
I am using the adldap plugin to connect to a Windows Server AD but my issue is with php ldap_bind as far as I can tell.

When a user types in an incorrect password, the error returned from ldap_error (which is used by adldap) is 'Invalid Credentials'. So far so good.

The problem arises when a user's password expires or in AD the user is set to change password on next logon (new user, password reset, etc). In this case whatever password the user enters to authenticate, ldap_error returns 'Invalid Credentials'. This means that I cannot tell if the user actually knows the expired password or not.

Has anyone got any idea how I can get around this issue?

  • You should be able to get the "real" bind error from the server which will provide more information. Then you can check at https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors for details. – jwilleke Jul 13 '15 at 14:07

1 Answer


Since I had the same problem, I searched and found a solution.

// LDAP_OPT_DIAGNOSTIC_MESSAGE is built into PHP >= 7.1; define it only for older versions
if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
}

$handle = ldap_connect('ldap://active.directory.server/');
ldap_set_option($handle, LDAP_OPT_PROTOCOL_VERSION, 3); // Active Directory expects LDAPv3
$bind = @ldap_bind($handle, 'user', 'expiredpass');      // suppress the PHP warning; we read the reason below

if (!$bind) {
    // The server-side diagnostic message carries the AD-specific reason for the failed bind
    if (ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error) && $extended_error !== '') {
        echo "Error Binding to LDAP: $extended_error";
    } else {
        echo "Error Binding to LDAP: No additional information is available.";
    }
}

This returns something like this:

Error Binding to LDAP: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 773, v2580

The important part is the code after 'data', which is the Active Directory sub-code for LDAP error code 49 (invalid credentials).

You may parse the sub-code using this function:

/**
 * Extract the AD sub-code (e.g. "773") from an LDAP diagnostic message.
 * Returns null when the message has no "data <code>," part.
 */
function parseExtendedLdapErrorCode($message) {
    $code = null;
    // Lookbehind for "data " and lazily match up to the following comma
    if (preg_match("/(?<=data\s).*?(?=\,)/", $message, $code)) {
        return $code[0];
    }
    return null;
}
James MV
Karl Adler
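The answer above extracts the sub-code; the natural next step is to map it to a reason and, for the asker's question, decide whether the password itself was accepted. The following is an added example, not code from the original question or answer and not part of the adLDAP project. It assumes the PHP ldap extension, the sub-code table Active Directory documents for error 49, and constructed sample messages in the same shape as the one quoted in the answer; the function names are the example's own.

```php
<?php
// Added example: classify a failed AD bind from its diagnostic message.
// Sample messages below are constructed; only the format matches real AD output.

if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032); // built in since PHP 7.1
}

/** Active Directory sub-codes (the hex value after "data") for LDAP error 49. */
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'not permitted to log on at this time',
    '531' => 'not permitted to log on from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must change password at next logon',
    '775' => 'account locked out',
];

/**
 * Sub-codes that AD only returns after the supplied password matched.
 * The other codes describe account state, so this example does not treat
 * them as proof that the user knows the password.
 */
const AD_PASSWORD_ACCEPTED = ['532', '773'];

/** Pull the sub-code out of "... AcceptSecurityContext error, data 773, v2580". */
function extractAdSubCode(string $message): ?string {
    return preg_match('/data\s+([0-9a-f]+),/i', $message, $m) ? strtolower($m[1]) : null;
}

function classifyAdBindFailure(string $diagnostic): array {
    $code = extractAdSubCode($diagnostic);
    return [
        'code'              => $code,
        'reason'            => AD_BIND_SUBCODES[$code] ?? 'unknown sub-code',
        'password_accepted' => in_array($code, AD_PASSWORD_ACCEPTED, true),
    ];
}

/**
 * Bind and return a classified outcome. Keep 'diagnostic' and 'reason' for
 * server-side logs only: showing them to the user reveals whether the account
 * exists, is disabled or is locked, which is exactly what an attacker probing
 * usernames wants to learn. Show a generic failure message instead.
 */
function adAuthenticate($handle, string $dn, string $password): array {
    if (@ldap_bind($handle, $dn, $password)) {
        return ['ok' => true, 'password_accepted' => true];
    }
    $diag = '';
    ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $result = ['ok' => false, 'errno' => ldap_errno($handle), 'diagnostic' => $diag];
    if ($result['errno'] === 49) {               // LDAP_INVALID_CREDENTIALS
        $result += classifyAdBindFailure($diag);
    }
    return $result;
}

// Constructed samples: expired-password user, wrong password, locked account.
$samples = [
    '80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 773, v2580',
    '80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580',
    '80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 775, v2580',
];
foreach ($samples as $msg) {
    $r = classifyAdBindFailure($msg);
    printf("%s => %s (password accepted: %s)\n",
        $r['code'], $r['reason'], $r['password_accepted'] ? 'yes' : 'no');
}
```

With a real connection you would call `adAuthenticate($handle, $dn, $password)` and, when `password_accepted` is true with code 773 or 532, send the user to a change-password flow rather than rejecting the login; for every other failure the user should see the same generic error while the sub-code goes to the application log.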