PHP - Ldap Authentication Help

Hi guys,
I have this problem and id appreciate all your advice in helping solve it.

I'm working on a service with is "cloud" hosted.
However I want it so when a person employed by Corporation A logs onto myservice.corporationa.com they enter their Corporation A LDAP details but somehow that sends them to myservice.com and authenticates them. I know how to do the get LDAP details part to put on myservice.corporationa.com but no idea how to do the rest and make it send back etc.

Any ideas?

Many many thanks in advance.

(PS - If this all makes sense please do let me know)

I'm using Active Directory and PHP with LDAP.

I have been trying to create a script that will list all the members of each group in a OU.  When I run this script in an OU with Users, it will return an array with all the available attributes of each User.  However when I use it with a group, it doesn't return any attributes of the group.

Code: [Select]
<?php
$ig_ldaphost="LDAP://domain/"; //filtered for security
$ig_ldapou="OU=Drive Security,OU=Groups,DC=this,DC=and,dc=that"; //filtered for security

$ig_ldapconn=ldap_connect($ig_ldaphost)
    or die("Could not connect to {$ig_ldaphost}");
$ig_ldapopt=ldap_set_option($ig_ldapconn,LDAP_OPT_PROTOCOL_VERSION,3)
    or die("Could not set options: {$ig_ldapopt}");
$ig_ldapbind=ldap_bind($ig_ldapconn)
    or die("Could not bind: {$ig_ldapbind}");
   
$ig_ldapsearch=ldap_search($ig_ldapconn,$ig_ldapou,"objectClass=*");

for ($ig_ldapentry=ldap_first_entry($ig_ldapconn,$ig_ldapsearch);$ig_ldapentry!=FALSE;$ig_ldapentry=ldap_next_entry($ig_ldapconn,$ig_ldapentry))
{
    $ig_ldapvalues=ldap_get_attributes($ig_ldapconn,$ig_ldapentry);
   $ig_ldapdn=ldap_explode_dn(ldap_get_dn($ig_ldapconn,$ig_ldapentry),1);
   echo "/".$ig_ldapdn[1]."/".$ig_ldapdn[0]."<br />";
   var_dump($ig_ldapvalues);
   echo "<br /><br />";
}
ldap_close($ig_ldapconn);
?>
Can anyone help with this?

I am having trouble using ldap_start_tls().

I am using the same code I have seen in a dozen different forums:

$ds = ldap_connect($ldap['host'],$ldap['port']); 
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_start_tls($ds);
ldap_bind($ds,$ldap['user'],$ldap['pass'])
ldap_close($ds);

but I still receive the same error message: Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error

The LDAP authentication had been working fine without the ldap_start_tls.

I feel like I must have missed something big - is ldap_start_tls() dependent on having a local certificate? is OpenSSL a pre-requisite? I've seen lots of discussions turn towards OpenLDAP, but I had assumed this was only on the target server. Can anyone confirm that?

Any help would greatly appreciated.
Darren

Hi I am finding that I get a random LDAP search fail the initial time i run a script against 2008R2 when I refresh all is ok ? PHP 5.2.5 get the same thing with the latest version of PHP. any ideas ? its as if the DC is sleeping until you give it a nudge, running on 2008R2 running on vmware.

Hi,
I'm working with the LDAP directory, and using PHP to access it.

I am able to extract the name, departments and phone nos. from the directory.

On the display page, i am looking to make the name column sort A-Z. (Like the "name" will be clickable and will sort the names from A-Z and Z-A )

Would appreciate if someone could suggest approaches to achieve this using PHP

Thanks

Hi Everyone,

Hopefully someone will be able to assist with my problem. Basically, my situation is that we have a server which hosts multiple websites using multiple IP address. One of the new sites we are moving to this server needs an LDAP connection outside of our network. The outside LDAP has already been enabled to accept requests from the specific IP assigned to this site. However, other sites on this server are using other IP addresses.

It seems as if the LDAP authentication request is getting sent by a IP address which is not authorized by the firewall on the outside LDAP server. Thus trouble authenticating.

So, my question is, is there a way to force the ldap_bind request to use a specific IP address to send the request for authentication? Supposedly this can be done using an event handler. However, I don't have much experience with event handlers so am not sure how to go about doing this.

I would appreciate any help or ideas to resolve this situation. Thanks!

- Jodie

Hi,
I am trying to search the employeeid value taken from an mssql db against a LDAP database.
It works but when it cannot found the employeeid on the LDAP db it stops with this error:

Catchable fatal error: Object of class variant could not be converted to string in ldap2.php on line 101

Here is the code.
i've tried with ->value without success .

Please help me.

do {
$sql = "SELECT EMPL.MATR
FROM DOS
ORDER BY DOS.MATR";
 
$result = mssql_query($sql);
while ($myrow = mssql_fetch_array($result))
{

$matr = $myrow['MATR'];
$matr = intval($matr);

//echo $matr;

$strRS = "Select givenname,sn,displayName,mail,SAMAccountName,employeeid,cn from 'LDAP://dom.local/DC=dom,DC=local' where objectClass='user' and employeeid='$matr'";

$RS->Open($strRS, $Conn, 1, 1);
echo $RS['cn'];
echo "<br>";

$RS->Close;

}

$item++; // iterate count through ldapresults

}
while ($item < $Result['count']);
echo '<hr />';
$Conn->Close;

I am new to PHP. I have been trying to do some research online for a few days and not getting very far. I feel like I know less now than I did before I started.

Here's the story:

I've set up a LAMP server that runs a Wiki and AppGini (http://www.bigprof.com/appgini/) - AppGini allows you to "Create web database applications instantly without writing any code" - The only downside we have with it, is it's got it's own set of user accounts. My team all logs in with the default admin account which isn't a big deal but we'd prefer to use LDAP to AD for reasons I won't get into right now.

I emailed AppGini support and asked about LDAP integration. Their response was that it's "a little bit of work" and "You can modify the login authentication function to authenticate using LDAP ... please see the example code he http://code.activestate.com/recipes/101525-ldap-authentication/ (needs some modifications to work with AppGini)"

I've googled around and found 2 dozen different LDAP PHP samples. I've gotten some of them to work. By work I mean they connect to my domain controller and say "success" I'm not actually logged into anything.

So I'm looking for a little help from square one. I need to have a better understanding of how things are supposed to work so I know where I'm supposed to go with all of this. Where do I start? What do I do? What would YOU do?


This is the current "index.php" that logs you into the site.
Code: [Select]
<?php

error_reporting(E_ALL ^ E_NOTICE);
$d=dirname(__FILE__);
include("$d/defaultLang.php");
include("$d/language.php");
include("$d/incCommon.php");
$x->TableTitle=$Translation['homepage'];
include("$d/header.php");

if($_GET['signOut']==1){
logOutMember();
}

$tablesPerRow=2;
$arrTables=getTableList();

?>
<div align="center"><table cellpadding="8">
<?php if($_GET['loginFailed']==1 || $_GET['signIn']==1){ ?>
<tr><td colspan="2" align="center">
<?php if($_GET['loginFailed']){ ?>
<div class="Error"><?php echo $Translation['login failed']; ?></div>
<?php } ?>
<form method="post" action="index.php">
<table border="0" cellspacing="1" cellpadding="4" align="center">
<tr>
<td colspan="2" class="TableHeader">
<div class="TableTitle"><?php echo $Translation['sign in here']; ?></div>
</td>
</tr>
<tr>
<td align="right" class="TableHeader">
<?php echo $Translation['username']; ?>
</td>
<td align="left" class="TableBody">
<input type="text" name="username" value="" size="20" class="TextBox">
</td>
</tr>
<tr>
<td align="right" class="TableHeader">
<?php echo $Translation['password']; ?>
</td>
<td align="left" class="TableBody">
<input type="password" name="password" value="" size="20"class="TextBox">
</td>
</tr>
<tr>
<td colspan="2" align="right" class="TableHeader">
<span style="margin: 0 20px;"><input type="checkbox" name="rememberMe" id="rememberMe" value="1"> <label for="rememberMe"><?php echo $Translation['remember me']; ?></label></span>
<input type="submit" name="signIn" value="<?php echo $Translation['sign in']; ?>">
</td>
</tr>
<tr>
<td colspan="2" align="left" class="TableHeader">
<?php echo $Translation['go to signup']; ?>
<br /><br />
</td>
</tr>
<tr>
<td colspan="2" align="left" class="TableHeader">
<?php echo $Translation['forgot password']; ?>
<br /><br />
</td>
</tr>
<tr>
<td colspan="2" align="left" class="TableHeader">
<?php echo $Translation['browse as guest']; ?>
<br /><br />
</td>
</tr>
</table>
</form>
<script>document.getElementsByName('username')[0].focus();</script>
</td></tr>
<?php } ?>
<?php
if(!$_GET['signIn'] && !$_GET['loginFailed']){
if(is_array($arrTables)){
if(getLoggedAdmin()){
?><tr><td colspan="<?php echo ($tablesPerRow*3-1); ?>" class="TableTitle" style="text-align: center;"><a href="admin/"><img src=table.gif border=0 align="top"></a> <a href="admin/" class="TableTitle" style="color: red;"><?php echo $Translation['admin area']; ?></a><br /><br /></td></tr><?php
}
$i=0;
foreach($arrTables as $tn=>$tc){
$tChk=array_search($tn, array());
if($tChk!==false && $tChk!==null){
$searchFirst='?Filter_x=1';
}else{
$searchFirst='';
}
if(!$i % $tablesPerRow){ echo '<tr>'; }
?><td valign="top"><a href=<?php echo $tn; ?>_view.php<?php echo $searchFirst; ?>><img src=<?php echo $tc[2];?> border=0></a></td><td valign="top" align="left"><a href=<?php echo $tn; ?>_view.php<?php echo $searchFirst; ?> class="TableTitle"><?php echo $tc[0]; ?></a><br /><?php echo $tc[1]; ?></td><?php
if($i % $tablesPerRow == ($tablesPerRow - 1)){ echo '</tr>'; }else{ echo '<td width="50">&nbsp;</td>'; }
$i++;
}
}else{
?><tr><td><div class="Error"><?php echo $Translation['no table access']; ?><script language="javaScript">setInterval("window.location='index.php?signOut=1'", 2000);</script></div></td></tr><?php
}
}
?>

</table><br /><br /><div class="TableFooter"><b><a href=http://bigprof.com/appgini/>BigProf Software</a> - <?php echo $Translation['powered by']; ?> AppGini 4.61</b></div>

</div>
</html>

Hi all,

I have an authentication part on my website that checks every page through a session variable if a user is logged in and which user it is.
When I test my code on my computer it works perfectly registration and login goes smooth but when someone on another computer tries it they get the acces denied page.... does anyone know why???

Greets Ryflex

I am currently doing the following but wish to change to using JWTs.

A webserver is running some CRM system which has its own authentication system and browsers can access public routes without logging and but must log on first to access private routes. All the routes on the webserver which are prefixed by "api" will be forwarded to specific REST API along with an "account" GUID in the header and the user's ID if it exists. For the routes that require a user to be logged in, the webserver will first check if a session exists, and if not make a preliminary GET request to the REST API which includes the GUID as well as the user's ID and encrypted password (both based on the webserver's CRM DB) in the URL.  Not sure whether anything is possible by including the hashed password and am currently not doing anything with it.  The REST API queries the DB using the GUID and webserver's user ID and returns the REST API's users ID and the webserver stores it in a session. The REST API receives the GUID and potentially the REST API's user ID and queries the DB to retrieve the account and potentially user before executing the route, and returns the response to the webserver which it returns it to the browser.

The new approach might be something like the following:

Before the webserver forwards any request to the REST API, it checks if a session is set, and if not performs a GET request to the REST API along with the GUID and if known user's credentials in the URL and receives a JWT which contains a payload including the account PK, and potentially the user PK, user's access level, etc. All future requests include this JWT in the header. The REST API no longer queries the DB to get the account ID and user authorized settings as it is provided in the JWT.

A couple of questions:

What should be done if a non-logged on user first accesses a public route, gets a JWT, and stores it in a session, but then later logs on and accesses a private route?  The webserver thinks it has a valid JWT and will send it but the REST API will then decrypt it and find there is no user it.  One option is for the webserver to use two sessions, but this sounds kludgy.  Or maybe the REST API returns some header which instructs the webserver to re-authenticate, but not sure if even an option, and if so how to cleanly prevent some loop.  Also, would it be necessary to issue a new JWT or can the payload in a JWT be changed? Is GET appropriate for requesting the JWT's or should I use some other method? Is it appropriate to include the user's access level in the JWT payload?  Will one need to wait until the JWT has expired before their access level changes? Any ideas how to deal with using the user's password on the CRM to also authenticate on the REST API?  The GUID is probably secret enough for the application and if an issue, can just use the GUID and username. Am I going down an reasonable path and anything else obvious I should be considering?

Thanks!

Ive put together a PHP/MySQLi login script for my site.

However I was wandering:
    1. Does Facebook use PHP Cookies or Sessions for their login? (Figured out my own answer )
    2. How does FB set the Cookie/Session so that when I log into facebook.com I am also logged into developers.facebook.com

Thanks in advance.

Dera All,

SAMPLE TABLE FIELDS AND DATAS:

USER   PASSWORD   ACCNO   AMOUNT      INTEREST

JOE      JOE@123      1234      4500.00      250.00
SAM      SAM123      5678      12050.00      350.00
RAM      RAM987      8521      15698.00      568.00
MARY   MARY786      7542      14879.00      567.00
RAJ      RAJ876      8531      45622.00      1500.00


FIRST PAGE:


USER NAME  :    RAM

PASSWORD  :   ********   

   SUBMIT



SECOND PAGE:



ACCOUNT      NO    8521



THIRD PAGE:



HI WELCOME RAM  UR BALACE AND INTEREST IS

BALANCE :    15698.00
INTEREST :    568.00

HI AM NEW TO PHP. I need the code for above page. If the user only authenticate to view his accounts. Others not possible to view the other accounts

I have had a problem with people attacking my site and trying to gain access to users accounts so i beefed up security, however now users are complaining they keep getting logged out.

Here are the variables i use to validate the users and i dont want to strip them down any more can anyone give me any ideas for changing them so its still secure but not so strict as to keep logging the users out?

1. Username & password is encrypted into a cookie and verified on every page they visit.
2. There ip address is recorded on login and is checked against there current ip, on every page they visit via MySql.
3. When the user logs in a unix time stamp (mySql) is generated an updated of every page they visit and if it has not been updated in the last 60 mins the user is logged out.
4.I also generate a random key which is stored in the DB and is passed on every page via GET.
5.If a user tries to login and fails an email is sent to them and if 3 unsuccessful attempts user is locked out for 30mins.