
PHP LDAP login script

I'm new to LDAP bind scripts. I'm trying to check whether the script I found is correct so that I can use it back at my company as an LDAP authentication script. For this I'm using https://documize.github.io/ad-ldap-test-server/ . Everything seems to be working, but the only way I get through the authentication is by using something like CN=Mr Manager,CN=Users,DC=mycompany,DC=local as the username. When I use the username itself, for instance Mr Manager, I get the message: "Unable to login: Invalid credentials".

Something is missing, something that resolves the username, but I can't figure out what. Here is the code I'm using.

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 'On');

// Domain name; the base DN (DC=mycompany,DC=local) is derived from it below
define('DOMAIN_FQDN', 'mycompany.local');
define('LDAP_SERVER', 'documize-ad.eastus.cloudapp.azure.com');

if (isset($_POST['submit']))
{
    $user = isset($_POST['username']) ? trim($_POST['username']) : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : ''; //Pass@word1!

    // An empty password turns ldap_bind() into an anonymous bind, which many
    // servers accept with result code 0: treat it as a failed login up front.
    if ($user === '' || $pass === '')
        $err = 'Unable to login: Invalid credentials';

    // Port goes into the URI; the separate port argument is deprecated in newer PHP
    $conn = ldap_connect("ldap://".LDAP_SERVER.":389/");

    if (!$conn)
        $err = 'Could not connect to LDAP server';

    elseif (!isset($err))
    {
        //define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032); // only needed on PHP < 7.1

        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

        $bind = @ldap_bind($conn, $user, $pass);

        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);

        if (!$bind && !empty($extended_error))
        {
            // AD returns e.g. "... AcceptSecurityContext error, data 532, v2580";
            // the value after "data" is a hex sub-code (52e = bad password, 532 = password expired)
            if (preg_match('/data ([0-9a-f]+)/i', $extended_error, $m) && strtolower($m[1]) === '532')
                $err = 'Unable to login: Password expired';
        }

        elseif ($bind)
        {
            $base_dn = "DC=". join(',DC=', explode('.', DOMAIN_FQDN));

            // Subtree search from the domain root; only the attribute we compare is requested
            $result = @ldap_search($conn, $base_dn, "(CN=*)", array('displayname'));

            if ($result === false)
                $err = 'Unable to login: '. ldap_error($conn);

            else
            {
                $info = ldap_get_entries($conn, $result);

                for ($i = 0; $i < $info['count']; $i++)
                {
                    // ldap_get_entries() lowercases attribute names, so 'displayName' is never set
                    if (isset($info[$i]['displayname']) AND strtolower($info[$i]['displayname'][0]) == strtolower($user))
                    {
                        session_start();

                        $username = explode('@', $user);
                        $_SESSION['foo'] = 'bar';

                        // set session variables...

                        break;
                    }
                }
            }
        }
    }

    // session OK, redirect to home page
    if (isset($_SESSION['foo']))
    {
        header('Location: index.php');
        exit();
    }

    elseif (!isset($err)) $err = 'Unable to login: '. ($conn ? ldap_error($conn) : 'unknown error');

    if ($conn) ldap_close($conn);
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
<style>
* { font-family: Calibri, Tahoma, Arial, sans-serif; }
.errmsg { color: red; }
#loginbox { font-size: 12px; }
</style>
</head>
<body>
<div align="center"><img id="imghdr" src="img/logo.jpg" height="300" /><br><br><h2>CREDENTIALS</h2><br><br>

<div style="margin:10px 0;"></div>
<div title="Login" style="width:500px" id="loginbox">
    <div style="padding:10px 0 10px 0px">
    <form action="login.php" id="login" method="post">
        <table><?php if (isset($err)) echo '<tr><td colspan="2" class="errmsg">'. htmlspecialchars($err, ENT_QUOTES, 'UTF-8') .'</td></tr>'; ?>
            <tr>
                <td>User:</td>
                <td><input type="text" name="username" style="border: 1px solid #ccc;" autocomplete="off"/></td>
            </tr>
            <tr>
                <td>Password:</td>
                <td><input type="password" name="password" style="border: 1px solid #ccc;" autocomplete="off"/></td>
            </tr>
        </table>
        <input class="button" type="submit" name="submit" value="Login" />
    </form>
    </div>
</div>
</div>
</body>
</html>
```

The general way to implement an LDAP login is:

  1. Bind with an application user to the LDAP server
  2. Search for the user's entry with the user name, e.g. with a filter like (uid=<username>) or, in the case of MS AD, (sAMAccountName=<username>)
  3. Use the DN of the found user entry as the bind DN in a new bind request

Security:

  1. Don't forget the disambiguation check when processing user search results! Only process the login if the search returns exactly one user entry.
  2. Refuse empty password input as a failed login! Some LDAP servers will happily return LDAP result code ok(0) when an empty password is used in a bind request.
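As an added example (not the original poster's script and not code from the answer above), here is the three-step bind, search, re-bind procedure in PHP with both security checks applied. The server URI, base DN, service-account DN, environment variable name and the objectClass values are placeholders chosen for illustration; the AD "data" sub-codes in ad_bind_reason() are the documented Active Directory values.

```php
<?php
// Added example: bind -> search -> re-bind login against an LDAP directory.
// All names (server, base DN, service account, env var) are placeholders.

/**
 * Authenticate $username/$password. Returns the user's DN on success, null on
 * any failure. The caller is told nothing about *why* (that would allow
 * username enumeration); the reason goes to the server log via error_log().
 */
function ldap_authenticate(string $uri, string $baseDn, string $serviceDn, string $servicePw,
                           string $username, string $password, bool $isActiveDirectory = true): ?string
{
    // Security check 2: an empty password makes ldap_bind() perform an anonymous
    // (or "unauthenticated", RFC 4513 5.1.2) bind that many servers accept with
    // result code 0. Refuse before touching the server.
    if ($username === '' || $password === '') {
        error_log('ldap login: empty username or password rejected');
        return null;
    }

    $conn = ldap_connect($uri);
    if ($conn === false) {
        error_log('ldap login: bad LDAP URI');
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // A simple bind sends the password in clear text: require ldaps:// or STARTTLS.
    if (strpos($uri, 'ldaps://') !== 0 && !@ldap_start_tls($conn)) {
        error_log('ldap login: STARTTLS failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return null;
    }

    // Step 1: bind with the (read-only, low-privilege) application account.
    if (!@ldap_bind($conn, $serviceDn, $servicePw)) {
        error_log('ldap login: service bind failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return null;
    }

    // Step 2: resolve the login name to a DN. ldap_escape() stops a username such
    // as "*)(objectClass=*" from rewriting the filter (LDAP injection).
    $attr   = $isActiveDirectory ? 'sAMAccountName' : 'uid';
    $class  = $isActiveDirectory ? 'user' : 'inetOrgPerson';
    $filter = sprintf('(&(objectClass=%s)(%s=%s))', $class, $attr,
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    // '1.1' = request no attributes (we only need the DN); size limit 2 is enough to detect ambiguity
    $result = @ldap_search($conn, $baseDn, $filter, ['1.1'], 0, 2);
    if ($result === false) {
        error_log('ldap login: search failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return null;
    }

    // Security check 1: exactly one entry, otherwise refuse.
    $count = ldap_count_entries($conn, $result);
    if ($count !== 1) {
        error_log("ldap login: " . (int) $count . " entries for '$username', refusing");
        ldap_unbind($conn);
        return null;
    }
    $userDn = ldap_get_dn($conn, ldap_first_entry($conn, $result));

    // Step 3: bind again as the user with the supplied password.
    if (!@ldap_bind($conn, $userDn, $password)) {
        $detail = '';
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
        error_log("ldap login: user bind failed for $userDn: " . ldap_error($conn) . ' ' . ad_bind_reason((string) $detail));
        ldap_unbind($conn);
        return null;
    }

    ldap_unbind($conn);
    return $userDn;
}

/**
 * Decode the "data NNN" hex sub-code Active Directory puts in the diagnostic
 * message of a failed bind ("... AcceptSecurityContext error, data 52e, v2580").
 */
function ad_bind_reason(string $diagnostic): string
{
    static $codes = [
        '525' => 'user not found',          '52e' => 'invalid credentials',
        '530' => 'logon time restriction',  '531' => 'workstation restriction',
        '532' => 'password expired',        '533' => 'account disabled',
        '701' => 'account expired',         '773' => 'user must reset password',
        '775' => 'account locked out',
    ];
    if (preg_match('/data ([0-9a-f]+)/i', $diagnostic, $m)) {
        $code = strtolower($m[1]);
        return '(' . ($codes[$code] ?? "AD sub-code $code") . ')';
    }
    return '';
}

// Usage with placeholder values; the service password comes from the environment, not the source.
$dn = ldap_authenticate('ldaps://dc01.mycompany.local', 'DC=mycompany,DC=local',
                        'CN=svc-webapp,OU=Service Accounts,DC=mycompany,DC=local', getenv('LDAP_SVC_PW') ?: '',
                        $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($dn === null) {
    echo 'Unable to login: Invalid credentials';   // one message for every failure mode
} else {
    session_start();
    session_regenerate_id(true);
    $_SESSION['user_dn'] = $dn;
    header('Location: index.php');
    exit();
}
```

Two practical notes. First, this explains the behaviour in the question: an Active Directory simple bind accepts a full DN, a UPN (user@mycompany.local) or DOMAIN\sAMAccountName as the bind name, but not a bare CN such as "Mr Manager", so without the service-account search there is nothing that turns the display name into a DN. Second, the generic "Invalid credentials" shown to the user is deliberate; the decoded AD sub-code (password expired, account disabled, locked out) belongs in the server log, because returning it to the browser tells an attacker which usernames exist and which are locked.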
