Greetings all,
First, I would like to thank the devs for making Self Service Password a GPL project!!
It is exactly what I was looking for.
But I am having one problem.
For a web server I am using Windows 7 with WAMP ( http://www.wampserver.com/en/ ); this appears to be set up correctly and working fine.
The Self Service Password page displays correctly, with no errors.
The issue appears to be in my LDAPS connection string.
I installed ldp.exe ( http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm ) and I am able to connect to my AD server via SSL on port 636 from the Web Server.
I can Bind as the Administrator, and view my entire Directory Tree.
Below is the config I am using:
#==============================================================================
# Configuration
#==============================================================================

# LDAP
$ldap_url = "ldap://myserver.almaschools.net 636";
$ldap_binddn = "cn=Administrator,CN=Users,dc=almaschools,dc=net";
$ldap_bindpw = "mypassword";
$ldap_base = "OU=AlmaSchools,DC=Almaschools,DC=net";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
~~~~~the rest of the code
===============================================================================
changing
$ldap_url = "ldap://myserver.almaschools.net 636";
to
$ldap_url = "ldaps://myserver.almaschools.net ";
produces the following Apache error:
"LDAP - Bind error -1 (Can't contact LDAP server)"
$ldap_url = "ldaps://myserver.almaschools.net 636 ";
produces the following Apache error: "LDAP - User xxxxxx not found, referer:"
where xxxxx is the user that I attempt to login to the Self Service Password page as.
I downloaded and installed the two scripts referenced on the page:
I am able to modify these scripts, and get both a LDAP test page, and an LDAPS test page....
(I get an error...but it's a SizeLimit error...)
#################output of LDAPStest.php################################################
LDAP bind successful...
Dump all data
##############################much much more###########################################
=================LDAPStest.php==============================================
<?php
set_time_limit(30);
error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 1);

// config
$ldapserver = "ldaps://myserver.almaschools.net";
$ldapport = 636;
$ldapuser = "CN=Administrator,CN=Users,DC=Almaschools,DC=net";
$ldappass = "mypassword";
$ldaptree = "OU=AlmaSchools,DC=Almaschools,DC=net";
$domain = "@almaschools.net";

// connect
// Note: when the first argument is a URL, PHP ignores the $port argument; the port
// comes from the URL itself or from the scheme default (636 for ldaps://).
$ldapconn = ldap_connect($ldapserver, $ldapport) or die("Could not connect to LDAP server.");
if ($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die("Error trying to bind: " . ldap_error($ldapconn));
    //$ldapbind = ldap_bind($ldapconn, $ldapuser.$domain, $ldappass) or die("Error trying to bind: " . ldap_error($ldapconn));

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...<br /><br />";
        $result = ldap_search($ldapconn, $ldaptree, "(cn=*)") or die("Error in search query: " . ldap_error($ldapconn));
        //ldap_search($ldapconn,$ldaptree, "(cn=*)") or die ("Error in search query: ".ldap_error($ldapconn));
        // fetch every entry of the result set into a PHP array (attribute names come back lower-cased)
        $data = ldap_get_entries($ldapconn, $result);

        // SHOW ALL DATA
        echo '<h1>Dump all data</h1><pre>';
        print_r($data);
        echo '</pre>';

        // iterate over array and print data for each entry
        echo '<h1>Show me the users</h1>';
        for ($i = 0; $i < $data["count"]; $i++) {
            //echo "dn is: ". $data[$i]["dn"] ."<br />";
            echo "User: " . $data[$i]["cn"][0] . "<br />";
            if (isset($data[$i]["mail"][0])) {
                echo "Email: " . $data[$i]["mail"][0] . "<br /><br />";
            } else {
                echo "Email: None<br /><br />";
            }
        }

        // print number of entries found
        echo "Number of entries found: " . ldap_count_entries($ldapconn, $result);
    } else {
        echo "LDAP bind failed...";
    }
}

// all done? clean up
ldap_close($ldapconn);
?>
==============================================================
I seem to be able to connect to secure LDAP (port 636) on my AD server OK, so I am assuming that my server setup is OK.
I can connect to the AD server on port 636 from my web server using PHP, so I'm assuming that my PHP/LDAP setup is OK.
Any idea why my connection string in self service password doesn't seem to work ??
Does someone have a working AD (2008 R2) config that they would be willing to share??
TIA,
-Scott Owen
Alma Public Schools
_______________________________________________ ltb-users mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-users
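The script in the post above dumps every `(cn=*)` entry, which shows that the bind works but does not exercise the lookup Self Service Password actually performs. The following is an added diagnostic, not code from the original post and not part of the LTB Self Service Password project. It connects with an LDAP URL in the standard `scheme://host:port` form (the port follows a colon, as in RFC 4516), forces LDAPv3 and disables referral chasing, binds, and then runs the same `{login}`-substituted filter and base DN that the SSP config uses, so a "can't contact" failure (TLS or network) can be told apart from a "user not found" failure (base DN or filter). The host, DNs, password and login are placeholders. Note that the SSP filter's `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` clause excludes disabled accounts, so a disabled user also produces zero matches.

```php
<?php
// Added diagnostic for an LDAPS lookup against Active Directory.
// Not part of the original post or of LTB Self Service Password.
// Host, DNs, password and login below are placeholders; replace them.
// Needs the php_ldap extension; ldap_escape() requires PHP >= 5.6.

$config = array(
    // URL form: scheme, host and port in one string; port is separated by a colon
    'url'    => 'ldaps://dc.example.net:636',
    'binddn' => 'CN=Administrator,CN=Users,DC=example,DC=net',
    'bindpw' => 'REPLACE_ME',
    'base'   => 'OU=People,DC=example,DC=net',
    // same shape as the Self Service Password filter; {login} is replaced at search time
    'filter' => '(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
);

/**
 * Connect and bind over LDAPS. Exits with the libldap error text on failure so that
 * "Can't contact LDAP server" (TLS/network) is distinguishable from a rejected bind.
 */
function ldaps_bind(array $c)
{
    // With a URL as first argument, ldap_connect() takes the port from the URL.
    $conn = ldap_connect($c['url']);
    if ($conn === false) {
        exit("Malformed LDAP URL: {$c['url']}\n");
    }
    // Active Directory expects LDAPv3; chasing referrals to other naming
    // contexts is a frequent source of spurious search errors against AD.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($conn, $c['binddn'], $c['bindpw'])) {
        exit(sprintf("Bind failed: %d %s\n", ldap_errno($conn), ldap_error($conn)));
    }
    return $conn;
}

/**
 * Run the SSP-style lookup for one login under the configured base.
 * Returns the ldap_get_entries() array (attribute names are lower-cased by PHP).
 */
function lookup_user($conn, array $c, $login)
{
    // Escape the login before substituting it into the filter to avoid filter injection.
    $filter = str_replace('{login}', ldap_escape($login, '', LDAP_ESCAPE_FILTER), $c['filter']);
    $attrs  = array('sAMAccountName', 'cn', 'userAccountControl');
    $result = ldap_search($conn, $c['base'], $filter, $attrs);
    if ($result === false) {
        exit(sprintf("Search failed: %d %s\n", ldap_errno($conn), ldap_error($conn)));
    }
    return ldap_get_entries($conn, $result);
}

$login = isset($argv[1]) ? $argv[1] : 'jdoe';   // placeholder login
$conn  = ldaps_bind($config);
echo "Bind OK as {$config['binddn']}\n";

$entries = lookup_user($conn, $config, $login);
if ($entries['count'] === 0) {
    echo "No entry matched '$login' under {$config['base']}: "
       . "check the base DN, the login attribute in the filter, and whether the account is disabled\n";
} else {
    for ($i = 0; $i < $entries['count']; $i++) {
        $e = $entries[$i];
        printf("%s  (sAMAccountName=%s, userAccountControl=%s)\n",
            $e['dn'], $e['samaccountname'][0], $e['useraccountcontrol'][0]);
    }
}
ldap_unbind($conn);
```

Run it from the command line as `php ldaps_lookup.php someuser`. If the bind step fails with "Can't contact LDAP server" over `ldaps://` while the same host and port work in ldp.exe, the usual cause is that the OpenLDAP client library behind PHP does not trust the domain controller's certificate; that library reads its TLS settings (`TLS_CACERT`, `TLS_REQCERT`) from `ldap.conf`, which on Windows PHP builds is typically looked up at `C:\OpenLDAP\sysconf\ldap.conf`. If the bind succeeds but the lookup returns zero entries, the problem is in the base DN or the filter rather than in the connection.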
