[Ltb-users] Active Directory LDAPS issue

Scott Owen sowen at edzone.net
Thu Feb 7 16:45:30 CET 2013


Got it !!!!

I have a suspicion that I may have had a couple issues.

I changed the $ldap_url line as per your suggestion...

$ldap_url = "ldaps://myserver.almaschools.net ";

I was then getting this error:
LDAP - User XXXXXX not found, referer:

After looking at the "change.php" code, I realized that this error was AFTER the LDAPS bind etc.... and seemed to be a search error...
I went back to the config.inc.php file and verified that I had entered the appropriate base variable.

I had downloaded a better text editor (and quit using wordpad/notepad), to read the "change.php" code, and as soon as I opened and saved the config.inc.php file, everything started magically working.

I strongly suspect that I had an errant carriage return or space somewhere in the code, and that just opening and closing the file with a REAL editor fixed the issue.

Thank you for your help, and thank you again for the wonderful scripts.

-Scott Owen
Alma Public Schools

>>> Clément OUDOT <clem.oudot at gmail.com> 2/7/2013 3:33 AM >>>

2013/2/6 Scott Owen <sowen at edzone.net>

Greetings all,
First, I would like to thank the devs for making Self Service Password a GPL project !!
It is exactly what I was looking for.
But I am having one problem.
For a web server I am using Windows 7 with WAMP (http://www.wampserver.com/en/); this appears to be set up correctly and working fine.
The Self Service Password page displays correctly, with no errors.
The issue appears to be in my LDAPs connection string.
I installed ldp.exe ( http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm ) and I am able to connect to my AD server via SSL on port 636 from the Web Server.
I can Bind as the Administrator, and view my entire Directory Tree.
Below is the config I am using:
#==============================================================================
# Configuration
#==============================================================================
# LDAP
$ldap_url = "ldap://myserver.almaschools.net 636";
$ldap_binddn = "cn=Administrator,CN=Users,dc=almaschools,dc=net";
$ldap_bindpw = "mypassword";
$ldap_base = "OU=AlmaSchools,DC=Almaschools,DC=net";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
~~~~~the rest of the code
===============================================================================
changing 
$ldap_url = "ldap://myserver.almaschools.net 636";

to 
$ldap_url = "ldaps://myserver.almaschools.net ";
produces the following Apache error:
"LDAP - Bind error -1 (Can't contact LDAP server)"
changing 
$ldap_url = "ldap://myserver.almaschools.net 636";

to 
$ldap_url = "ldaps://myserver.almaschools.net 636 ";
produces the following Apache error:
"LDAP - User xxxxxx not found, referer:"
where xxxxx is the user that I attempt to login to the Self Service Password page as.
I downloaded and installed the two scripts referenced on the page:
http://www.mjdigital.co.uk/blog/ldap-authentication-active-directory-using-php/#comments
I am able to modify these scripts, and get both an LDAP test page and an LDAPS test page....
(I get an error...but it's a SizeLimit error...)
#################output of LDAPStest.php################################################
LDAP bind successful...


( ! ) Warning: ldap_search() [function.ldap-search]: Partial search results returned: Sizelimit exceeded in C:\wamp\www\LDAPStest.php on line 27
Call Stack
#  Time    Memory  Function        Location
1  0.0006  379768  {main}( )       ..\LDAPStest.php:0
2  0.0215  381176  ldap_search( )  ..\LDAPStest.php:27

Dump all data
Array
(
    [count] => 1000
    [0] => Array
        (
            [objectclass] => Array
                (
                    [count] => 2
                    [0] => top
                    [1] => group

##############################much much more###########################################
=================LDAPStest.php==============================================
<?php
set_time_limit(30);
error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 1);

// config
$ldapserver = "ldaps://myserver.almaschools.net";
$ldapport   = 636;   // not used by ldap_connect() when a URL is given; the scheme selects port 636
$ldapuser   = "CN=Administrator,CN=Users,DC=Almaschools,DC=net";
$ldappass   = "mypassword";
$ldaptree   = "OU=AlmaSchools,DC=Almaschools,DC=net";
$domain     = "@almaschools.net";

// connect (ldaps:// URL, so TLS is negotiated on port 636)
$ldapconn = ldap_connect($ldapserver, $ldapport) or die("Could not connect to LDAP server.");
if ($ldapconn) {
    // binding to ldap server with the full DN (the UPN form user@domain is the commented alternative)
    $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die("Error trying to bind: " . ldap_error($ldapconn));
    //$ldapbind = ldap_bind($ldapconn, $ldapuser . $domain, $ldappass) or die("Error trying to bind: " . ldap_error($ldapconn));

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...<br /><br />";

        // (cn=*) under the whole OU matches every object, which is why AD answers with "Sizelimit exceeded"
        $result = ldap_search($ldapconn, $ldaptree, "(cn=*)") or die("Error in search query: " . ldap_error($ldapconn));
        $data = ldap_get_entries($ldapconn, $result);

        // SHOW ALL DATA (one <pre> only; the original opened it twice)
        echo '<h1>Dump all data</h1><pre>';
        print_r($data);
        echo '</pre>';

        // iterate over array and print data for each entry
        // directory values are escaped before being written into the page
        echo '<h1>Show me the users</h1>';
        for ($i = 0; $i < $data["count"]; $i++) {
            //echo "dn is: " . htmlspecialchars($data[$i]["dn"]) . "<br />";
            echo "User: " . htmlspecialchars($data[$i]["cn"][0]) . "<br />";
            if (isset($data[$i]["mail"][0])) {
                echo "Email: " . htmlspecialchars($data[$i]["mail"][0]) . "<br /><br />";
            } else {
                echo "Email: None<br /><br />";
            }
        }
        // print number of entries found
        echo "Number of entries found: " . ldap_count_entries($ldapconn, $result);
    } else {
        echo "LDAP bind failed...";
    }
}
// all done? clean up
ldap_close($ldapconn);
?>
==============================================================
I seem to be able to connect to secure LDAP (port 636) on my AD server OK, so I am assuming that my server setup is OK.
I can connect to the AD server on port 636 from my web server using PHP, so I'm assuming that my PHP/LDAP setup is OK.
Any idea why my connection string in self service password doesn't seem to work ??
Does someone have a working AD (2008r2) config that they would be willing to share ??

Hi,

First of all, ldap://host port is wrong syntax. The correct syntax is ldap://host:port; the port can be omitted if it is the standard port (389 for ldap://, 636 for ldaps://).

So in your case, the correct configuration would be:

$ldap_url = "ldaps://myserver.almaschools.net ";

Now, I do not understand why the connection fails in SSP and not in your sample PHP script.

What is the content of C:\OpenLDAP\sysconf\ldap.conf ?

Clément.
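As an added example that is not part of this thread or of the Self Service Password project: a small PHP check that normalizes an $ldap_url value into the scheme://host:port form described in the reply, applying the 389/636 defaults, and rejects the space-separated "host 636" form. The constant and function names are my own, and nothing is contacted when the check runs.

```php
<?php
// Added example (not from the thread). Standard ports from the reply above:
// 389 for ldap://, 636 for ldaps://.
const LDAP_DEFAULT_PORTS = ['ldap' => 389, 'ldaps' => 636];

function normalize_ldap_url(string $url): string
{
    // Whitespace at the ends (e.g. a trailing space copied into config.inc.php)
    // is tolerated; whitespace inside the URL means "host port" was written
    // instead of "host:port" and is rejected.
    $url = trim($url);
    if (preg_match('/\s/', $url)) {
        throw new InvalidArgumentException(
            "whitespace inside LDAP URL '$url'; use scheme://host:port, e.g. ldaps://host:636");
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException("cannot parse LDAP URL: $url");
    }
    $scheme = strtolower($parts['scheme']);
    if (!isset(LDAP_DEFAULT_PORTS[$scheme])) {
        throw new InvalidArgumentException("unsupported scheme '$scheme' (expected ldap or ldaps)");
    }
    $port = $parts['port'] ?? LDAP_DEFAULT_PORTS[$scheme];
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("port out of range: $port");
    }
    return sprintf('%s://%s:%d', $scheme, $parts['host'], $port);
}

// Connect using the normalized URL. With a URL, ldap_connect() takes the port
// from the URL itself, so putting it anywhere else has no effect.
function ldap_connect_normalized(string $url)
{
    $conn = ldap_connect(normalize_ldap_url($url));
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);  // AD expects LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);         // do not chase AD referrals
    return $conn;
}

// The three forms that appeared in the thread (constructed check, offline):
$candidates = [
    'ldap://myserver.almaschools.net 636',    // rejected: space instead of colon
    'ldaps://myserver.almaschools.net ',      // ok: trailing space trimmed, port defaults to 636
    'ldaps://myserver.almaschools.net 636 ',  // rejected: space instead of colon
];
foreach ($candidates as $candidate) {
    try {
        echo "ok:       ", normalize_ldap_url($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```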