From a friend of mine that might have some insight:

the LDAP_CONNECT is doing the right thing according to php.net <http://php.net>:

Returns a positive LDAP link identifier on success, or FALSE on error. When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource <http://www.php.net/manual/en/language.types.resource.php> as it does not actually connect but just initializes the connecting parameters. The actual connect happens with the next calls to ldap_* funcs, usually with ldap_bind() <http://www.php.net/manual/en/function.ldap-bind.php>.

Easily, the number one & two reasons LDAP does not work on AD are that it is not exposed or the VLAN is restricting access to it.


--

Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects



-----------------------


The environment is a single server running Win Server 2008 R2 Standard with SP1 with Apache 2.2 and PHP 5.3.19.

I have a PHP script that attempts to do an LDAP bind to the Win Server 2008 R2 Active Directory and fails no matter what variations I try. I put in a lot of echos to see the results at each step, and I've discovered that ldap_connect ALWAYS connects. I can put total garbage in the URL and it never fails. The latest iteration of my PHP script does an anonymous bind, then does an ldap_search, which fails.

Here's the script (actual domain, user & pswd changed):


<?php

// The constant name must be a quoted string; skip it if PHP already defines it.
if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
}

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
// $ad does not exist yet, so there is no link to query for an error here.
echo "<br>LDAP set debug level: ";

$LDAPhost = 'ldap://myDomain.com';
$LDAPport = '3268';
$ad = ldap_connect($LDAPhost, $LDAPport);
echo "<br>LDAP connect to $LDAPhost: " . ldap_errno($ad) . ' ' . ldap_error($ad);

if ($ad) {

    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    echo "<br>LDAP set protocol to version 3: " . ldap_errno($ad) . ' ' . ldap_error($ad);

    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
    echo "<br>LDAP set referrals to 0: " . ldap_errno($ad) . ' ' . ldap_error($ad);

    // No DN or password given: this is an anonymous bind.
    $bind = ldap_bind($ad);
    echo "<br>LDAP bind: " . ldap_errno($ad) . ' ' . ldap_error($ad);

    $baseDN = 'CN=Users,DC=myDomain,DC=com';
    $filter = '(objectClass=*)';
    $search = ldap_search($ad, $baseDN, $filter);
    echo "<br>LDAP search $baseDN $filter: " . ldap_errno($ad) . ' ' . ldap_error($ad);

    // Only read entries when the search returned a result.
    if ($search && ($rec = ldap_get_entries($ad, $search))) {
        echo "<br>LDAP get entries: " . ldap_errno($ad) . ' ' . ldap_error($ad);

        // Index each entry with $i, and concatenate instead of interpolating
        // nested array keys inside the string.
        for ($i = 0; $i < $rec["count"]; $i++) {
            echo "<br>" . $rec[$i]['uid'][0];
            echo "<br>" . $rec[$i]['givenname'][0];
        }

    } else {
        echo '<br>Record not found.';
    }

    ldap_close($ad);
} else {
    echo '<br><br>Could not connect.';
}

?>


The displayed results are:

LDAP set debug level:
LDAP connect to ldap://myDomain.com: 0 Success
LDAP set protocol to version 3: 0 Success
LDAP set referrals to 0: 0 Success
LDAP bind: 0 Success
LDAP search CN=Users,DC=myDomain,DC=com (objectClass=*): 1 Operations error
Record not found.

I would love to know exactly what to put as the base DN, i.e. what is ldap_bind comparing these values to? Something in Active Directory? Something in the registry? Something else?

Searching for this stuff turns up lots of examples, but none that work for me. Any ideas?


--

Peter Dow
Dow Software Services, Inc.
909 793-9050
petercdow@xxxxxxxxx
pdow@xxxxxxxxxxxxxx
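
Added example (not part of either message in this thread): because ldap_connect() only initializes the connection parameters, each later step has to be judged by its own return value, starting with a plain TCP check for the "not exposed / VLAN" case. The helper name ad_probe and the host, account, password and base DN are placeholders assumed for illustration.

```php
<?php
// Added example, not the poster's script. ad_probe() is a hypothetical helper;
// host, account, password and base DN are placeholders.
function ad_probe($host, $port, $user, $pass, $baseDN, $filter)
{
    // ldap_connect() only stores parameters, so test the TCP path first:
    // a port that is not exposed or a VLAN restriction shows up here.
    $sock = @fsockopen($host, $port, $errno, $errstr, 5);
    if ($sock === false) {
        return array(false, 'tcp', $errno, $errstr);
    }
    fclose($sock);

    // A bind with an empty password can be accepted as an anonymous bind and
    // report Success without authenticating anyone, so refuse it up front.
    if ($user === '' || $pass === '') {
        return array(false, 'input', 0, 'empty user or password');
    }

    $ad = ldap_connect("ldap://$host:$port");
    if ($ad === false) {
        return array(false, 'connect', 0, 'invalid LDAP URI');
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

    // First real network operation: judge it by its return value, not by $ad.
    // A simple bind over ldap:// sends the password unencrypted; prefer
    // ldaps:// or ldap_start_tls() where the server supports it.
    if (!@ldap_bind($ad, $user, $pass)) {
        $r = array(false, 'bind', ldap_errno($ad), ldap_error($ad));
        ldap_unbind($ad);
        return $r;
    }
    $search = @ldap_search($ad, $baseDN, $filter, array('cn'));
    if ($search === false) {
        $r = array(false, 'search', ldap_errno($ad), ldap_error($ad));
        ldap_unbind($ad);
        return $r;
    }
    $count = ldap_count_entries($ad, $search);
    ldap_unbind($ad);
    return array(true, 'search', 0, "$count entries");
}

// Prints array(ok, failing step, LDAP/socket error number, message).
print_r(ad_probe('myDomain.com', 3268, 'user@myDomain.com',
                 'placeholder-password', 'DC=myDomain,DC=com', '(objectClass=user)'));
```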




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
