Php – LDAP Can’t perform an authenticated bind – Windows Server 2008 R2 Using PHP/Apache

active-directoryapache-2.2ldapPHPwindows-server-2008

I'm having issues performing an authenticated bind against the server. The issues doesn't appear to be in code however maybe a server issue.

Just so you know;

LDAP is enabled in Apache/PHP
I'm connecting as user@domain.com
The domain controller has LDAP running and an entry in the firewall (Windows Server 2008 R2) The issue might be here, this was setup as a DC and is running LDAP by default. I did no special configuration on LDAP
I can perform an anonymous bind but not an authenticated one

I can bind anonymously using this script;

$ldapconn = ldap_connect("machinename.domain.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding anonymously
    $ldapbind = ldap_bind($ldapconn);

    if ($ldapbind) {
        echo "LDAP bind anonymous successful...";
    } else {
        echo "LDAP bind anonymous failed...";
    }

}

However when I try to do an authenticated bind using this script, it fails.

// Authenticated Bind
$ldaprdn  = 'username@domain.com';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("machinename.domain.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

}

Where am I going wrong?

Best Answer

Okay, after much investigation I have turned on error info using ldap_errno() and ldap_error() and found it bringing back the error 'Strong(er) authentication required' have discovered two possible solutions;

Adjust Group Policy Settings

Negotiate Signing (Network security: LDAP client signing requirements)
No signing requirements (Domain Controller: LDAP server signing requirements)
Result: Managed to bind successfully and when I enter the username or password incorrectly and it throws an 'Invalid credentials' as expected.

Enable LDAP over SSL (LDAPS)

Related Solutions

Php – Binding to LDAP using SSL keeps failing – Windows Server 2008

Can you try running ldapsearch and giving us the error output? It would look something like this:

ldapsearch -x -d 1 -LLL -H ldaps://localhost -b 'dc=campus,dc=local' -D 'username' -W '(sAMAccountName=username)'

where the parameters are:

-x: forces the connection to use simple authentication instead of SASL (emulating the PHP ldap_bind() function)
-d 1: show debugging output, increase the number for more verbosity
-LLL: changes the output format to remove some LDIF information you don't need for debugging
-H: the host URI specifier; you can change this to "ldap://" to test non-SSL binding
-b: the bind DN
-D: the bind credential username, CN, or other identifying string
-W: forces ldapsearch to ask for a password

If you were using SASL to connect to an Active Directory server over LDAPS, it'd be necessary to set the "maxssf" parameter to zero. I'm not exactly sure how PHP's LDAP functions work, so it might be worth trying to set that parameter if you can figure out how.

Windows – Setting up LDAP connection between CentOS and Windows server 2008

The error message is fairly straightforward:

text: 000004DC: LdapErr: DSID-0C0906DC, comment: In order to perform this 
operation a successful bind must be completed on the connection., data 0

That means you need to authenticate before you can query the directory. A typical command line will look something like this:

ldapsearch -x -H ldaps://dc.example.com/ -D lars@example.com -W cn=lars

This connect using simple authentication (-x) to dc.example.com using LDAP over SSL (ldaps://). I am authenticating as lars@example.com and the command will prompt me for a password (-W). I am searching for records matching cn=lars.

You can also authenticate against AD using Kerberos. Assuming everything is set up correctly, that looks like:

$ kinit lars@example.com
Password for lars@EXAMPLE>COM: 
$ ldapsearch -H ldap://dc.example.com cn=lars

In either case, you generally want to create accounts specifically to act as bind credentials, rather than using an administrative or a user account.

It is possible to configure Active Directory to allow anonymous binds. It is also possible to set up something else -- e.g., OpenLDAP -- as an anonymous bind proxy for AD.

Best Answer

Related Solutions

Php – Binding to LDAP using SSL keeps failing – Windows Server 2008

Windows – Setting up LDAP connection between CentOS and Windows server 2008

Related Topic