
Getting an error when authenticating against Active Directory with PHP LDAP

I have made a simple login form in HTML/PHP 1.6 to authenticate against my Active Directory 2012R2, and when I try to log in I sometimes get this error when I execute ldap_search in PHP (without changing the code or configuration):

000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580

The error says that I have to be authenticated to perform an LDAP search, but the user and password are correct.

Here is the code:

 $srv="ldaps://server.domain";
 $port=636;
 $ldap=ldap_connect($srv,$port) 
 ldap_set_option($ldap,LDAP_OPT_PROTOCOL_VERSION,3);
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 ldap_bind($ldap,"DOMAIN\adminsuer",$password)
 $mesg1=ldap_search($ldap,$basedn,"(&(objectCategory=person)(sAMAccountName=$username))",array('sAMAccountName', 'cn', 'sn', 'givenName', 'pwdLastSet', 'userAccountControl', 'pager', 'employeeNumber'));

Where is the problem?

----EDIT----

After a long time I came back to face the problem. I also tried what the php.net site says, but with no luck. My problem is that the bind on LDAP works, but then when I do a search on Active Directory it returns the error specified above. This problem happens rarely and disappears some time after it occurs (about the next 5 to 30 minutes).

....
ldap_set_option($ldap,LDAP_OPT_REFERRALS,0);
$bind=@ldap_bind($ldap,$adminuserdn,$adminpass);
if ($bind) {
   logga2("bind admin OK");
   $mesg1=ldap_search($ldap,$basedn,"(&(objectCategory=person)(sAMAccountName=$username))",array('sAMAccountName', 'cn', 'sn', 'givenName', 'pwdLastSet', 'userAccountControl', 'pager', 'employeeNumber'));
   if ($mesg1) {
         ....
   }
   ....
}
....

I can also reproduce this problem with Perl scripts and with a Windows program called LdapAdmin ( http://www.ldapadmin.org/ ), suitably configured to connect to the LDAP services of the various domain controllers.

You did not check whether you successfully bound to the LDAP connection using the credentials you supplied. You are also missing a semicolon after your ldap_bind().

Updated code

With some error handling, this should give you details regarding the binding problem:

// $basedn, $username and $password are expected to be set by the login form handling above.
$srv="ldaps://server.domain";
$port=636;
$ldap=ldap_connect($srv,$port);
if ($ldap) { 
    ldap_set_option($ldap,LDAP_OPT_PROTOCOL_VERSION,3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    $bindSuccess= ldap_bind($ldap,"DOMAIN\adminsuer",$password);
    if ($bindSuccess) {
         // ldap_search() needs the connection handle as its first argument.
         $mesg1=ldap_search($ldap,$basedn,"(&(objectCategory=person)(sAMAccountName=$username))",array('sAMAccountName', 'cn', 'sn', 'givenName', 'pwdLastSet', 'userAccountControl', 'pager', 'employeeNumber'));
    } else {
        print "Bind failed";
    }
} else {
    print "Connect failed.";
}

// don't print this as part of your HTML as it may reveal server internal data, log it to file/syslog instead:
if ($ldap) {
    $error1= ldap_error($ldap);
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $error2);
    print sprintf('The errors %s and %s were encountered while binding.', $error1, $error2);
}

Read more about error checking for LDAP errors on PHP.net.
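A check-every-step version of the connect, bind and search sequence the answer describes, written for this page as an added example (it is neither the asker's nor the answerer's code); it also verifies the user's password with a second bind as the found DN and escapes the username before it enters the filter. The server name, DNs and the environment variable holding the service password are placeholders.

```php
<?php
// Added example: placeholders for server, DNs and secrets; not the page's own code.
function ldapFail(string $step, $ldap): void {
    // Log the server's reason instead of echoing it into the HTML response.
    $diag = '';
    if ($ldap) {
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    error_log(sprintf('LDAP %s failed: %s (%s)', $step,
        $ldap ? ldap_error($ldap) : 'no connection', $diag));
}

// Returns the user's entry on success, or null on any failure.
function adAuthenticate(string $username, string $password): ?array {
    $baseDn  = 'DC=example,DC=local';                          // placeholder
    $svcDn   = 'CN=svc-ldap,OU=Service,DC=example,DC=local';   // placeholder
    $svcPass = getenv('LDAP_SVC_PASSWORD') ?: '';              // placeholder name
    // An empty password would turn the user bind into an unauthenticated bind.
    if ($password === '') { return null; }

    $ldap = ldap_connect('ldaps://dc1.example.local', 636);    // placeholder host
    if (!$ldap) { ldapFail('connect', null); return null; }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Step 1: bind with the lookup account. An unchecked failed bind is exactly
    // what produces "a successful bind must be completed on the connection".
    if (!@ldap_bind($ldap, $svcDn, $svcPass)) { ldapFail('service bind', $ldap); return null; }

    // Step 2: find the user; escape the input so it cannot alter the filter.
    $filter = sprintf('(&(objectCategory=person)(sAMAccountName=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $res = @ldap_search($ldap, $baseDn, $filter, ['sAMAccountName', 'userAccountControl']);
    if (!$res) { ldapFail('search', $ldap); return null; }
    $entries = ldap_get_entries($ldap, $res);
    if ($entries['count'] !== 1) { return null; }   // unknown or ambiguous user

    // Step 3: verify the supplied password by binding as the user's own DN.
    $userDn = $entries[0]['dn'];
    if (!@ldap_bind($ldap, $userDn, $password)) { ldapFail('user bind', $ldap); return null; }
    ldap_unbind($ldap);
    return $entries[0];
}
```

Because every failure is logged with ldap_error() and the diagnostic message, an intermittent "bind must be completed" result leaves a timestamped record of which step failed and what the domain controller reported.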
