From a friend of mine that might have some insight:

the LDAP_CONNECT is doing the right thing according to php.net <http://php.net>:

Returns a positive LDAP link identifier on success, or FALSE on error. When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource <http://www.php.net/manual/en/language.types.resource.php> as it does not actually connect but just initializes the connecting parameters. The actual connect happens with the next calls to ldap_* funcs, usually with ldap_bind() <http://www.php.net/manual/en/function.ldap-bind.php>.
Easily, the number one & two reasons LDAP does not work on AD are that it is not exposed or the VLAN is restricting access to it.
--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
-----------------------
The environment is a single server running Win Server 2008 R2 Standard
with SP1 with Apache 2.2 and PHP 5.3.19.
I have a PHP script that attempts to do an LDAP bind to the Win Server
2008 R2 Active Directory and fails no matter what variations I try. I
put in a lot of echos to see the results at each step, and I've
discovered that ldap_connect ALWAYS connects. I can put total garbage
in the URL and it never fails. The latest iteration of my PHP script
does an anonymous bind, then does an ldap_search, which fails.
Here's the script (actual domain, user & pswd changed):
<?php
define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032); // same value as OpenLDAP's LDAP_OPT_ERROR_STRING
$debug = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// $ad does not exist yet, so it cannot be passed to ldap_errno() at this point
echo "<br>LDAP set debug level: " . ($debug ? 'ok' : 'failed');
$LDAPhost = 'ldap://myDomain.com';
$LDAPport = 3268;
// the separate port argument is ignored when a URI is given, so put the port in the URI;
// with OpenLDAP this call only stores the URI and sends nothing to the server
$ad = ldap_connect("$LDAPhost:$LDAPport");
echo "<br>LDAP connect to $LDAPhost: " . ldap_errno($ad) . ' ' . ldap_error($ad);
if ($ad) {
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    echo "<br>LDAP set protocol to version 3: " . ldap_errno($ad) . ' ' . ldap_error($ad);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
    echo "<br>LDAP set referrals to 0: " . ldap_errno($ad) . ' ' . ldap_error($ad);
    $bind = ldap_bind($ad); // anonymous bind; this is the first call that actually contacts the server
    echo "<br>LDAP bind: " . ldap_errno($ad) . ' ' . ldap_error($ad);
    $baseDN = 'CN=Users,DC=myDomain,DC=com';
    $filter = '(objectClass=*)';
    $search = ldap_search($ad, $baseDN, $filter);
    echo "<br>LDAP search $baseDN $filter: " . ldap_errno($ad) . ' ' . ldap_error($ad);
    if ($search && ($rec = ldap_get_entries($ad, $search))) {
        echo "<br>LDAP get entries: " . ldap_errno($ad) . ' ' . ldap_error($ad);
        for ($i = 0; $i < $rec["count"]; $i++) {
            // use the loop index, and braces so the nested keys are interpolated
            echo "<br>{$rec[$i]['uid'][0]}";
            echo "<br>{$rec[$i]['givenname'][0]}";
        }
    } else {
        echo '<br>Record not found.';
    }
    ldap_close($ad);
} else {
    echo '<br><br>Could not connect.';
}
?>
The displayed results are:

LDAP set debug level:
LDAP connect to ldap://myDomain.com: 0 Success
LDAP set protocol to version 3: 0 Success
LDAP set referrals to 0: 0 Success
LDAP bind: 0 Success
LDAP search CN=Users,DC=myDomain,DC=com (objectClass=*): 1 Operations error
Record not found.
I would love to know exactly what to put as the base DN, i.e. what is
ldap_bind comparing these values to? Something in Active Directory?
Something in the registry? Something else?
Searching for this stuff turns up lots of examples, but none that work
for me. Any ideas?
--
Peter Dow
Dow Software Services, Inc.
909 793-9050
petercdow@xxxxxxxxx
pdow@xxxxxxxxxxxxxx
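A diagnostic version of the script, added here as an example (not Peter's code and not taken from php.net), that binds with a named account and reads the server's diagnostic message, so the failing step is reported by the server rather than inferred from "Operations error". The host, base DN and the LDAP_BIND_USER / LDAP_BIND_PASS environment variables are assumed placeholders.

```php
<?php
// Added example, not Peter's script. Host, base DN and the LDAP_BIND_USER /
// LDAP_BIND_PASS environment variables are assumed placeholders.
if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032); // OpenLDAP's LDAP_OPT_ERROR_STRING
}
// Print the server's own diagnostic text alongside errno/error, then stop.
function ldap_fail($ad, $step)
{
    $diag = '';
    ldap_get_option($ad, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, "$step failed: " . ldap_errno($ad) . ' ' . ldap_error($ad) . " [$diag]\n");
    exit(1);
}
// With OpenLDAP, ldap_connect() only stores the URI (the port goes in the URI;
// the separate port argument is ignored for URIs). Nothing reaches the server yet.
$ad = ldap_connect('ldap://myDomain.com:3268');
if ($ad === false) {
    fwrite(STDERR, "ldap_connect rejected the URI\n");
    exit(1);
}
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
// Credentials come from the environment, not the source file. AD accepts a
// UPN (user@myDomain.com) as the bind DN.
$user = getenv('LDAP_BIND_USER');
$pass = getenv('LDAP_BIND_PASS');
if ($user === false || $pass === false || $pass === '') {
    fwrite(STDERR, "set LDAP_BIND_USER and LDAP_BIND_PASS\n");
    exit(1);
}
// The bind is the first call that opens the TCP connection: -1 "Can't contact
// LDAP server" here means network/firewall, 49 means bad credentials.
if (!@ldap_bind($ad, $user, $pass)) {
    ldap_fail($ad, 'ldap_bind');
}
// Search from the domain naming context; AD refuses searches below the rootDSE
// on an anonymous connection, which is what "Operations error" (1) reports.
$search = @ldap_search($ad, 'DC=myDomain,DC=com', '(&(objectClass=user)(sAMAccountName=*))',
                       array('samaccountname', 'givenname'));
if ($search === false) {
    ldap_fail($ad, 'ldap_search');
}
$entries = ldap_get_entries($ad, $search);
for ($i = 0; $i < $entries['count']; $i++) {
    $given = isset($entries[$i]['givenname'][0]) ? $entries[$i]['givenname'][0] : '';
    echo $entries[$i]['samaccountname'][0], ' ', $given, "\n";
}
ldap_unbind($ad);
```

Run it from the command line with the two variables exported; a -1 on the bind step points at the network path Jim mentions, while a 49 or a failing search with a diagnostic text points at the account or base DN.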