LDAP Can't perform an authenticated bind - Windows Server 2008 R2 Using PHP/Apache
Okay, after much investigation I have turned on error info using ldap_errno() and ldap_error() and found it bringing back the error 'Strong(er) authentication required'. I have discovered two possible solutions:
Adjust Group Policy Settings
- Negotiate Signing (Network security: LDAP client signing requirements)
- No signing requirements (Domain Controller: LDAP server signing requirements)
Result: Managed to bind successfully, and when I enter the username or password incorrectly it throws an 'Invalid credentials' error as expected.
Enable LDAP over SSL (LDAPS)
- http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html
- http://support.microsoft.com/kb/321051
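As an added example (not code from the original post), here is the authenticated bind done over LDAPS, i.e. the second solution above. A TLS-protected channel satisfies the domain controller's LDAP signing requirement, so the 'Strong(er) authentication required' result (LDAP result code 8) goes away without lowering the 'LDAP server signing requirements' policy on the DC, which is the safer of the two fixes. The hostname, account name and password are placeholders; the code assumes PHP 7.1 or later with the ldap extension built against OpenLDAP (which is what the LDAP_OPT_X_TLS_* constants need), and that the DC's certificate chains to a CA bundle the PHP host trusts, as set up per the Microsoft KB above.

```php
<?php
// Added example, not from the original question or answer.
// Authenticated bind against an AD domain controller over LDAPS (port 636)
// or, alternatively, StartTLS on port 389. Either way the credentials are
// only sent after TLS is up, and the DC's signing requirement is satisfied.

function ldapBindSecure(string $host, string $user, string $pass,
                        string $caFile, bool $useStartTls = false)
{
    // ldaps:// selects TLS at connect time; ldap:// + ldap_start_tls()
    // upgrades a plaintext connection before the bind.
    $uri  = $useStartTls ? "ldap://{$host}:389" : "ldaps://{$host}:636";
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("Malformed LDAP URI: {$uri}");
    }

    // Active Directory requires LDAPv3; the PHP default is v2.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD returns referrals for some searches; chasing them breaks binds.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Demand a valid server certificate instead of accepting anything.
    // Equivalent to TLS_REQCERT demand / TLS_CACERT in ldap.conf.
    // $caFile is a placeholder path to the CA that issued the DC's cert.
    ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    if ($useStartTls && !@ldap_start_tls($conn)) {
        throw new RuntimeException("StartTLS failed: " . ldap_error($conn));
    }

    // Suppress PHP's warning and report the LDAP error code ourselves:
    //   8  = strong(er) authentication required (signing/TLS not satisfied)
    //   49 = invalid credentials (wrong user or password)
    if (!@ldap_bind($conn, $user, $pass)) {
        $errno = ldap_errno($conn);
        throw new RuntimeException(
            "LDAP bind failed ({$errno}): " . ldap_error($conn));
    }
    return $conn;
}

// Usage with placeholder values; a UPN (user@domain) is accepted by AD
// as the bind name even though it is neither an RDN nor a DN.
try {
    $conn = ldapBindSecure("machinename.domain.com",
                           "user@domain.com", "password",
                           "/etc/ssl/certs/domain-ca.pem");
    echo "LDAP bind successful over TLS\n";
    ldap_unbind($conn);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

If the bind fails with a certificate error rather than code 8 or 49, the problem is the DC's certificate (hostname mismatch or untrusted issuer); fix the certificate or the CA file rather than switching LDAP_OPT_X_TLS_REQUIRE_CERT to LDAP_OPT_X_TLS_NEVER, which would leave the credentials exposed to any host that can intercept the connection.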
Matt
Updated on September 18, 2022
Comments
-
Matt almost 2 years
I'm having issues performing an authenticated bind against the server. The issue doesn't appear to be in the code; however, it may be a server issue.
Just so you know:
- LDAP is enabled in Apache/PHP
- I'm connecting as [email protected]
- The domain controller has LDAP running and an entry in the firewall (Windows Server 2008 R2). The issue might be here: this was set up as a DC and is running LDAP by default. I did no special configuration on LDAP.
- I can perform an anonymous bind but not an authenticated one
I can bind anonymously using this script:

    <?php
    // Anonymous bind
    $ldapconn = ldap_connect("machinename.domain.com")
        or die("Could not connect to LDAP server.");

    if ($ldapconn) {
        // binding anonymously
        $ldapbind = ldap_bind($ldapconn);

        if ($ldapbind) {
            echo "LDAP bind anonymous successful...";
        } else {
            echo "LDAP bind anonymous failed...";
        }
    }
However, when I try to do an authenticated bind using this script, it fails.

    <?php
    // Authenticated Bind
    $ldaprdn  = '[email protected]';  // ldap rdn or dn
    $ldappass = 'password';          // associated password

    // connect to ldap server
    $ldapconn = ldap_connect("machinename.domain.com")
        or die("Could not connect to LDAP server.");

    if ($ldapconn) {
        // Active Directory needs LDAPv3; PHP defaults to v2
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

        // binding to ldap server
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

        // verify binding, reporting the server's error text on failure
        if ($ldapbind) {
            echo "LDAP bind successful...";
        } else {
            echo "LDAP bind failed: " . ldap_error($ldapconn);
        }
    }
Where am I going wrong?
-
jscott about 11 years
"[email protected]" is neither an RDN nor a DN, though it could be a user's UPN. Try it without the "@domain.com" or get the full DN of the object, something like "CN=username,OU=something,DC=example,DC=com". It also may help if you updated your question to detail which error message you're seeing.
-
Matt about 11 years
Thanks for the help guys, I've found a solution and I'll post it up shortly.