
I've got the following test script running well (returns a 200 HTTP response) on my local machine (Windows 7 with PHP 5.6). However, when I move this script to our Linux dev server (PHP 5.6, with LDAP enabled), ldap_error() returns with the error: "Encoding error" from the LDAP server (via PHP).

I cannot figure out why this would be. The LDAP server is running LDAP version 3 (UTF-8 charset by default). I tried adding ini_set('default_charset', 'UTF-8'); at the top of my script to ensure that I was sending UTF-8 passwords/usernames. I also tried wrapping my user/pass in utf8_encode() but this didn't seem to make any difference. The script still worked well on my local machine, but did not on the Linux dev server.

Does anyone have experience with this error? I'm starting to think that this may not be an encoding issue. Could it be an SSL issue? I don't have an SSL cert installed on my localhost and the LDAP server accepts connections on port 389 (the default LDAP port) and over ldaps.

Thanks for your help.

<?php

ini_set('default_charset', 'UTF-8');
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

if (empty($_POST['username']) || empty($_POST['password'])) {
  header('HTTP/1.0 500 Internal Server Error');
  die('No credentials sent. Send a POST request with credentials.');
}

$username = $_POST['username'];
$password = $_POST['password'];

// https://stackoverflow.com/a/7586808/1171790
putenv('LDAPTLS_REQCERT=never');

// https://stackoverflow.com/questions/24522383/php-ldap-opt-debug-level-7-not-tracing
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

//$ldap = ldap_connect('ldaps://idir.bcgov:636');
$ldap = ldap_connect('ldap://idir.bcgov:389');
$ldaprdn = 'idir'.'\\'.$username;

ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

$bind = @ldap_bind($ldap, $ldaprdn, $password);

if (ldap_error($ldap) !== 'Success') {

  header('HTTP/1.0 500 Internal Server Error');

  echo 'ldap_error(): '.ldap_error($ldap).PHP_EOL;

  ldap_get_option($ldap, LDAP_OPT_ERROR_STRING, $err);
  echo "ldap_get_option (LDAP_OPT_ERROR_STRING): $err".PHP_EOL;

  ldap_get_option($ldap, LDAP_OPT_DEBUG_LEVEL, $err2);
  echo "ldap_get_option (LDAP_OPT_DEBUG_LEVEL): $err2".PHP_EOL;

}

// Check if we have a connection.
// Did our LDAP connection get bound with the credentials provided?
// If not, perhaps the credentials are incorrect???
if ($bind) {

  echo 'Holy geez! LDAP is bound!'.PHP_EOL;

  $user = array();

  // Escape the user-supplied value before placing it in the search filter
  // (ldap_escape() is available from PHP 5.6), so it cannot alter the query.
  $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
  $result = ldap_search($ldap, "DC=idir,DC=BCGOV", $filter);

  // Sort the returned results from Active Directory.
  ldap_sort($ldap, $result, "sn");
  // The user's info/data.
  $info = ldap_get_entries($ldap, $result);

  for ($i = 0; $i < $info["count"]; $i++) {

    if ($info['count'] > 1) {
      break;
    }

    $user['distinguishedname'] = $info[$i]['distinguishedname'][0];

  }

  // Close the connection to LDAP.
  @ldap_close($ldap);

  print_r($user);

} else {

  // Our credentials did not validate.
  header('HTTP/1.0 500 Internal Server Error');
  die('Could not bind to LDAP.');

}
  • Why do you check for the LDAP-error before checking for the bind? – heiglandreas Feb 08 '18 at 06:08
  • @heiglandreas *I think* because `$bind = @ldap_bind($ldap, $ldaprdn, $password);` sets the `$bind` variable if successful. Then I do `if (ldap_error($ldap) !== 'Success')` I'll try moving `ldap_error($ldap)` to after `if ($bind)` – jonathanbell Feb 08 '18 at 17:06
  • ldap_bind returns true on successful bind and false on unsuccessful. So if you only want to check for a correct bind that's what I'd check. If bind fails (and the return value is false) I'd THEN check the error result... – heiglandreas Feb 08 '18 at 17:09
  • @heiglandreas I moved the `ldap_error()` after `if ($bind)` into the `else` and got the same error. – jonathanbell Feb 08 '18 at 17:10
  • What exactly is the username on a binary level? Can you echo bin2hex($_POST['username']); ? And perhaps the password? Are there any characters above 0x80? If so, which ones? – heiglandreas Feb 08 '18 at 17:30
  • @heiglandreas I'm not comfortable posting the user or pass in hex online but I did check. No characters above 0x80. Thank you for your attention though. – jonathanbell Feb 09 '18 at 17:52
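An added diagnostic (not part of the question or its comments) that does the two checks the thread circles around: it inspects the raw bytes of the POSTed credentials before binding, without echoing them, and it reports whether a failed bind was rejected by the client library or by the server, using ldap_errno() rather than the ldap_error() string. The 'idir' domain and host come from the script above; the function names are illustrative.

```php
<?php
// Added example, not from the original question. PHP 5.6 compatible.

// Returns the reasons a credential should not be sent to the directory.
// LDAPv3 strings must be UTF-8, and NUL or other control bytes cannot be
// placed in a DN; both are typical causes of a client-side encoding failure.
function credential_problems($value)
{
    $problems = array();
    if ($value === '') {
        $problems[] = 'empty';
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        $problems[] = 'contains a control byte';
    }
    // With the /u modifier preg_match() returns false for invalid UTF-8.
    if (preg_match('//u', $value) === false) {
        $problems[] = 'not valid UTF-8';
    }
    return $problems;
}

// Binds and reports where a failure came from. In OpenLDAP's libldap the
// negative result codes (LDAP_ENCODING_ERROR is -3) are raised locally before
// any request is sent; codes above 0 are the server's result code.
function classify_bind($ldap, $dn, $password)
{
    $bound = @ldap_bind($ldap, $dn, $password);
    $errno = ldap_errno($ldap);
    return array(
        'bound'  => (bool) $bound,
        'errno'  => $errno,
        'error'  => ldap_err2str($errno),
        'origin' => $errno < 0 ? 'client library' : ($errno === 0 ? 'none' : 'server'),
    );
}

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$problems = array_merge(credential_problems($username), credential_problems($password));
if ($problems) {
    header('HTTP/1.0 400 Bad Request');
    die('Refusing to bind: ' . implode('; ', $problems) . PHP_EOL);
}
// Report non-ASCII input (legal in LDAPv3) without printing the value itself.
$nonAscii = preg_match('/[\x80-\xFF]/', $username . $password) === 1 ? 'yes' : 'no';

$ldap = ldap_connect('ldap://idir.bcgov:389');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
$r = classify_bind($ldap, 'idir\\' . $username, $password);
printf("bound=%d errno=%d origin=%s error=%s non_ascii=%s%s",
    $r['bound'], $r['errno'], $r['origin'], $r['error'], $nonAscii, PHP_EOL);
```

A negative errno on the Linux box but not on Windows points at the client-side build (libldap version or charset handling) rather than at the directory, which is where to compare the two environments next.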
