
How to connect to LDAP with ldap_sasl_bind in PHP

I have this user on LDAP: uid=user,ou=People,dc=ex,dc=com. I connect to the LDAP server with:

$con = ldap_connect('ldap://ex.com');
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($con, LDAP_OPT_REFERRALS, 0);

I try to bind with ldap_sasl_bind:

ldap_sasl_bind($con, 'uid=user,ou=People,dc=ex,dc=com', 'secret', 'DIGEST-MD5');

This does not work: "Invalid credentials"

ldap_sasl_bind($con, NULL, 'secret', 'DIGEST-MD5', NULL, 'uid=user,ou=People,dc=ex,dc=com');

Same result: "Invalid credentials"

ldap_bind($con, 'uid=user,ou=People,dc=ex,dc=com', 'secret');

works fine.

When using a low-security SASL method like DIGEST-MD5, the server must be able to get the clear-text password from the entry named by the distinguished name. This means the password must be stored in clear text or with a reversible encryption (this reduces the security of the entry, one reason DIGEST-MD5 should be considered low-security and avoided unless required by the LDAP client; LDAP clients should prefer simple authentication using a secure connection).

Check to be sure the entry for uid=user,ou=People,dc=ex,dc=com has the password secret available to the server, that is, the password storage scheme is either clear-text or a reversible encryption as noted above. If a reversible encryption is used, the strongest method should be used, which I believe is AES.
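
One way to run the check described in the answer above, as an added example that is not part of the original post: it classifies a stored userPassword value by its "{SCHEME}" prefix and reports whether the server could recover the password for DIGEST-MD5. The prefix convention, the list of one-way schemes, the admin DN cn=admin,dc=ex,dc=com and the LDAP_ADMIN_PW environment variable are assumptions.

```php
<?php
// Added example, not from the original post. Assumes userPassword values use
// the "{SCHEME}" prefix convention; the admin DN and env var are hypothetical.
const ONE_WAY = ['SSHA', 'SHA', 'SMD5', 'MD5', 'CRYPT'];

/** Return the storage scheme named by the "{SCHEME}" prefix, or CLEARTEXT. */
function passwordScheme(string $stored): string
{
    return preg_match('/^\{([^}]+)\}/', $stored, $m) ? strtoupper($m[1]) : 'CLEARTEXT';
}

/** Can the server recover the password, as DIGEST-MD5 requires? */
function digestMd5Verdict(string $scheme): string
{
    if (in_array($scheme, ['CLEARTEXT', 'CLEAR'], true)) {
        return 'possible: stored in clear text';
    }
    if (in_array($scheme, ONE_WAY, true)) {
        return 'not possible: one-way hash, password cannot be recovered';
    }
    return 'depends: only if the server treats this scheme as reversible';
}

/** Read the entry's userPassword over StartTLS and return its scheme only. */
function schemeForEntry(string $uri, string $adminDn, string $adminPw, string $dn): ?string
{
    $con = ldap_connect($uri);
    if ($con === false) { return null; }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
    if (!ldap_start_tls($con) || !ldap_bind($con, $adminDn, $adminPw)) {
        return null; // no TLS or bind failed: do not continue in the clear
    }
    $res = ldap_read($con, $dn, '(objectClass=*)', ['userPassword']);
    $entries = $res ? ldap_get_entries($con, $res) : false;
    ldap_unbind($con);
    $stored = $entries[0]['userpassword'][0] ?? null; // keys are lowercased
    return $stored === null ? null : passwordScheme($stored);
}

// Constructed sample values (not real hashes) to show the classification offline.
foreach (['secret', '{SSHA}c2FtcGxlLW5vdC1hLXJlYWwtaGFzaA==', '{AES}c2FtcGxl'] as $v) {
    $s = passwordScheme($v);
    echo $s, ' => ', digestMd5Verdict($s), PHP_EOL;
}
// Live check, run only when an admin password is supplied in the environment.
$pw = getenv('LDAP_ADMIN_PW');
if ($pw !== false) {
    $s = schemeForEntry('ldap://ex.com', 'cn=admin,dc=ex,dc=com', $pw, 'uid=user,ou=People,dc=ex,dc=com');
    echo ($s === null ? 'userPassword not readable' : "$s => " . digestMd5Verdict($s)), PHP_EOL;
}
```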
