
We have several AD servers with an established forest trust between them, so Windows users from different domains are able to get access to restricted resources. Suppose we have domainA.com and domainB.com, so any user from the domain domainB.com can log in to resources on domainA.com. For security reasons, anonymous access to the LDAP servers is disabled by the administrators.

Now we need to list all users from all LDAP servers in our PHP code with the help of the OpenLDAP client. Below is the PHP code to get info about all users from domainB.com:

define('USER', 'user@domainA.com'); // User from domainA.com here
define('PASS', 'secret');           // that user's password (placeholder)
$ldap = ldap_connect('domainB.com') or die('Bad connection');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // do not chase referrals to other DCs
ldap_bind($ldap, USER, PASS) or die('Cannot bind');

My script dies with the message "Cannot bind" and LDAP error "49 Invalid credentials". Additional info from AD:
80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

I think that the problem is with the simple authentication mechanism, because when I use GSS Negotiate authentication in the Ldap Administrator client with the same credentials for user@domainA.com everything is ok.

What can I do to make a successful bind on domainB.com with the credentials of user@domainA.com?

UPD1: Authentication with SASL DIGEST-MD5

ldap_sasl_bind($ldap, '', $pass, 'DIGEST-MD5', null, 'user@domainA.com');

Logs from AD:

The computer attempted to validate the credentials for an account.

Authentication Package: WDigest
Logon Account:  user
Source Workstation: DOMAINA
Error Code: 0xc000006a

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       user@domainA.com
    Account Domain:     domainA.com

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:         0xc000006d
    Sub Status:     0xc000006d

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   -
    Source Network Address: 
    Source Port:        

Detailed Authentication Information:
    Logon Process:      WDIGEST
    Authentication Package: WDigest
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
lisachenko

2 Answers


I've experienced this issue when configuring Moodle, which uses the PHP LDAP libs and OpenLDAP to connect to AD servers. The solution was pretty simple, and was one of two things (which really just boiled down to one thing):

  1. Use the unscoped username (i.e. no '@example.com' after the username)
  2. Use the DOMAIN\username

Basically, the one thing it boiled down to was getting the correct, expected username syntax. I think this is dependent on the particular AD configuration, because I have seen four types of usernames that work on various AD servers: full DN, scoped username (i.e. looks like an email address), DOMAIN\username, and plain username.

JDS
  • I think option 2 here is best. That format is [specifically used](http://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx) to indicate a user and a domain for authentication. – Shane Dec 19 '13 at 03:52
  • The second option worked for me in Windows 7, where the Domain and User Name can be found in `Control Panel\User Accounts\User Accounts > Manage User Accounts` (in the User Accounts window, Users tab). – ROMANIA_engineer Nov 18 '15 at 13:26
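As an added example (not code from the question or from the answer above), the following PHP tries each of the name formats JDS lists against the domainB.com controller and decodes the `data` sub-code that AD attaches to result 49, so the `52e` from the question is reported in words. Host, account names, DN and password are placeholders.

```php
<?php
// Added example (not from the answer above): try each identity format JDS lists
// and surface AD's "data NNN" sub-code instead of a bare "Invalid credentials".
// Host, account names, DN and password below are placeholders.
// Sub-codes AD appends to LDAP result 49 (well known, not taken from this page).
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'logon failure: bad password, or name not resolvable in this format',
    '532' => 'password expired',        '533' => 'account disabled',
    '701' => 'account expired',         '773' => 'user must reset password',
    '775' => 'account locked out',
];
function ad_bind_subcode($ldap): ?string
{
    // e.g. "... comment: AcceptSecurityContext error, data 52e, v1db1"
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return preg_match('/data ([0-9a-f]{3})/', (string) $diag, $m) ? $m[1] : null;
}

function try_bind_formats(string $host, string $sam, string $netbios,
                          string $upnSuffix, string $dn, string $password): array
{
    // An empty password turns a simple bind into an anonymous bind that "succeeds".
    if ($password === '') { throw new InvalidArgumentException('refusing empty password'); }
    $candidates = [
        'UPN'     => "$sam@$upnSuffix",   // user@domainA.com
        'NetBIOS' => "$netbios\\$sam",    // DOMAINA\user
        'plain'   => $sam,                // user
        'DN'      => $dn,                 // CN=user,OU=...,DC=domainA,DC=com
    ];
    $report = [];
    foreach ($candidates as $label => $identity) {
        $ldap = ldap_connect("ldap://$host"); // use ldaps:// or ldap_start_tls() outside a lab
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
        if (@ldap_bind($ldap, $identity, $password)) {
            $report[$label] = 'OK';
            ldap_unbind($ldap);
            return $report; // stop at the first format this DC accepts
        }
        $sub = ad_bind_subcode($ldap);
        $report[$label] = ldap_error($ldap)
            . ($sub ? " (data $sub: " . (AD_BIND_SUBCODES[$sub] ?? 'unknown') . ')' : '');
        ldap_unbind($ldap);
    }
    return $report;
}
print_r(try_bind_formats('domainB.com', 'user', 'DOMAINA', 'domainA.com',
    'CN=user,OU=Special Users,DC=domainA,DC=com', getenv('LDAP_PASS') ?: 'changeme'));
```

Run it with the real password in the `LDAP_PASS` environment variable; the report shows which format the controller accepted, or the decoded sub-code for each one it rejected.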

When you specify the user in ldap_bind, can you try to put your user DN like this:

$bind = ldap_bind($resource, 'cn=jpb,cn=users,dc=dom,dc=fr', '***');

Another thing: in your 'Active-Directory Forest' you've got one or more domain controllers which support a directory called the 'Global Catalog' (GC). The GC contains all the objects of all the directories of your forest.

Edited: You can try to bind with SASL

$ldap = ldap_connect('domainB.com');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
// dn is NULL, password, mechanism, realm, then the authentication identity (authc_id)
ldap_sasl_bind($ldap, NULL, "password", 'DIGEST-MD5', NULL, 'user@domainA.com', NULL);
JPBlanc
  • I tried to bind with my user DN "CN=user, OU=Special Users, DC=domainA, DC=com" and the answer is "Invalid credentials". The Global Catalogue is interesting, but it doesn't work for me either. – lisachenko Jul 08 '11 at 09:14
  • Using simple bind, you have to bind with a user of the DomainB directory! You must use SASL to bind with a DomainA user. – JPBlanc Jul 08 '11 at 11:52
  • There is the ldap_sasl_bind() function in PHP for SASL binding, but I can't find any good examples of how to make Kerberos or NTLM authentication. Have you any experience with SASL authentication from PHP code? – lisachenko Jul 08 '11 at 12:22
  • I'm grateful to you! I'll try to build PHP with SASL-LDAP today and check SASL authentication. I hope that everything will work. – lisachenko Jul 11 '11 at 09:55
  • I have built PHP with SASL and have tried to authenticate using DIGEST-MD5, but the result is still negative. I edited the question for DIGEST-MD5 authentication and added some logs from AD. – lisachenko Jul 14 '11 at 07:03
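An added example, not JPBlanc's code, of the Global Catalog idea from the answer: a paged listing of all user accounts in one forest over port 3268, which is what the question ultimately wants. It assumes PHP >= 7.3 with the ldap extension; host, bind identity, password and base DN are placeholders. It also goes slightly beyond the answer in noting that a trusted forest's objects are not present in this GC, which matches the asker's report that the GC did not help across the trust.

```php
<?php
// Added example (not JPBlanc's code): enumerate every user account in one forest
// through the Global Catalog (TCP 3268), paging so AD's default 1000-entry MaxPageSize
// does not truncate the result. A forest trust does NOT replicate the other forest's
// objects into this GC, so each forest's GC has to be queried with its own credentials.
// Host, bind identity, password and base DN are placeholders; needs PHP >= 7.3.
function list_forest_users(string $gcHost, string $bindUser, string $password, string $baseDn): array
{
    // 3268 is the plaintext GC port; prefer ldaps://host:3269 outside a lab.
    $ldap = ldap_connect("ldap://$gcHost:3268");
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // the GC answers for the whole forest itself
    if ($password === '') {
        throw new InvalidArgumentException('an empty password would bind anonymously');
    }
    if (!ldap_bind($ldap, $bindUser, $password)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ldap));
    }
    // objectCategory=person drops computer accounts, which are objectClass=user as well.
    $filter = '(&(objectClass=user)(objectCategory=person))';
    $attrs  = ['userPrincipalName', 'sAMAccountName'];  // both are in the GC partial attribute set
    $users  = [];
    $cookie = '';
    do {
        $control = ['oid' => LDAP_CONTROL_PAGEDRESULTS, 'iscritical' => true,
                    'value' => ['size' => 500, 'cookie' => $cookie]];
        $result = ldap_search($ldap, $baseDn, $filter, $attrs, 0, -1, -1, LDAP_DEREF_NEVER, [$control]);
        if ($result === false) {
            throw new RuntimeException('search failed: ' . ldap_error($ldap));
        }
        foreach (ldap_get_entries($ldap, $result) as $i => $entry) {
            if ($i === 'count') { continue; }               // ldap_get_entries() adds a count key
            $users[] = $entry['userprincipalname'][0] ?? $entry['samaccountname'][0] ?? $entry['dn'];
        }
        // The server returns a fresh cookie while more pages remain; an empty cookie means last page.
        ldap_parse_result($ldap, $result, $errcode, $matched, $errmsg, $referrals, $controls);
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');
    ldap_unbind($ldap);
    return $users;
}

$users = list_forest_users('domainB.com', 'user@domainB.com',
    getenv('LDAP_PASS') ?: 'changeme', 'DC=domainB,DC=com');
printf("%d user accounts found in the forest\n", count($users));
```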