8

I have a PHP script which does an LDAP connect, bind and search. It is working very well with most of the Active Directory servers; however, one of our clients has a problem. The script returns

Strong(er) authentication required.

error when trying ldap_bind.

All the searches I made directed me to two possible problems:

  1. I have to set LDAP_OPT_PROTOCOL_VERSION to 3 - which I do and did before, so this cannot be my problem.
  2. The AD server is configured to use SSL authentication - but our client insists that it is a default Windows 2008 R2 server installation, and that does not default to SSL for sure.

What other causes could there be for this error?

UPDATE

It was SSL required on Active Directory server ...

Gottlieb Notschnabel
Patkos Csaba
  • Are you connecting using ldaps:// on the SSL port? If you omit the ldaps://, then PHP will attempt to do an unencrypted bind – Jon Skarpeteig May 16 '11 at 11:27
  • Bet you a nickel that Jon Skarpeteig is right, I had the exact same problem until I explicitly used ldaps. Check phpinfo() under the LDAP section to make sure it has SASL support – David May 16 '11 at 21:57
  • I know about ldaps:// and it is extremely difficult to configure. Export the certificates from the AD server, copy them on the Linux machine, convert them to pem, convince openssl to use them ... So, I am not using ldaps://, and as far as I know that AD server doesn't require secure authentication, at least our client tells us that it is a basic install ... unfortunately I can't check it by myself and on every AD server I tried the script it was working perfectly, except the above mentioned one. – Patkos Csaba May 17 '11 at 13:39
  • It is so odd that the problem does not appear when I execute `ldap_add()`. – Casper Mar 08 '17 at 12:54

4 Answers

6

You have to use ldaps:// if it's required by the Active Directory server. If it's a problem with an invalid certificate authority, you can ignore the validity in Windows by issuing

putenv('LDAPTLS_REQCERT=never');

in your PHP code. In *nix you need to edit your /etc/ldap.conf to contain

TLS_REQCERT never

For other common problems, you can refer to my post at PHP cannot connect to LDAP Oracle Directory Server Enterprise Edition

For working example code, you can have a look at: Problems with secure bind to Active Directory using PHP

Community
Jon Skarpeteig
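An added example, not code from any of the answers on this page: binding over ldaps:// with the server certificate verified against the issuing CA, and mapping the usual bind failure codes to their likely cause. The host name, CA file path, bind DN and the `LDAP_BIND_PW` environment variable are constructed placeholders; it assumes PHP 7.1 or later with the ldap extension.

```php
<?php
// Added example. Host, CA path and DN below are constructed placeholders.
const RC_STRONGER_AUTH_REQUIRED = 8;   // RFC 4511 strongerAuthRequired
const RC_INVALID_CREDENTIALS    = 49;  // RFC 4511 invalidCredentials
const RC_SERVER_DOWN            = -1;  // libldap: cannot contact server (often a TLS failure)

// Turn the last error on the connection into a message with a likely cause.
function describeFailure($ldap): string
{
    $code = ldap_errno($ldap);
    $detail = '';
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    $hints = [
        RC_STRONGER_AUTH_REQUIRED => 'server rejects binds on an unprotected connection, or the operation needs an authenticated bind',
        RC_INVALID_CREDENTIALS    => 'check the bind DN and password for typos',
        RC_SERVER_DOWN            => 'no connection; check host, port and that the CA file matches the server certificate',
    ];
    return sprintf('LDAP error %d (%s): %s. %s', $code, ldap_error($ldap),
        $hints[$code] ?? 'see the server diagnostic', (string) $detail);
}

function secureBind(string $host, string $caFile, string $bindDn, string $password)
{
    if ($bindDn === '' || $password === '') {
        // A DN with an empty password is an unauthenticated bind (RFC 4513), not a login.
        throw new InvalidArgumentException('Bind DN and password must both be non-empty');
    }
    // libldap reads TLS settings globally, so set them before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect("ldaps://$host:636");
    if ($ldap === false) {
        throw new RuntimeException('Could not parse the LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ldap, $bindDn, $password)) {
        throw new RuntimeException(describeFailure($ldap));
    }
    return $ldap;
}

try {
    $ldap = secureBind('dc01.example.com', '/etc/ssl/certs/example-ad-ca.pem',
        'cn=admin,dc=example,dc=com', (string) getenv('LDAP_BIND_PW'));
    ldap_unbind($ldap);
} catch (Exception $e) {
    error_log($e->getMessage());
}
```

Only the CA certificate that issued the domain controller's certificate has to be exported to PEM; the server certificate itself does not need to be copied to the client.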
1

I had the same problem and it seems that there was a typo in my bind_rdn, so make sure that the credentials are correct.

Gottlieb Notschnabel
bogtan
0

The message "Strong(er) authentication required" also appears if you try to update an LDAP entity using:

  • ldap_modify
  • ldap_mod_replace
  • ldap_modify_batch

without calling the bind function with the optional parameters:

 string $bind_rdn = NULL [, string $bind_password = NULL ]

This code will not work:

```php
$ldap = ldap_connect($ldap_url);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Anonymous bind: no DN or password supplied
$bind = ldap_bind($ldap);

$userdata = array();
$userdata['userattribute'][0] = 'test';

// Fails with "Strong(er) authentication required"
ldap_modify($ldap, "cn=myuser,dc=example,dc=com", $userdata);
```

This code works, note the different call to bind function:

```php
$ldap = ldap_connect($ldap_url);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Authenticated bind: DN and password supplied
$bind = ldap_bind($ldap, 'cn=admin,dc=example,dc=com', 'secretpassword');

$userdata = array();
$userdata['userattribute'][0] = 'test';

ldap_modify($ldap, "cn=myuser,dc=example,dc=com", $userdata);
```

Matteo Conta
0

This answer seems to be full, although short. It covers two options on how to handle the error.

sdd