使用ldap / php查询AD

Question

Background Information

I'm trying to figure out how to query our active directory server for information about users / groups via a php web application. (let's call it the "widget app". Ultimately, I'm going to use this information to try to "see" what fields / data is available in AD to check / use as a part of authentication besides just username and password. For example, I only want to allow people in specific AD groups ... etc.

I'm using this as an example: http://php.net/manual/en/ldap.examples-basic.php

Problem

Unfortunately, I'm getting zero results... even when I use my AD username as the filter.

this is what my results look like:

Connecting ...connect result is Resource id #26
Binding ...Bind result is 1
Searching for (sn=myusername*) ...Search result is Resource id #27

Getting entries ...
Data for 0 items returned:

What I've tried so far:

We have another web application that's running on the same web server as the widget app. This other application is set up so that apache will prompt for AD credentials. I know it works because when I try to authenticate myself on this secondary application, my AD credentials are authenticated and i'm given the authorization I need to use the application.

So I started to poke around the apache conf and tried to make sure my PHP code is using the same values.

The Code

Here's the PHP code that's currently failing:

public function ldap_test() {
            echo "<h3>LDAP query test</h3>";
            echo "Connecting ...";
            $ds=ldap_connect("10.11.11.1111");  // must be a valid LDAP server!
            echo "connect result is " . $ds . "<br />";

            if ($ds) {
                echo "Binding ...";
                //$r=ldap_bind($ds);
$r=ldap_bind($ds,"CN=testvalue1,OU=Services,OU=Accounts,DC=td,DC=ab,DC=org", "somepasswordvalue"); 
                // read-only access
                echo "Bind result is " . $r . "<br />";
                echo "Searching for (sn=myusername*) ...";

                // Search surname entry
                $sr=ldap_search($ds, "CN=testvalue1,OU=Services,OU=Accounts,DC=td,DC=ab,DC=org", "somepasswordvalue", "(sAMAccountName=myusername*)");
                echo "Search result is " . $sr . "<br />";

                echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";

                echo "Getting entries ...<p>";
                $info = ldap_get_entries($ds, $sr);
                echo "Data for " . $info["count"] . " items returned:<p>";

                for ($i=0; $i<$info["count"]; $i++) {
                    echo "dn is: " . $info[$i]["dn"] . "<br />";
                    echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
                    echo "first email entry is: " . $info[$i]["mail"][0] . "<br /><hr />";
                }
                echo "Closing connection";
                ldap_close($ds);
            } else {
                echo "<h4>Unable to connect to LDAP server</h4>";
            }
    }

Apache configuration that I used to build my PHP code: (this config works and properly prompts me for my AD credentials and authenticates properly)

<AuthnProviderAlias ldap ldap-test>
    AuthLDAPBindDN "CN=testvalue1,OU=Services,OU=Accounts,DC=td,DC=ab,DC=org"
    AuthLDAPBindPassword somepasswordvalue
    AuthLDAPURL "ldap://10.11.11.111/ou=Accounts,dc=td,dc=ab,dc=org?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPMaxSubGroupDepth 5
</AuthnProviderAlias>

This is the first time I've tried to do AD authentication in PHP and I'm not the one who manages our AD implementations so I'm fairly green. If you have any suggestions for me please feel free.

Thanks

Answer 1

The problem was that I was filtering by a common name. Notice this:

 AuthLDAPBindDN "CN=testvalue1,OU=Services,OU=Accounts,DC=td,DC=ab,DC=org"

So to fix it , i just had to remove this from the filter and it worked.

 AuthLDAPBindDN "OU=Services,OU=Accounts,DC=td,DC=ab,DC=org"