Re: [Ltb-users] Active Directory LDAPS issue

[Scott Owen]

Got it !!!!   I have a suspicion that I may have had a couple issues.   I changed the $ldap_url line as per your suggestion...   $ldap_url = "ldaps://myserver.almaschools.net "; I was then getting this error: LDAP - User XXXXXX not found, referer:   After looking at the "change.php" code, I realized that this error was AFTER the LDAPS bind etc.... and seemed to be a search error... I went back to the config.inc.php file and verified that I had entered the appropriate base variable.   I had downloaded a better text editor (and quit using wordpad/notepad), to read the "change.php" code, and as soon as I opened and saved the config.inc.php file, everything started magically working.   I strongly suspect that I had a errant carriage return or space somewhere in the code, that just opening and closing the file with a REAL editor fixed the issue.   Thank you for your help, and thank you again for the wonderful scripts.   -Scott Owen Alma Public Schools               >>> Clément OUDOT<clem.ou...@gmail.com> 2/7/2013 3:33 AM >>> 2013/2/6 Scott Owen <so...@edzone.net> Greetings all, First, I would like to thank the dev's for making self service password a GPL project !! It is exactly what I was looking for. But I am having one problem. For a web server I am using windows7 with WAMP http://www.wampserver.com/en/ this appears to be setup correctly and working fine. The Self Service Password page displays correctly, with no errors. The issue appears to be in my LDAPs connection string. I installed ldp.exe ( http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm ) and I am able to connect to my AD server via SSL on port 636 from the Web Server. I can Bind as the Administrator, and view my entire Directory Tree. Below is the config I am using: #============================================================================== # Configuration #============================================================================== # LDAP $ldap_url = "ldap://myserver.almaschools.net 636"; $ldap_binddn = "cn=Administrator,CN=Users,dc=almaschools,dc=net"; $ldap_bindpw = "mypassword"; $ldap_base = "OU=AlmaSchools,DC=Almaschools,DC=net"; $ldap_login_attribute = "uid"; $ldap_fullname_attribute = "cn"; $ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"; # Active Directory mode # true: use unicodePwd as password field # false: LDAPv3 standard behavior $ad_mode = true; # Force account unlock when password is changed $ad_options['force_unlock'] = false; # Force user change password at next login $ad_options['force_pwd_change'] = false; ~~~~~the rest of the code =============================================================================== changing $ldap_url = "ldap://myserver.almaschools.net 636"; to $ldap_url = "ldaps://myserver.almaschools.net "; produces the following Apache error: "LDAP - Bind error -1 (Can't contact LDAP server)" changing $ldap_url = "ldap://myserver.almaschools.net 636"; to $ldap_url = "ldaps://myserver.almaschools.net 636 "; produces the following Apache error: "LDAP - User xxxxxx not found, referer:" where xxxxx is the user that I attempt to login to the Self Service Password page as. I downloaded and installed the two scripts referenced on the page: http://www.mjdigital.co.uk/blog/ldap-authentication-active-directory-using-php/#comments I am able to modify these scripts, and get both a LDAP test page, and an LDAPS test page.... (I get an error...but it's a SizeLimit error...) #################output of LDAPStest.php################################################ LDAP bind successful... ( ! ) Warning: ldap_search() [<a href=''>function.ldap-search</a>]: Partial search results returned: Sizelimit exceeded in C:\wamp\www\LDAPStest.php on line 27 Call Stack # Time Memory Function Location 1 0.0006 379768 {main}( ) ..\LDAPStest.php:0 2 0.0215 381176 ldap_search ( ) ..\LDAPStest.php:27 Dump all data Array ( [count] => 1000 [0] => Array ( [objectclass] => Array ( [count] => 2 [0] => top [1] => group ##############################much much more########################################### =================LDAPStest.php============================================== <?php set_time_limit(30); error_reporting(E_ALL); ini_set('error_reporting', E_ALL); ini_set('display_errors',1); // config $ldapserver = "ldaps://myserver.almaschools.net"; $ldapport = 636; $ldapuser = "CN=Administrator,CN=Users,DC=Almaschools,DC=net"; $ldappass = "mypassword"; $ldaptree = "OU=AlmaSchools,DC=Almaschools,DC=net"; $domain = "@almaschools.net"; // connect $ldapconn = ldap_connect($ldapserver,$ldapport) or die("Could not connect to LDAP server."); if($ldapconn) { // binding to ldap server $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn)); //$ldapbind = ldap_bind($ldapconn, $ldapuser.$domain, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn)); // verify binding if ($ldapbind) { echo "LDAP bind successful...<br /><br />"; $result = ldap_search($ldapconn,$ldaptree, "(cn=*)") or die ("Error in search query: ".ldap_error($ldapconn)); //ldap_search($ldapconn,$ldaptree, "(cn=*)") or die ("Error in search query: ".ldap_error($ldapconn)); $data = "" $result); // SHOW ALL DATA echo '<h1>Dump all data</h1><pre>'; echo '<pre>'; print_r($data); echo '</pre>'; // iterate over array and print data for each entry echo '<h1>Show me the users</h1>'; for ($i=0; $i<$data["count"]; $i++) { //echo "dn is: ". $data[$i]["dn"] ."<br />"; echo "User: ". $data[$i]["cn"][0] ."<br />"; if(isset($data[$i]["mail"][0])) { echo "Email: ". $data[$i]["mail"][0] ."<br /><br />"; } else { echo "Email: None<br /><br />"; } } // print number of entries found echo "Number of entries found: " . ldap_count_entries($ldapconn, $result); } else { echo "LDAP bind failed..."; } } // all done? clean up ldap_close($ldapconn); ?> ============================================================== I seem to be able to connect to secure LDAP (port 636) on my AD server OK, so I am assuming that my server setup is OK. I can connect to the AD server on port 636 from my web server using PHP, so I'm assuming that my PHP/LDAP setup is OK. Any idea why my connection string in self service password doesn't seem to work ?? Does someone have a working AD (2008r2) config that they would be will to share ?? Hi, first of all, setting ldap://host port is a wrong syntax. The correct syntax is ldap://host:port. port can be omitted if it is the standard port (389 for ldap://, 636 for ldaps://) So in your case, the correct configuration would be: $ldap_url = "ldaps://myserver.almaschools.net "; Now, I do not understand why the connection fails in SSP and not in your sample PHP script. What is the content of C:\OpenLDAP\sysconf\ldap.conf ? Clément.

_______________________________________________
ltb-users mailing list
ltb-users@lists.ltb-project.org
http://lists.ltb-project.org/listinfo/ltb-users