RE: [PHP] LDAP, Active Directory, and permissions
From: Chris Knipe

> I've found various sources and am successfully manipulating Active Directory from PHP on our Domain Controller - frankly, things work much better than I expected :)
>
> I have now reached the point where I need to set permissions on objects in Active Directory, i.e. to restrict read permissions to certain OUs and objects within the directory (mainly related to Exchange stuff). Is there anything in PHP which can be used to set permissions on AD objects? I haven't found any reference to doing this anywhere, so I thought I'd give it a chance here... If not, then I suppose I'll have to code some .NET application to act as a gateway between the PHP interface and Active Directory, but naturally I would like to do as much as possible from within PHP itself.

I don't know about your IT group, but around here and at any of our clients, they will never allow anyone outside their office to modify access rights or add users. It takes a written request by a manager or above to get them to make any changes, and each request must include the reasons for the change.

No, we cannot use the master LDAP server for testing. We have a couple of OpenLDAP servers isolated on our test networks for that. But even those have to be managed directly. No application is allowed to do more than retrieve data.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] LDAP, Active Directory, and permissions
-----Original Message-----
From: Bob McConnell [mailto:r...@cbord.com]
Sent: Wednesday, December 01, 2010 5:23 AM
To: Chris Knipe; php-general@lists.php.net
Subject: RE: [PHP] LDAP, Active Directory, and permissions

> I don't know about your IT group, but around here and at any of our clients, they will never allow anyone outside their office to modify access rights or add users. It takes a written request by a manager or above to get them to make any changes, and each request must include the reasons for the change.
>
> No, we cannot use the master LDAP server for testing. We have a couple of OpenLDAP servers isolated on our test networks for that. But even those have to be managed directly. No application is allowed to do more than retrieve data.
>
> Bob McConnell

It's the same with my past work environments. All changes (except password) must be requested beforehand and are recorded. It seems that Chris' environment is too wide open and easily hackable. Chris, just an FYI, the majority of the hacks are done from the inside of the network.

Regards,
Tommy
RE: [PHP] LDAP, Active Directory, and permissions
-----Original Message-----
From: ckn...@savage.za.org [mailto:ckn...@savage.za.org] On Behalf Of Chris Knipe
Sent: Tuesday, November 30, 2010 4:47 AM
To: php-general@lists.php.net
Subject: [PHP] LDAP, Active Directory, and permissions

> Hi,
>
> I've found various sources and am successfully manipulating Active Directory from PHP on our Domain Controller - frankly, things work much better than I expected :)
>
> I have now reached the point where I need to set permissions on objects in Active Directory, i.e. to restrict read permissions to certain OUs and objects within the directory (mainly related to Exchange stuff). Is there anything in PHP which can be used to set permissions on AD objects? I haven't found any reference to doing this anywhere, so I thought I'd give it a chance here... If not, then I suppose I'll have to code some .NET application to act as a gateway between the PHP interface and Active Directory, but naturally I would like to do as much as possible from within PHP itself.
>
> Many thanks,
>
> --
> Regards,
> Chris Knipe

Chris,

1) Shouldn't the OU security permissions be set within the AD itself?
2) If the above is done, then the user account that's being authenticated shouldn't be able to access privileged information.

Just curious, are you using phpldapadmin?

Regards,
Tommy
RE: [PHP] LDAP, Active Directory, and permissions
Hi,

> Chris,
>
> 1) Shouldn't the OU security permissions be set within the AD itself?
> 2) If the above is done, then the user account that's being authenticated shouldn't be able to access privileged information.

1) Not sure. The permissions I'm after are similar to NTFS permissions on the file system. Essentially, it is a way to restrict an application from reading certain OUs or objects completely, making them invisible. FYI... http://technet.microsoft.com/en-us/library/cc785913(WS.10).aspx

2) This is completely irrelevant to authentication. See point 1 above.

> Just curious, are you using phpldapadmin?

A modified version of adLDAP, http://adldap.sourceforge.net/

Regards,
Chris.
RE: [PHP] LDAP, Active Directory, and permissions
-----Original Message-----
From: Chris Knipe [mailto:ckn...@savage.za.org] On Behalf Of Chris Knipe
Sent: Tuesday, November 30, 2010 10:52 PM
To: php-general@lists.php.net
Subject: RE: [PHP] LDAP, Active Directory, and permissions

> Hi,
>
>> Chris,
>>
>> 1) Shouldn't the OU security permissions be set within the AD itself?
>> 2) If the above is done, then the user account that's being authenticated shouldn't be able to access privileged information.
>
> 1) Not sure. The permissions I'm after are similar to NTFS permissions on the file system. Essentially, it is a way to restrict an application from reading certain OUs or objects completely, making them invisible. FYI... http://technet.microsoft.com/en-us/library/cc785913(WS.10).aspx

I guess you didn't read far enough down to 'User Authentication': 'Active Directory ... to access objects...' (Note that every OU is the same as any network resource.) That's exactly what I mentioned. OU security settings are similar to NTFS: user/group with the lesser privilege applies.

> 2) This is completely irrelevant to authentication. See point 1 above.

It's completely relevant, if you set the permissions on the OUs. (How do you think you have access permission to the OUs? Are you a domain/enterprise admin? Create a test user account and an OU. Set the security permissions. Test with the user account on accessing that OU and compare it to a domain admin account.) The app that logs in under a certain account would be restricted to the set permissions.

If the users are using the PHP app, then the app should be passing the user's authentication along to AD for authentication, instead of using a network service type account to log in and then validating the user's authentication to see if the user is valid. Thus the security is maintained/restricted to each individual login. (Think of it as network share mapping. You can log in to a share and still change to a different user account afterwards.)

If you try to do a workaround in C# or a DLL of some type as you mentioned earlier, you'll have to do the same thing. So, I strongly suggest you look into adLDAP and modify it accordingly if the app isn't behaving as I mentioned. Also, look into these [1] [2].

>> Just curious, are you using phpldapadmin?
>
> A modified version of adLDAP, http://adldap.sourceforge.net/
>
> Regards,
> Chris.

Regards,
Tommy

[1] http://support.microsoft.com/kb/320528
[2] http://support.microsoft.com/kb/326690
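Chris asked whether PHP can touch AD object permissions at all. It can: the ACL Tommy describes is stored on every object as the nTSecurityDescriptor attribute, a binary self-relative SECURITY_DESCRIPTOR, and reading or replacing that attribute over LDAP is how dsacls and ADSI do it themselves. The example below is added here and is not code from the thread or from adLDAP. It requests the descriptor with the SD-flags control (so a delegated account that cannot read the SACL still gets the DACL) and decodes the DACL into readable ACEs. The DN in the comment, the domain SID and the bound connection are placeholders; the sample descriptor at the bottom is constructed inside the script so the decoder can be run without a domain controller. PHP 7.3 or later (for the $controls argument of ldap_read()) on a 64-bit build is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread or adLDAP: read an AD object's
// nTSecurityDescriptor and decode its DACL (layout per MS-DTYP 2.4.6).

// LDAP_SERVER_SD_FLAGS_OID: ask only for the descriptor parts we may read.
// 0x07 = OWNER|GROUP|DACL; omitting SACL (0x08) avoids needing SeSecurityPrivilege.
// Control value is BER: SEQUENCE { INTEGER flags }.
const SD_FLAGS_OID = '1.2.840.113556.1.4.801';
function sdFlagsControl(int $flags = 0x07): array
{
    return ['oid' => SD_FLAGS_OID, 'iscritical' => true, 'value' => "\x30\x03\x02\x01" . chr($flags)];
}

function readSecurityDescriptor($ldap, string $dn): string   // needs a bound connection
{
    $res = ldap_read($ldap, $dn, '(objectClass=*)', ['nTSecurityDescriptor'],
                     0, -1, -1, LDAP_DEREF_NEVER, [sdFlagsControl()]);
    $entry = $res ? ldap_first_entry($ldap, $res) : false;
    $values = $entry ? ldap_get_values_len($ldap, $entry, 'nTSecurityDescriptor') : false;
    if ($values === false || !isset($values[0])) {
        throw new RuntimeException("no descriptor for $dn: " . ldap_error($ldap));
    }
    return $values[0];
}

// Binary SID at $off -> ['S-1-5-21-...', length in bytes]
function sidAt(string $b, int $off): array
{
    $rev = ord($b[$off]);
    $n = ord($b[$off + 1]);
    $auth = 0;
    for ($i = 0; $i < 6; $i++) {                    // 48-bit big-endian IdentifierAuthority
        $auth = ($auth << 8) | ord($b[$off + 2 + $i]);
    }
    $sid = "S-$rev-$auth";
    for ($i = 0; $i < $n; $i++) {                   // little-endian sub-authorities
        $sid .= '-' . unpack('V', $b, $off + 8 + 4 * $i)[1];
    }
    return [$sid, 8 + 4 * $n];
}

function guidAt(string $b, int $off): string        // first three GUID fields are little-endian
{
    $g = unpack('Va/vb/vc', $b, $off);
    return sprintf('%08x-%04x-%04x-%s-%s', $g['a'], $g['b'], $g['c'],
                   bin2hex(substr($b, $off + 8, 2)), bin2hex(substr($b, $off + 10, 6)));
}

const ACE_TYPES = [0x00 => 'ALLOW', 0x01 => 'DENY', 0x05 => 'ALLOW_OBJECT', 0x06 => 'DENY_OBJECT'];
const RIGHTS = [    // ADS_RIGHT_* bits relevant to "who can see/read this object"
    0x1 => 'CREATE_CHILD', 0x2 => 'DELETE_CHILD', 0x4 => 'LIST_CHILDREN', 0x10 => 'READ_PROP',
    0x20 => 'WRITE_PROP', 0x80 => 'LIST_OBJECT', 0x100 => 'CONTROL_ACCESS', 0x10000 => 'DELETE',
    0x20000 => 'READ_CONTROL', 0x40000 => 'WRITE_DAC', 0x80000 => 'WRITE_OWNER',
    0x10000000 => 'GENERIC_ALL', 0x80000000 => 'GENERIC_READ',
];

function parseDacl(string $sd): array
{
    $h = unpack('Crev/Csbz/vcontrol/Vowner/Vgroup/Vsacl/Vdacl', $sd);
    $out = ['owner' => $h['owner'] ? sidAt($sd, $h['owner'])[0] : null, 'aces' => []];
    if (!($h['control'] & 0x0004) || $h['dacl'] === 0) {   // SE_DACL_PRESENT clear: NULL DACL = everyone full access
        $out['null_dacl'] = true;
        return $out;
    }
    $acl = unpack('Crev/Csbz1/vsize/vcount/vsbz2', $sd, $h['dacl']);
    $pos = $h['dacl'] + 8;
    for ($i = 0; $i < $acl['count']; $i++) {
        $hdr = unpack('Ctype/Cflags/vsize', $sd, $pos);
        $type = $hdr['type'];
        $ace = ['type' => ACE_TYPES[$type] ?? sprintf('unknown 0x%02x', $type), 'inherit_flags' => $hdr['flags']];
        if (isset(ACE_TYPES[$type])) {
            $ace['mask'] = unpack('V', $sd, $pos + 4)[1];
            $p = $pos + 8;
            if ($type >= 0x05) {                        // object ACE: optional GUIDs precede the SID
                $objFlags = unpack('V', $sd, $p)[1];
                $p += 4;
                if ($objFlags & 0x1) { $ace['object_type'] = guidAt($sd, $p); $p += 16; }
                if ($objFlags & 0x2) { $ace['inherited_object_type'] = guidAt($sd, $p); $p += 16; }
            }
            $ace['sid'] = sidAt($sd, $p)[0];
            $ace['rights'] = [];
            foreach (RIGHTS as $bit => $name) {
                if ($ace['mask'] & $bit) { $ace['rights'][] = $name; }
            }
        }
        $out['aces'][] = $ace;
        $pos += $hdr['size'];                           // AceSize skips any type we did not decode
    }
    return $out;
}

function sidBytes(string $sid): string                 // 'S-1-5-32-544' -> binary, for the sample only
{
    $parts = array_map('intval', explode('-', substr($sid, 2)));
    $rev = array_shift($parts);
    $auth = array_shift($parts);
    $out = chr($rev) . chr(count($parts)) . substr(pack('J', $auth), 2);
    foreach ($parts as $sub) { $out .= pack('V', $sub); }
    return $out;
}

// Constructed sample (made-up domain SID): owner Administrators, one inheritable
// full-control ACE for Domain Admins, no SACL. Stands in for a live read.
function sampleDescriptor(): string
{
    $sid = sidBytes('S-1-5-21-1111-2222-3333-512');
    $ace = pack('CCvV', 0x00, 0x02, 8 + strlen($sid), 0x000F01FF) . $sid;   // ALLOW, CONTAINER_INHERIT_ACE
    $acl = pack('CCvvv', 4, 0, 8 + strlen($ace), 1, 0) . $ace;              // ACL_REVISION_DS, one ACE
    $ownerOff = 20 + strlen($acl);
    return pack('CCvVVVV', 1, 0, 0x8004, $ownerOff, $ownerOff, 0, 20) . $acl . sidBytes('S-1-5-32-544');
}

$sd = sampleDescriptor();   // live: $sd = readSecurityDescriptor($ldap, 'OU=Exchange,DC=example,DC=com');
$dacl = parseDacl($sd);
echo "owner: {$dacl['owner']}\n";
foreach ($dacl['aces'] as $ace) {
    printf("%-12s %-30s %s\n", $ace['type'], $ace['sid'] ?? '-', implode('|', $ace['rights'] ?? []));
}
```

Writing a changed DACL back is the same attribute in the other direction: ldap_mod_replace($ldap, $dn, ['nTSecurityDescriptor' => $newSd], [sdFlagsControl(0x04)]) with DACL-only flags, which requires WRITE_DAC on the object and a descriptor in canonical ACE order (explicit denies before explicit allows, inherited ACEs last). For the goal Chris describes, note which right does what: removing READ_PROP hides attributes but the object still shows up in listings; hiding an object from an account means removing LIST_CHILDREN on its parent, or enabling List Object mode in dsHeuristics and withholding LIST_OBJECT on the object itself.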
Re: [PHP] ldap add Invalid DN syntax
Solved, as simply as I couldn't imagine... For some reason it was not accepting the iconv anywhere else but here:

[CODE]
$info['cn'] = iconv('Windows-1253', 'UTF-8', $data[$c]);
// echo '|onoma--';
// echo $info['cn'];
$c++;
$info['sn'] = iconv('Windows-1253', 'UTF-8', $data[$c]);
[/CODE]

So for all the Greeks out there, this is the way it is done.

On 3 May 2010 18:56, Manolis Vlachakis <vlachakis.mano...@gmail.com> wrote:

> The thing I just tried is with
>
> [CODE]
> // Open a memory file for read/write...
> $fp = fopen('php://temp', 'r+');
> // ... write the $input array to the file using fputcsv()...
> fputcsv($fp, $input, $delimiter, $enclosure);
> // ... rewind the file so we can read what we just wrote...
> rewind($fp);
> // ... read the entire line into a variable...
> $data = fread($fp, 1048576); // [changed]
> // ... close the file...
> fclose($fp);
> // ... and return the $data to the caller, with the trailing newline from fgets() removed.
> [/CODE]
>
> and it comes back to me that it is not an array. Does anyone think that this may cause the problem I face?
>
> On 3 May 2010 12:37, Manolis Vlachakis <vlachakis.mano...@gmail.com> wrote:
>
>> And my code begins like this...
>>
>> [CODE]
>> $uploaddir = $_SERVER['DOCUMENT_ROOT'] . '/webteam/voiko/public_html/uploads/';
>> $file = $uploaddir . basename($_FILES['uploadfile']['name']);
>> $data = file_get_contents($file); // use the basename()'d path; the raw upload name must never be used as a path
>> $data = split("[;\r]", $data);    // split() is gone in PHP 7+; preg_split('/[;\r]/', $data) is the equivalent
>> $num = count($data);
>> var_dump($data);
>> [/CODE]
>>
>> and goes on as I showed you in the last mails..
>>
>> On 30 April 2010 17:22, Manolis Vlachakis <vlachakis.mano...@gmail.com> wrote:
>>
>>> On the array and on the server side I can see the names are added normally and with the correct encoding (despite what I show you), and the only thing is that I get that DN not valid... I used the \r because I use it in my csv file at least once... but I am sure (I used a counter for the letters + I compared the name; they are the same), so it is pretty strange why it is not working...
>>>
>>> 1. Trust me, after facing problems with delimiters many times I can tell you the correct way is with [ ] and your delimiter in between.
>>> 2. print_r seems good, exactly what I have in the csv file..
>>> 3. var_dump works fine, counts everything and stuff, but even though I get the right attributes... I still have the same error (see below). It's made me crazy.
>>>
>>> onoma--���|epwnimo--��
>>> Warning: ldap_add() [function.ldap-add]: Add: Invalid DN syntax
>>>
>>> Thank you for your answer
>>>
>>> On 30 April 2010 16:53, Ashley Sheridan <a...@ashleysheridan.co.uk> wrote:
>>>
>>>> On Fri, 2010-04-30 at 14:34 +0300, Manolis Vlachakis wrote:
>>>>
>>>>> Hallo there everyone.
>>>>>
>>>>> Although I have built my code correctly according to the examples I found on the net, I get an "Invalid DN syntax" error when I try to insert some attributes with ldap_add. I get and read a csv file where I get the data correctly, as I can see on the echos that follow:
>>>>>
>>>>> [CODE]
>>>>> $data = split("[;\r]", $data);
>>>>>
>>>>> $info['cn'] = $data[$c];
>>>>> echo '|onoma--';
>>>>> echo $info['cn'];
>>>>> $c++;
>>>>> $info['sn'] = $data[$c];
>>>>> echo '|epwnimo--';
>>>>> echo $info['sn'];
>>>>>
>>>>> $info['objectclass'][0] = 'top';
>>>>> $info['objectclass'][1] = 'organizationalPerson';
>>>>>
>>>>> $r = ldap_add($ldapconn, "cn=" . $info['cn'] . ",cn=*,ou=@@@,ou=.,ou=,dc=.dc=", $info);
>>>>> [/CODE]
>>>>>
>>>>> Funny thing is that when I put them absolute, like $info['sn'] = 'bla bla';, it works fine... Any ideas?
>>>>
>>>> Are you using the correct split() delimiter? What happens if you just output that array with print_r() or var_dump()?
>>>>
>>>> I see the delimiter as: [; ]
>>>>
>>>> Because the \r is recognised as a carriage return because your string is in double quotes.
>>>>
>>>> Thanks,
>>>> Ash
>>>> http://www.ashleysheridan.co.uk

--
Manolis Vlachakis
Nelly's Family Hotel
Visit: www.nellys-hotel.gr www.nellys.gr
Skype : manolis.vlachakis
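What the poster ran into has two parts that the thread only touches in passing: LDAPv3 requires DNs and string attribute values to be UTF-8, so Windows-1253 bytes in the cn make the whole DN unparseable ("Invalid DN syntax"), and an RDN value built by string concatenation needs RFC 4514 escaping or a comma in a name silently becomes a second RDN. The example below is added here and is not the poster's code. It converts the CSV fields first, escapes the RDN with ldap_escape() (PHP 5.6+), checks the result with ldap_explode_dn() before anything is sent, and shows where the ldap_add() call then goes. The parent DN and the Greek sample names are placeholders; the sample input is generated in Windows-1253 inside the script to mimic the poster's CSV, so it runs without a directory server.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code: build a UTF-8, correctly escaped entry
// for ldap_add() from a CSV row that arrives in Windows-1253.

function toUtf8(string $value, string $fromCharset = 'Windows-1253'): string
{
    $out = iconv($fromCharset, 'UTF-8', $value);
    if ($out === false) {
        throw new InvalidArgumentException("value is not valid $fromCharset");
    }
    return $out;
}

// One RDN. ldap_escape() in DN mode hex-escapes ',', '+', '"', '\', '<', '>',
// ';', '=' and '#' (a comma becomes \2c), so the value cannot alter the tree
// position no matter what was in the CSV.
function rdn(string $attr, string $value): string
{
    return $attr . '=' . ldap_escape($value, '', LDAP_ESCAPE_DN);
}

function buildPersonEntry(string $cnRaw, string $snRaw, string $parentDn): array
{
    $cn = toUtf8($cnRaw);
    $sn = toUtf8($snRaw);
    $dn = rdn('cn', $cn) . ',' . $parentDn;

    // Client-side syntax check: ldap_explode_dn() returns false when the DN
    // does not parse, which is exactly what the server would reject.
    $parts = ldap_explode_dn($dn, 0);
    if ($parts === false) {
        throw new RuntimeException("DN does not parse: $dn");
    }
    return [
        'dn'    => $dn,
        'attrs' => [
            'cn'          => $cn,
            'sn'          => $sn,
            'objectClass' => ['top', 'person', 'organizationalPerson'],
        ],
    ];
}

// The add itself, once a bound connection exists; surfaces the server's reason on failure.
function addPerson($ldapconn, array $entry): void
{
    if (!ldap_add($ldapconn, $entry['dn'], $entry['attrs'])) {
        throw new RuntimeException('ldap_add failed: ' . ldap_error($ldapconn));
    }
}

// Constructed sample input: the CSV fields as Windows-1253 bytes, with a comma
// in the cn on purpose to show the escaping.
$csvCn = iconv('UTF-8', 'Windows-1253', 'Παπαδόπουλος, Γιώργος');
$csvSn = iconv('UTF-8', 'Windows-1253', 'Παπαδόπουλος');
$entry = buildPersonEntry($csvCn, $csvSn, 'ou=people,dc=example,dc=gr');   // parent DN is a placeholder

echo $entry['dn'], "\n";                            // cn=Παπαδόπουλος\2c Γιώργος,ou=people,dc=example,dc=gr
echo count($entry['attrs']['objectClass']), "\n";
// With a live server: $ldapconn = ldap_connect('ldaps://ldap.example.gr'); ldap_bind(...); addPerson($ldapconn, $entry);
```

Run it under the PHP CLI; the first line printed is the DN that would be sent, with the comma in the name escaped rather than splitting the entry into a bogus "cn=Παπαδόπουλος" under " Γιώργος".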
Re: [PHP] ldap add Invalid DN syntax
And my code begins like this...

[CODE]
$uploaddir = $_SERVER['DOCUMENT_ROOT'] . '/webteam/voiko/public_html/uploads/';
$file = $uploaddir . basename($_FILES['uploadfile']['name']);
$data = file_get_contents($file); // use the basename()'d path; the raw upload name must never be used as a path
$data = split("[;\r]", $data);    // split() is gone in PHP 7+; preg_split('/[;\r]/', $data) is the equivalent
$num = count($data);
var_dump($data);
[/CODE]

and goes on as I showed you in the last mails..
Re: [PHP] ldap add Invalid DN syntax
The thing I just tried is with

[CODE]
// Open a memory file for read/write...
$fp = fopen('php://temp', 'r+');
// ... write the $input array to the file using fputcsv()...
fputcsv($fp, $input, $delimiter, $enclosure);
// ... rewind the file so we can read what we just wrote...
rewind($fp);
// ... read the entire line into a variable...
$data = fread($fp, 1048576); // [changed]
// ... close the file...
fclose($fp);
// ... and return the $data to the caller, with the trailing newline from fgets() removed.
[/CODE]

and it comes back to me that it is not an array. Does anyone think that this may cause the problem I face?
Re: [PHP] LDAP in php
On Thu, Apr 3, 2008 at 4:10 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> Nathan Nobbe wrote:
>
>> and it's a little more complicated to map to sql than one might initially suspect
>> http://www.openldap.org/doc/admin24/intro.html#LDAP%20vs%20RDBMS
>
> Yes, that's why I decided to try a php LDAP read-only (for Thunderbird) implementation - I could not see how I can map the LDAP to our SQL (which implements object-relational mapping defined in XML text files and could not be done without the php logic).

Unfortunately, I don't think you'll be able to escape this. Suppose Thunderbird asks your php app a question in ldap; suppose it wants to authenticate a user (one of the most prominent uses of ldap). So it will be giving you something (roughly) like cn=someDude,dc=urDomain,dc=com (also, somewhere in there ldap would specify this is a bind request and hand you a password [but this is just a simple example for illustration]). Let's assume you have a simple user table in your database (again grossly simplified):

[CODE]
create table USER (
    id integer not null auto_increment,
    name varchar(50) not null,
    password varchar(25) not null,
    primary key(id)
)
[/CODE]

So you would turn around and do something like

[CODE]
function authUser($cn, $pass) {
    $qry = "SELECT password FROM USER WHERE name = '$cn'";
    $resultSet = doQuery ...
    if ($resultSet['password'] == $pass) {
        return true;
    } else {
        return false;
    }
}
[/CODE]

which means you will be mapping ldap queries to sql queries; erg, 'you can't escape a mapping of some sort if your data is in a relational database and you're trying to get it in the hands of ldap'.

Setting up an ldap server like openldap involves mapping your relational database schema to one of the openldap directory structure (which is descended [roughly I believe] from x509 back in the day). It's kind of a pain in the ass, especially if you're new to it (trust me on this one ;)) but you won't have to know anything about the ldap protocol. IMHO this would be far easier and it would have the advantage that you wouldn't be reinventing the wheel, so to speak. This is a common practice that many people have done and would be able to help you with, whereas building a 'read-only' ldap server in php is something I don't think many, if any, have ever done.. You're likely to have your hands full with that and be mostly on your own... but it would be cool if you got it working ;)

If I were you I would consider building a custom backend for openldap, perhaps a shell one, that turned around and called php.
http://www.openldap.org/doc/admin24/backends.html#Perl/Shell

Or perhaps just doing whatever it takes to get the sql backend working; I however found it quite vexing and to boot it's marked as experimental.. but still you wouldn't have to write your own server. openldap would essentially be speaking ldap for you and giving you something somewhat diluted to work with on the backend.

Good luck,

-nathan
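Nathan's bind walk-through, expressed as the bytes a PHP socket server (the php.net/sockets approach Richard suggests further down the thread) would actually receive on port 389. This is an added example, not code from the thread or from any LDAP library: it encodes the BindRequest a client such as Thunderbird sends, decodes it on the server side, and answers with a BindResponse, using nothing beyond PHP string handling. Two things the raw bytes make visible: a simple bind carries the password in the clear (tag 0x80, plain octets), so such a server can only be run behind TLS, and the server must compare against stored password hashes rather than the plaintext column in Nathan's sketch. The user table, DN and credentials are constructed inside the script.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Minimal BER for the LDAPv3 bind exchange
// (RFC 4511): definite-length encoding only, which is all LDAP uses.

function berLen(int $len): string
{
    if ($len < 0x80) {
        return chr($len);
    }
    $bytes = '';
    for ($n = $len; $n > 0; $n >>= 8) {
        $bytes = chr($n & 0xFF) . $bytes;
    }
    return chr(0x80 | strlen($bytes)) . $bytes;
}

function berInt(int $v): string           // content octets of a non-negative INTEGER/ENUMERATED
{
    $bytes = '';
    do { $bytes = chr($v & 0xFF) . $bytes; $v >>= 8; } while ($v > 0);
    return (ord($bytes[0]) & 0x80) ? "\x00" . $bytes : $bytes;
}

function tlv(int $tag, string $content): string
{
    return chr($tag) . berLen(strlen($content)) . $content;
}

// Read one element at $pos: returns [tag, content, position after it]. Every
// length is checked against the buffer, since this is what untrusted bytes hit first.
function readTlv(string $buf, int $pos): array
{
    if ($pos + 2 > strlen($buf)) {
        throw new RuntimeException('truncated element');
    }
    $tag = ord($buf[$pos++]);
    $len = ord($buf[$pos++]);
    if ($len & 0x80) {
        $n = $len & 0x7F;
        if ($n === 0 || $n > 4 || $pos + $n > strlen($buf)) {
            throw new RuntimeException('unsupported or truncated length');
        }
        $len = 0;
        while ($n-- > 0) {
            $len = ($len << 8) | ord($buf[$pos++]);
        }
    }
    if ($pos + $len > strlen($buf)) {
        throw new RuntimeException('truncated element');
    }
    return [$tag, substr($buf, $pos, $len), $pos + $len];
}

function intFromBer(string $content): int
{
    $v = 0;
    for ($i = 0; $i < strlen($content); $i++) {
        $v = ($v << 8) | ord($content[$i]);
    }
    return $v;
}

// Client side: LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }
function encodeSimpleBind(int $id, string $dn, string $password): string
{
    $op = tlv(0x02, berInt(3)) . tlv(0x04, $dn) . tlv(0x80, $password);
    return tlv(0x30, tlv(0x02, berInt($id)) . tlv(0x60, $op));
}

// Server side: pull messageID, DN and password back out of the packet.
function decodeSimpleBind(string $packet): array
{
    [$tag, $msg] = readTlv($packet, 0);
    if ($tag !== 0x30) { throw new RuntimeException('not an LDAPMessage'); }
    [$t, $id, $p] = readTlv($msg, 0);
    [$tag, $op] = readTlv($msg, $p);
    if ($t !== 0x02 || $tag !== 0x60) { throw new RuntimeException('not a BindRequest'); }
    [$t1, $ver, $p] = readTlv($op, 0);
    [$t2, $name, $p] = readTlv($op, $p);
    [$t3, $cred] = readTlv($op, $p);
    if ($t1 !== 0x02 || $t2 !== 0x04 || $t3 !== 0x80) {
        throw new RuntimeException('only simple authentication is handled here');
    }
    return ['messageID' => intFromBer($id), 'version' => intFromBer($ver), 'name' => $name, 'password' => $cred];
}

// BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN "", diagnosticMessage "" }
function encodeBindResponse(int $id, int $code): string
{
    return tlv(0x30, tlv(0x02, berInt($id)) . tlv(0x61, tlv(0x0A, berInt($code)) . tlv(0x04, '') . tlv(0x04, '')));
}

function decodeResultCode(string $packet): int
{
    [, $msg] = readTlv($packet, 0);
    [, , $p] = readTlv($msg, 0);          // skip messageID
    [, $op] = readTlv($msg, $p);
    [, $code] = readTlv($op, 0);
    return intFromBer($code);
}

// What authUser() becomes once it reads from the wire: 0 = success, 49 = invalidCredentials.
// An empty password is refused (RFC 4513 says it must be treated as anonymous, not as a login),
// and an unknown DN gets the same answer as a bad password.
function handleBind(string $packet, array $hashesByDn): string
{
    $req = decodeSimpleBind($packet);
    $hash = $hashesByDn[$req['name']] ?? null;
    $ok = $req['password'] !== '' && $hash !== null && password_verify($req['password'], $hash);
    return encodeBindResponse($req['messageID'], $ok ? 0 : 49);
}

// Constructed user table (replaces the plaintext USER.password column) and a sample exchange.
$users = ['cn=someDude,dc=urDomain,dc=com' => password_hash('correct horse', PASSWORD_DEFAULT)];
$wire = encodeSimpleBind(1, 'cn=someDude,dc=urDomain,dc=com', 'correct horse');
echo bin2hex($wire), "\n";                                  // the password is readable right after the 80 0d tag/length
echo decodeResultCode(handleBind($wire, $users)), "\n";     // 0
echo decodeResultCode(handleBind(encodeSimpleBind(2, 'cn=someDude,dc=urDomain,dc=com', 'wrong'), $users)), "\n"; // 49
```

A real server built on this would sit in a socket_accept() loop, read until a whole LDAPMessage has arrived (the outer length tells it how much), and dispatch on the APPLICATION tag (0x60 bind, 0x63 search, 0x42 unbind); the SQL lookup behind handleBind() should use a bound parameter for the DN rather than the interpolated string in the sketch above.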
Re: [PHP] LDAP in php
Richard Lynch wrote:

> You probably wouldn't run it through Apache, but you probably COULD run an LDAP server of sorts using http://php.net/sockets

Yes... this starts to sound like a solution... Sorry, I hope I do not sound lazy, I just need a bit of help to locate the starting point. I thought that there could be some way for php to listen on a port and accept the LDAP request.

> Main problem is one of performance. The reason most people choose LDAP in the first place is to get blazing fast performance, because they NEED it.

I am 100% aware of the fact that LDAP is a read-optimized database (though I am not sure where this optimization goes when the back end is PostgreSQL, for example - the LDAP commands seem simple and re-writing them into SQL can't be so much overhead; the explanation might be that PostgreSQL-powered LDAP is not as fast as... - whatever, I'm not an expert and this analysis is not my goal, not now.).

> PHP is probably not going to give you blazing fast performance compared to an off-the-shelf LDAP server in C.

100% aware of that. As we have this php/PostgreSQL application and intercepting LDAP requests seems easy (though I do not know how to do it yet :) - I'm tempted to write a small funny LDAP thing in php, which can power the Thunderbird address book (which, I think, can only read LDAP anyway, when e-mail is composed). And if all works fine and promising (and maybe slow) - I can evaluate the effort to plug a real LDAP into the whole system. So php is just for prototyping and the result is curious, anyway.

> You may be able to leverage from the code in http://php.net/ldap to move most of the heavy lifting into an extension, or perhaps you could expand that extension to do so, and then you just have a simple PHP wrapper to handle the sockets part.
>
> That would help some, and possibly even come close to C performance, since the socket open/close/traffic/bandwidth is probably the limiting factor there, rather than a single PHP byte-code interpreted function call...

I'm not sure I understand well. Do you mean that I could use some of the C code in http://php.net/ldap ... I am afraid this is beyond what I can do. But I'll play with the socket thing and see what php gets and how I can re-write it internally and return, and how fast it is, and I'll drop a line back.

> This is all just my expectations. Feel free to surprise me with actual test results. :-)

I'll try :) Thanks for the extensive ideas :) - it was encouraging indeed.

Iv
Re: [PHP] LDAP in php
On Thu, Apr 3, 2008 at 2:22 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> I am 100% aware of the fact that LDAP is a read-optimized database (though I am not sure where this optimization goes when the back end is PostgreSQL, for example - the LDAP commands seem simple and re-writing them into SQL can't be so much overhead; the explanation might be that PostgreSQL-powered LDAP is not as fast as... - whatever, I'm not an expert and this analysis is not my goal, not now.).

afaik, the performance degrades severely; and it's a little more complicated to map to sql than one might initially suspect
http://www.openldap.org/doc/admin24/intro.html#LDAP%20vs%20RDBMS

>> PHP is probably not going to give you blazing fast performance compared to an off-the-shelf LDAP server in C.
>
> 100% aware of that.

The other key facet of openldap (I assume this implementation is what we're discussing [sorry if it's an oversight]) is the use of berkdb internally, for which there is no php extension. If I'm not mistaken, the 'queries' are compiled directly into the source. I know your reqs for ldap usage are small, but I'm thinking it would be much more straightforward and less time consuming to just set up ldap, write some php scripts to map / sync data from ur relational db to it and point the client software to said ldap installation.

-nathan
Re: [PHP] LDAP in php
Nathan Nobbe wrote:

>> I am 100% aware of the fact that LDAP is a read-optimized database (though I am not sure where this optimization goes when the back end is PostgreSQL, for example - the LDAP commands seem simple and re-writing them into SQL can't be so much overhead; the explanation might be that PostgreSQL-powered LDAP is not as fast as... - whatever, I'm not an expert and this analysis is not my goal, not now.).
>
> afaik, the performance degrades severely;

Yes, this reconfirms the LDAP strength as read-optimized.

> and it's a little more complicated to map to sql than one might initially suspect
> http://www.openldap.org/doc/admin24/intro.html#LDAP%20vs%20RDBMS

Yes, that's why I decided to try a php LDAP read-only (for Thunderbird) implementation - I could not see how I can map the LDAP to our SQL (which implements object-relational mapping defined in XML text files and could not be done without the php logic).

> The other key facet of openldap (I assume this implementation is what we're discussing [sorry if it's an oversight])

No, we did not discuss any specific implementation. We are not against them (or any of them). Just for me to implement a simple php LDAP (read-only, for Thunderbird use) seemed easier for prototyping purposes than setting up LDAP and writing something that updates it on every change in the original db. But it could be that I am wrong.

> is the use of berkdb internally, for which there is no php extension. If I'm not mistaken, the 'queries' are compiled directly into the source.

I do not intend to use bdb - but our PostgreSQL, trying to write a php LDAP server (read-only) - which listens on the LDAP port, receives the requests, gets what it needs from the db and gives it back in an LDAP way.

> I know your reqs for ldap usage are small, but I'm thinking it would be much more straightforward and less time consuming to just set up ldap, write some php scripts to map / sync data from ur relational db to it and point the client software to said ldap installation.

Maybe in the end you are right... But it was nice brainstorming so far and I'll play a bit, and maybe submit the results, in case anything interesting happens. Thanks for your thoughts, though.

Iv
Re: [PHP] LDAP in php
On Sun, March 30, 2008 8:15 pm, [EMAIL PROTECTED] wrote:

> As LDAP can have an SQL back-end (I saw an example with PostgreSQL) - is it a very wild idea to implement (a simple) LDAP server in php? We have all the address data already in PostgreSQL and a php application managing all of it. I am thinking of simple uses, such as providing LDAP address books to Thunderbird/Squirrelmail users. For instance, is it too wild to think of Apache/php listening on the LDAP port (or so), getting the request, parsing it, getting the data from PostgreSQL and sending it back to the LDAP client?

You probably wouldn't run it through Apache, but you probably COULD run an LDAP server of sorts using http://php.net/sockets

Main problem is one of performance. The reason most people choose LDAP in the first place is to get blazing fast performance, because they NEED it.

PHP is probably not going to give you blazing fast performance compared to an off-the-shelf LDAP server in C.

You may be able to leverage from the code in http://php.net/ldap to move most of the heavy lifting into an extension, or perhaps you could expand that extension to do so, and then you just have a simple PHP wrapper to handle the sockets part.

That would help some, and possibly even come close to C performance, since the socket open/close/traffic/bandwidth is probably the limiting factor there, rather than a single PHP byte-code interpreted function call...

This is all just my expectations. Feel free to surprise me with actual test results. :-)

ymmv

--
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
Re: [PHP] LDAP in php
Chris wrote:

> If ldap can already use a database backend, just use the normal ldap_* functions to do all of the work, don't re-invent it all.
> http://www.php.net/ldap

I just wanted to avoid installing and maintaining an LDAP server and mapping all the data. Perhaps I am underestimating it, but just to read one URI-like request, find the data and send it back in some form does not look difficult to implement. We do not need full LDAP support, just to feed the Thunderbird and Squirrelmail address books. Both can't edit LDAP yet anyway.
Re: [PHP] LDAP in php
[EMAIL PROTECTED] wrote:

> As LDAP can have an SQL back-end (I saw an example with PostgreSQL) - is it a very wild idea to implement (a simple) LDAP server in php? We have all the address data already in PostgreSQL and a php application managing all of it. I am thinking of simple uses, such as providing LDAP address books to Thunderbird/Squirrelmail users. For instance, is it too wild to think of Apache/php listening on the LDAP port (or so), getting the request, parsing it, getting the data from PostgreSQL and sending it back to the LDAP client?

If ldap can already use a database backend, just use the normal ldap_* functions to do all of the work, don't re-invent it all.

http://www.php.net/ldap

--
Postgresql & php tutorials
http://www.designmagick.com/
Re: [PHP] LDAP
Hi,

Have you tried in the php.ini to setup error_reporting to E_ALL and display error messages (display_errors = On)? I had a similar problem 2 days ago and it was due to another mistake in my PHP code. But I did not get any error message or, more precisely, I did not get any WARNING message. Since I did this I repaired my PHP mistake. My code relative to LDAP was good and without any mistake.

Try this and let us know if you do not have such situation.

Alain

On 8/21/07, Dan Shirah [EMAIL PROTECTED] wrote:
> Nothing is being blocked since both servers are inside the DMZ.
>
> On 8/21/07, Daniel Brown [EMAIL PROTECTED] wrote:
> > On 8/21/07, Dan Shirah [EMAIL PROTECTED] wrote:
> > > Okay, hopefully someone can help me out here. I've gone over ldap at php.net and multiple other sites but can't get it to work. Every time I run the query my results are 0 entries returned. My AD tree is: CN=Users,DC=domain,DC=us. I have the AD Server set so that anonymous access to retrieve information is enabled. Below is my code. Any ideas?
> > >
> > > <?php
> > > $ldap_host = "AD Server";
> > > $ldap_port = 389;
> > > $base_dn = "DC=domain,DC=us";
> > > $filter = "(CN=users)";
> > > $connect = ldap_connect($ldap_host, $ldap_port);
> > > ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
> > > $bind = ldap_bind($connect);
> > > $read = ldap_search($connect, $base_dn, $filter);
> > > $info = ldap_get_entries($connect, $read);
> > > echo $info["count"] . " entries returned<BR><BR>";
> > > for ($row = 0; $row < $info["count"]; $row++) {
> > >     for ($column = 0; $column < $info[$row]["count"]; $column++) {
> > >         $data = $info[$row][$column];
> > >         echo $data . ":" . $info[$row][$data][0] . "<BR>";
> > >     }
> > >     echo "<BR>";
> > > }
> > > ldap_close($connect);
> > > ?>
> >
> > This may be kind of a dumb question but did you check your firewall settings?
> >
> > --
> > Daniel P. Brown

--
Alain
Windows XP SP2
PostgreSQL 8.2.3
Apache 2.2.4
PHP 5.2.3
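As an added example (not code from Dan, Alain or anyone else in this thread), the same kind of lookup written so that a failed bind or search reports its cause instead of silently printing "0 entries returned". The host, base DN and account name are placeholder assumptions; the search is by sAMAccountName rather than CN=users, since the Users container itself is rarely the object one wants:

```php
<?php
// Added example, not code from anyone in this thread. Host, base DN and the
// account name are placeholders; the search is by sAMAccountName.
declare(strict_types=1);

/**
 * Look up a user under $baseDn. Returns the matching entries, or null with a
 * diagnostic in $error. Every ldap_* return value is checked, which is what
 * the posted script skips when it prints "0 entries returned".
 */
function find_user(string $host, string $baseDn, string $account, ?string &$error = null): ?array
{
    $error = null;
    $conn = ldap_connect('ldap://' . $host);          // URI form, port 389
    if ($conn === false) {
        $error = 'could not initialise LDAP handle';
        return null;
    }
    // Active Directory refuses LDAPv2 binds, so version 3 is mandatory.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers subtree searches on the domain root with referrals; chasing
    // them anonymously fails, which surfaces as an empty or failed search.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Anonymous bind, as in the posted script, but the result is checked.
    if (!@ldap_bind($conn)) {
        $error = 'bind failed: ' . ldap_error($conn);
        ldap_close($conn);
        return null;
    }

    // Escape the caller-supplied value so it cannot change the filter
    // structure (ldap_escape() is available from PHP 5.6).
    $filter = '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . '))';

    $result = @ldap_search($conn, $baseDn, $filter, ['cn', 'mail', 'distinguishedName']);
    if ($result === false) {
        // Typical texts here: "Operations error" (referral/version problem),
        // "No such object" (wrong base DN), "Size limit exceeded".
        $error = 'search failed: ' . ldap_error($conn);
        ldap_close($conn);
        return null;
    }

    $entries = ldap_get_entries($conn, $result);
    ldap_close($conn);
    if ($entries === false || $entries['count'] === 0) {
        $error = 'no entry matched ' . $filter;
        return null;
    }
    unset($entries['count']);
    return $entries;
}

// Usage with placeholder values.
$users = find_user('dc01.example.test', 'DC=domain,DC=us', 'jdoe', $err);
if ($users === null) {
    error_log('LDAP lookup failed: ' . $err);     // log it; do not print it to the browser
    exit(1);
}
foreach ($users as $entry) {
    echo $entry['dn'], ' => ', ($entry['mail'][0] ?? '(no mail attribute)'), "\n";
}
```

Alain's display_errors advice is the right way to find this kind of bug on a development box; on a production web server keep display_errors off and log_errors on, because ldap_error() texts and warnings reveal the directory layout and server names to whoever loads the page.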
Re: [PHP] LDAP
On 8/21/07, Dan Shirah [EMAIL PROTECTED] wrote:
> Okay, hopefully someone can help me out here. I've gone over ldap at php.net and multiple other sites but can't get it to work. Every time I run the query my results are 0 entries returned. My AD tree is: CN=Users,DC=domain,DC=us. I have the AD Server set so that anonymous access to retrieve information is enabled. Below is my code. Any ideas?
>
> <?php
> $ldap_host = "AD Server";
> $ldap_port = 389;
> $base_dn = "DC=domain,DC=us";
> $filter = "(CN=users)";
> $connect = ldap_connect($ldap_host, $ldap_port);
> ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
> $bind = ldap_bind($connect);
> $read = ldap_search($connect, $base_dn, $filter);
> $info = ldap_get_entries($connect, $read);
> echo $info["count"] . " entries returned<BR><BR>";
> for ($row = 0; $row < $info["count"]; $row++) {
>     for ($column = 0; $column < $info[$row]["count"]; $column++) {
>         $data = $info[$row][$column];
>         echo $data . ":" . $info[$row][$data][0] . "<BR>";
>     }
>     echo "<BR>";
> }
> ldap_close($connect);
> ?>

This may be kind of a dumb question but did you check your firewall settings?

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

Hey, PHP-General list 50% off for life on web hosting plans $10/mo. or more at http://www.pilotpig.net/. Use the coupon code phpgeneralaug07
Register domains for about $0.01 more than what it costs me at http://domains.pilotpig.net/.
Re: [PHP] LDAP
Nothing is being blocked since both servers are inside the DMZ.

On 8/21/07, Daniel Brown [EMAIL PROTECTED] wrote:
> On 8/21/07, Dan Shirah [EMAIL PROTECTED] wrote:
> > Okay, hopefully someone can help me out here. I've gone over ldap at php.net and multiple other sites but can't get it to work. Every time I run the query my results are 0 entries returned. My AD tree is: CN=Users,DC=domain,DC=us. I have the AD Server set so that anonymous access to retrieve information is enabled. Below is my code. Any ideas?
> >
> > <?php
> > $ldap_host = "AD Server";
> > $ldap_port = 389;
> > $base_dn = "DC=domain,DC=us";
> > $filter = "(CN=users)";
> > $connect = ldap_connect($ldap_host, $ldap_port);
> > ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
> > $bind = ldap_bind($connect);
> > $read = ldap_search($connect, $base_dn, $filter);
> > $info = ldap_get_entries($connect, $read);
> > echo $info["count"] . " entries returned<BR><BR>";
> > for ($row = 0; $row < $info["count"]; $row++) {
> >     for ($column = 0; $column < $info[$row]["count"]; $column++) {
> >         $data = $info[$row][$column];
> >         echo $data . ":" . $info[$row][$data][0] . "<BR>";
> >     }
> >     echo "<BR>";
> > }
> > ldap_close($connect);
> > ?>
>
> This may be kind of a dumb question but did you check your firewall settings?
>
> --
> Daniel P. Brown
Re: [PHP] ldap change password
Hi Fabio,

On 03-07, Fabio Silva wrote:
> Hi all, I would like to know if anybody has a script in php that changes the password of the users in ldap??? That the user can do it by themselves

http://logout.sh/computers/ldap/ looks like a starting point. In that example, however, the connection from the web server to the ldap server is not encrypted (which might be an issue if the webserver is different from the ldap server and you are not using ssh tunnelling for the connection), googling ldap_connect and 663 (the port of LDAP with TLS) gives you other recipes. (For the TLS exchange you would also have to generate an X.509 cert, see eg http://www.guug.de/veranstaltungen/ffg2003/papers/ffg2003-blasum-en.pdf for essentially the same where python was used in place of php.)

Regards,
--
Holger Blasum +49-174-7313590 (cell) GnuPG 1024D/ACDFC3B769DC1ED66B47
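An added example of the encrypted variant Holger is pointing at (this is not the logout.sh script and not code from any poster): a self-service change that binds as the user over TLS and then asks the server to change the password. It upgrades the port-389 connection with StartTLS; the alternative is an ldaps:// URI on port 636. The host and the user's DN are placeholders, and the server is assumed to be an OpenLDAP-style directory that implements the Password Modify extended operation (RFC 3062):

```php
<?php
// Added example, not the logout.sh script and not code from any poster: a
// self-service password change over StartTLS. Host and the user's DN are
// placeholders; the server is assumed to be an OpenLDAP-style directory that
// implements the Password Modify extended operation (RFC 3062).
declare(strict_types=1);

function change_own_password(string $host, string $userDn, string $current, string $new, ?string &$error = null): bool
{
    $error = null;
    if ($current === '') {
        $error = 'current password required';    // an empty password would be an unauthenticated bind
        return false;
    }
    if (strlen($new) < 12 || $new === $current) {
        $error = 'new password must be at least 12 characters and differ from the current one';
        return false;
    }

    $conn = ldap_connect('ldap://' . $host);
    if ($conn === false) {
        $error = 'could not initialise LDAP handle';
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Upgrade the port-389 connection before any credential is sent. This
    // needs a CA the client trusts (TLS_CACERT in ldap.conf); if the upgrade
    // fails the function stops rather than falling back to cleartext.
    if (!@ldap_start_tls($conn)) {
        $error = 'StartTLS failed: ' . ldap_error($conn);
        ldap_close($conn);
        return false;
    }

    // Bind as the user with the current password. The directory's ACLs then
    // decide whether this identity may change userPassword, not this script.
    if (!@ldap_bind($conn, $userDn, $current)) {
        $error = 'authentication failed';
        error_log('password change: bind failed for ' . $userDn . ': ' . ldap_error($conn));
        ldap_close($conn);
        return false;
    }

    // Password Modify exop (PHP 7.2+): the server applies its configured hash
    // scheme. A plain ldap_mod_replace() of userPassword stores the bytes as
    // sent unless the server is configured to hash cleartext modifications.
    $ok = @ldap_exop_passwd($conn, $userDn, $current, $new);
    if ($ok === false) {
        $error = 'password change rejected: ' . ldap_error($conn);
    }
    ldap_close($conn);
    return $ok !== false;
}

// Usage with placeholder values (the passwords would come from a POSTed form over https).
// $done = change_own_password('ldap.example.test', 'uid=jdoe,ou=people,dc=example,dc=test',
//                             $_POST['current'] ?? '', $_POST['new'] ?? '', $err);
```

Binding as the user rather than as a privileged service account is deliberate: the web application then holds no credential that can change anyone else's password, and the directory enforces who may change what.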
Re: [PHP] LDAP constants GSLC_SSL_...
# [EMAIL PROTECTED] / 2007-02-04 13:26:39 +0100:
> Hello, actually I am working with the ldap functions of php5. Reading the docs I found the constants
>
> GSLC_SSL_NO_AUTH
> GSLC_SSL_ONEWAY_AUTH
> GSLC_SSL_TWOWAY_AUTH
>
> They are simply documented, but I can't find any docs about them. Neither at php.net nor via google. So - what are they for and how to use them?

I had *no problems* finding information on these constants using google.

--
How many Vietnam vets does it take to screw in a light bulb?
You don't know, man. You don't KNOW.
Cause you weren't THERE. http://bash.org/?255991
Re: [PHP] LDAP constants GSLC_SSL_...
Hello Roman,

On Monday 05 February 2007 17:12, Roman Neuhauser wrote:
> > actually I am working with the ldap functions of php5. Reading the docs I found the constants GSLC_SSL_NO_AUTH GSLC_SSL_ONEWAY_AUTH GSLC_SSL_TWOWAY_AUTH. They are simply documented, but I can't find any docs about them. Neither at php.net nor via google. So - what are they for and how to use them?
>
> I had *no problems* finding information on these constants using google.

The info you find either links to the PHP page (in different languages) defining this constant (w/o explanation) or to the PHP source code section defining them. I have scanned about the first 50 results google retrieves when looking for GSLC_SSL_NO_AUTH. Anyway I found the docs myself when I limit the findings to Oracle. My suggestion for the docs is to say for these items that they are limited to the Oracle directory server (and documented there). Anyway, a usage sample would be nice to have for those who need these constants.

For me this question is solved for my scope (I use openldap).

regards
Petric
Re: [PHP] LDAP constants GSLC_SSL_...
# [EMAIL PROTECTED] / 2007-02-05 23:03:41 +0100:
> On Monday 05 February 2007 17:12, Roman Neuhauser wrote:
> > > actually I am working with the ldap functions of php5. Reading the docs I found the constants GSLC_SSL_NO_AUTH GSLC_SSL_ONEWAY_AUTH GSLC_SSL_TWOWAY_AUTH. They are simply documented, but I can't find any docs about them. Neither at php.net nor via google. So - what are they for and how to use them?
> >
> > I had *no problems* finding information on these constants using google.
>
> The info you find either links to the PHP page (in different languages) defining this constant (w/o explanation) or to the PHP source code section defining them. I have scanned about the first 50 results google retrieves when looking for GSLC_SSL_NO_AUTH. Anyway I found the docs myself when I limit the findings to Oracle.

They're quite visible when you exclude php.

> My suggestion for the docs is to say for these items that they are limited to the Oracle directory server (and documented there).

Yes, that'd be nice. Feel free to submit a PR.
RE: [PHP] LDAP Active Directory Authentication
[snip]
I am going to need to build LDAP and AD modules for a project that I'm working on. Could any of you who have dealt with PHP/LDAP/AD point me in the direction of some decent resources/papers/books?
[/snip]

http://www.php.net/ldap
Re: [PHP] LDAP password question
Hi Ray,

the question is for which reason you need to know something about the pwd? to log on? if yes, it's not needed.

I personally did like that:
1. with login + pwd given by user, I try to bind.
2. if bind works, it means that user login+pwd are equal to AD login+pwd.
3. if error during bind, so error in pwd or login.

that's all.

Alain

On 11/30/06, Ray Hauge [EMAIL PROTECTED] wrote:
> I'm working on integrating an application with an AD server, and I was wondering if the password is encrypted at all, or if I need to go through the troubles of setting up ldaps:// I checked the documentation, but I couldn't find any information about plain-text vs. encrypted.
>
> Thanks!
>
> --
> Ray Hauge
> Application Development Lead
> American Student Loan Services
> www.americanstudentloan.com

--
Alain
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5
RE: [PHP] LDAP password question
Hello,

I was actually wondering if the PHP implementation of an LDAP client encodes the password before being sent, or if it sends the password in plain-text. The most information I've got on this subject, so far, is from http://adldap.sourceforge.net/faq.php

> Q. Why am I getting poor performance with Windows 2003 Server?
> A. Microsoft figured out that plain text passwords aren't a good thing and tightened the security on Windows 2003 Server. The passwords floating around with 2000 server were all encrypted but there are some new timeout problems during negotiation (I think). Anyways, I've set another LDAP option in version 1.2 to force encrypted passwords, and it has resolved this issue.

After looking through their source code, this information seems to be for modifying passwords or creating a user. I would assume that passwords are plain text without SSL when using ldap_bind().

Thanks,
--
Ray Hauge
Application Development Lead
American Student Loan Services
www.americanstudentloan.com

From: Alain Roger [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 30, 2006 6:15 AM
To: Ray Hauge; PHP General List
Subject: Re: [PHP] LDAP password question

> Hi Ray,
>
> the question is for which reason you need to know something about the pwd? to log on? if yes, it's not needed.
>
> I personally did like that:
> 1. with login + pwd given by user, I try to bind.
> 2. if bind works, it means that user login+pwd are equal to AD login+pwd.
> 3. if error during bind, so error in pwd or login.
>
> that's all.
>
> Alain
>
> On 11/30/06, Ray Hauge [EMAIL PROTECTED] wrote:
> > I'm working on integrating an application with an AD server, and I was wondering if the password is encrypted at all, or if I need to go through the troubles of setting up ldaps:// I checked the documentation, but I couldn't find any information about plain-text vs. encrypted.
> >
> > Thanks!
> >
> > --
> > Ray Hauge
> > Application Development Lead
> > American Student Loan Services
> > www.americanstudentloan.com
>
> --
> Alain
> Windows XP SP2
> PostgreSQL 8.1.4
> Apache 2.0.58
> PHP 5
Re: [PHP] LDAP: Write to boolean attribute
Carsten Gehling wrote:
> Sorry for that - I couldn't see the previous post.
>
> I've tried true/false, but I think PHP might be converting this to string values (eg. "" and "1") before sending to AD

any reason to think this? have you tried passing the strings 'false', 'true' or 'FALSE', 'TRUE'?

> - Carsten
Re: [PHP] LDAP: Write to boolean attribute
Carsten Gehling wrote:
> Hi,
>
> I am using PHP's LDAP to read and write information from user-objects in Active Directory (Windows Server 2003). The AD has been extended with 2 attributes (call them xx and yy) with the field type BOOLEAN.
>
> How do I write to these fields? If I use ldap_mod_replace, and set the values for these fields to eg. 0 or 1, I get a "Syntax error" from LDAP.

You posted this before, no need to send it again.

Maybe try true/false instead of 0/1?
Re: [PHP] LDAP: Write to boolean attribute
Sorry for that - I couldn't see the previous post.

I've tried true/false, but I think PHP might be converting this to string values (eg. "" and "1") before sending to AD

- Carsten
Re: [PHP] LDAP function to add objectClass
Roger Thomas wrote:
> I have an already working LDAP server. One of my user's ldif looks like:
>
> ...
> ...
> sn: Roger Thomas
> givenName: Roger Thomas
> objectClass: top
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: qmailUser
> objectClass: hordePerson
> o: example.com
> ou: people
> ...
> ...
>
> I have around 9000 user records. And I would like to add a new objectClass (radiusprofile) to each user record like:
>
> ...
> ...
> objectClass: qmailUser
> objectClass: hordePerson
> objectClass: radiusprofile
> ...
> ...
>
> Question: which LDAP function do I need to use to achieve this?

http://php.net/ldap_mod_add

But this function needs the DN as parameter, so I guess you will have to find a way to iterate through all the entries and pass the DN of each entry to the function.

--
Sameer N. Ingole
http://weblogic.noroot.org/
---
Better to light one candle than to curse the darkness.
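The iteration Sameer describes, as an added example (not code from Roger or Sameer): a paged search for the entries that still lack the class, then one ldap_mod_add() per DN. The host, the administrative DN and the ou=people subtree are assumptions; the objectClass name comes from Roger's question. Paging and the controls argument need PHP 7.3 or later:

```php
<?php
// Added example, not code from any poster: add an objectClass to every user
// entry that does not have it yet. Host, admin DN and subtree are placeholders;
// run it against a test copy of the directory first.
declare(strict_types=1);

function add_object_class(string $host, string $adminDn, string $adminPw, string $baseDn, string $class): array
{
    $stats = ['examined' => 0, 'modified' => 0, 'failed' => []];

    $conn = ldap_connect('ldap://' . $host);
    if ($conn === false) {
        throw new RuntimeException('could not initialise LDAP handle');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Admin credentials only over TLS; stop if the upgrade or the bind fails.
    if (!@ldap_start_tls($conn) || !@ldap_bind($conn, $adminDn, $adminPw)) {
        throw new RuntimeException('StartTLS/bind failed: ' . ldap_error($conn));
    }

    // Only entries that lack the class: the job can be re-run after a partial
    // failure, and no entry receives the value twice (the server rejects that).
    $filter = '(&(objectClass=inetOrgPerson)(!(objectClass='
        . ldap_escape($class, '', LDAP_ESCAPE_FILTER) . ')))';

    $cookie = '';
    do {
        // 9000 entries exceed the default size limit of most servers, so page
        // the search (RFC 2696 control) 500 entries at a time. "1.1" asks for
        // no attributes; only the DN is needed.
        $result = ldap_search($conn, $baseDn, $filter, ['1.1'], 0, 0, 0, LDAP_DEREF_NEVER,
            [['oid' => LDAP_CONTROL_PAGEDRESULTS, 'value' => ['size' => 500, 'cookie' => $cookie]]]);
        if ($result === false) {
            throw new RuntimeException('search failed: ' . ldap_error($conn));
        }
        ldap_parse_result($conn, $result, $errcode, $matchedDn, $errmsg, $referrals, $controls);
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';

        for ($entry = ldap_first_entry($conn, $result); $entry !== false; $entry = ldap_next_entry($conn, $entry)) {
            $dn = ldap_get_dn($conn, $entry);
            $stats['examined']++;
            // ldap_mod_add appends a value to a multi-valued attribute; the
            // existing objectClass values are kept.
            if (@ldap_mod_add($conn, $dn, ['objectClass' => $class])) {
                $stats['modified']++;
            } else {
                // Typically "Object class violation" when the new class has a
                // MUST attribute the entry does not carry yet; record and go on.
                $stats['failed'][$dn] = ldap_error($conn);
            }
        }
    } while ($cookie !== '');

    ldap_close($conn);
    return $stats;
}

// Usage with placeholder values; review $stats['failed'] afterwards.
// $stats = add_object_class('ldap.example.test', 'cn=admin,dc=example,dc=test',
//                           getenv('LDAP_ADMIN_PW') ?: '', 'ou=people,dc=example,dc=test', 'radiusprofile');
```

If the schema for the new class lists mandatory attributes, every entry fails with an object class violation; in that case add the required attribute and the objectClass in the same modification, which the server evaluates atomically.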
RE: [PHP] LDAP Query
For anyone interested: after some further troubleshooting, I found the error. The password I was passing was incorrect. What I found interesting is that even though the password was incorrect, the bind function still worked. I'm thinking that it logged me in as anonymous at that stage.

> Our organization is migrating away from Novell E-directory to MS Active Directory. I have a php class that allows me to run various queries on our e-directory ldap server which I am working to convert to AD. However, I'm running into an error that I cannot figure out. I have updated the base_dn to point to the correct location (verified by a third party ldap browser). Also added a username and password since our AD environment doesn't allow anonymous queries. The error I get is
>
> Warning: ldap_search() [function.ldap-search]: Search: Operations error in /var/www/html/intranet/_php/class.ldap_test.php on line 149
>
> On that line I have this line of code
>
> $result = ldap_search($this->conn, $this->base_dn, $filter);
>
> Where $this->conn evaluates to Resource id #3, $this->base_dn is the correct dn (ou=something,dc=domain,dc=domain_part_2) and $filter is cn=myusername
>
> Can anyone shed some light on this? Below is the entire method from the class.
>
> function connectldap($filter, $override = false)
> {
>     //connect to the server
>     $this->conn = ldap_connect($this->server);
>     //if the connection failed, set the error message
>     //and return false
>     if (!$this->conn) {
>         $this->errMsg[] = "Unable to connect to server\n";
>         return false;
>     }
>     //ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3);
>     //bind the connection. This function will perform an
>     //anonymous query to get the full
>     $bind = @ldap_bind($this->conn, $this->ldap_user, $ldap_passwd);
>     if (!$bind) {
>         $this->errMsg[] = "Unable to bind to server\n";
>         return false;
>     }
>     echo "<p>$filter - " . $this->conn . " - " . $bind . " - " . $this->base_dn . "</p>\n";
>     //run the ldap query
>     $result = ldap_search($this->conn, $this->base_dn, $filter);
>     //if the search failed, then return false and set the error message
>     if (!$result) {
>         $this->errMsg[] = "Search failed - " . ldap_error($this->conn) . "\n";
>         return false;
>     }
>     //get the entries and store them in a variable
>     $info = ldap_get_entries($this->conn, $result);
>     //if the number of entries returned is zero, then the user
>     //could not be found in the ldap server
>     if ($info["count"] == 0) {
>         $this->errMsg[] = "User Unknown\n";
>         return false;
>     }
>     //otherwise, if the number of entries found is greater than 1, then
>     //more than one object was found.
>     elseif ($info["count"] > 1 && !$override) {
>         $this->errMsg[] = "There was more than one user found\n";
>         return false;
>     } else {
>         return $info;
>     }
> }
>
> Thank you,
> Robbert van Andel
Re: [PHP] LDAP Authentication
you're approaching this wrong - google for "LDAP Authentication php", and see how they do it

On 5/13/06, Thomas Bonham [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm trying to do a ldap authentication page. I can get their username and I don't know how to get the password from ldap. It didn't show up in the search for the command line. So how do I get the password of the users?
>
> Thomas
Re: [PHP] LDAP Authentication
Thomas Bonham wrote:
> Hello,
>
> I'm trying to do a ldap authentication page. I can get their username and I don't know how to get the password from ldap. It didn't show up in the search for the command line. So how do I get the password of the users?

Hope you are doing this using PHP and your LDAP server allows anonymous look-ups if you are trying to look at the password field. Try to look up using the same DN on the command prompt and see what you get and if you can see the attribute holding the password. If you can then identify the attribute, try accessing it using PHP. Rest is easy.

This is just an idea how you can go about it. Give some more specific info as to what you have done so far and where you are facing the problem.

Regards,
--
Sameer N. Ingole
Blog: http://weblogic.noroot.org/
---
Better to light one candle than to curse the darkness.
Re: [PHP] LDAP Authentication
Sameer N Ingole wrote:
> Thomas Bonham wrote:
> > Hello,
> >
> > I'm trying to do a ldap authentication page. I can get their username and I don't know how to get the password from ldap. It didn't show up in the search for the command line. So how do I get the password of the users?
>
> Hope you are doing this using PHP and your LDAP server allows anonymous look-ups if you are trying to look at the password field. Try to look up using the same DN on the command prompt and see what you get and if you can see the attribute holding the password. If you can then identify the attribute, try accessing it using PHP. Rest is easy.

Sorry for replying to my own post.

Were you trying to do an anonymous look-up when you did not see the password? If you were, then your LDAP configuration may not be permitting anonymous read access to the password (whatever attribute is holding the password). Probably you have to bind to the LDAP server as some user who has read permission to the password attribute on that DN (or subtree) and then try accessing it using PHP.

--
Sameer N. Ingole
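The bind-based check Alain describes in the "LDAP password question" thread above, as an added example that is not code from any poster: the web application never reads a password attribute at all, it hands the user's credentials to the directory and lets the bind succeed or fail. The empty-password guard is the point of the "LDAP Query" thread above: a simple bind with a name and an empty password is an unauthenticated bind, which Active Directory accepts by default, so a login form without the guard accepts any username with a blank password. Assumptions: an Active Directory server reachable by host name, simple bind with a UPN ("user@realm", the realm is a placeholder) and StartTLS support on port 389; for OpenLDAP you would build the user's DN instead:

```php
<?php
// Added example, not code from any poster: the bind-based check Alain describes.
// Assumes Active Directory reachable by host name, simple bind with a UPN
// ("user@realm"); the realm is a placeholder. For OpenLDAP you would build the
// user's DN instead.
declare(strict_types=1);

function ad_authenticate(string $host, string $realm, string $username, string $password, ?string &$error = null): ?string
{
    $error = null;
    // A simple bind with a name and an EMPTY password is an unauthenticated
    // bind (RFC 4513 section 5.1.2). Active Directory accepts it by default,
    // so the bind "works" with no credential at all. Refuse before touching
    // the server.
    if ($password === '') {
        $error = 'password required';
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        $error = 'invalid username';
        return null;
    }

    $conn = ldap_connect('ldap://' . $host);
    if ($conn === false) {
        $error = 'could not initialise LDAP handle';
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Simple bind carries the password in cleartext, so upgrade to TLS first
    // (or connect with ldaps:// on 636). Stop if the upgrade fails.
    if (!@ldap_start_tls($conn)) {
        $error = 'StartTLS failed: ' . ldap_error($conn);
        ldap_close($conn);
        return null;
    }

    $upn = $username . '@' . $realm;
    if (!@ldap_bind($conn, $upn, $password)) {
        // One generic message for the user; the detail goes to the server log.
        $error = 'invalid credentials';
        error_log('bind failed for ' . $upn . ': ' . ldap_error($conn));
        ldap_close($conn);
        return null;
    }
    ldap_close($conn);
    return $upn;   // the identity the directory actually accepted
}

// Usage (values from a login form over https; placeholders here).
// $who = ad_authenticate('dc01.example.test', 'example.test',
//                        $_POST['user'] ?? '', $_POST['pass'] ?? '', $err);
```

This also answers Ray's question in the "LDAP password question" thread: ldap_bind() with a simple bind sends the password as given, so the TLS step is what protects it on the wire, and the check on an empty password is what keeps an unauthenticated bind from passing for a login.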
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
[snip]
I've got a bit lost on this, but assuming that we are talking about an intranet environment, with windows/IE6 clients, and apache servers, then personally:

I would check logins based on a valid session. If the user doesn't have a session they aren't logged in. Store the username in the session variable. PHP session variables are AFAIK designed to be hard to detect and fake.

Any code that is run under a http:// website (as opposed to an ssl or https:// one), reads the session (ie does not write to it).

Any authentication should be done using a script accessed over https, protected by mod_auth_kerb. The http:// script would be accessed by the person when they first access the protected site. The protected site would detect that the user is not logged in, and redirect them to the authentication site (which is behind mod_auth_kerb, and https), which would create the session, and redirect the user back to the page where they originally tried to access.
[/snip]

The question here is how does a Windows login create a valid session? We cannot really have the login script create a PHP session, can we?
Re: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting Rory Browne [EMAIL PROTECTED]:
> I've got a bit lost on this, but assuming that we are talking about an intranet environment, with windows/IE6 clients, and apache servers, then personally:
>
> I would check logins based on a valid session. If the user doesn't have a session they aren't logged in. Store the username in the session variable. PHP session variables are AFAIK designed to be hard to detect and fake.
>
> Any code that is run under a http:// website (as opposed to an ssl or https:// one), reads the session (ie does not write to it).
>
> Any authentication should be done using a script accessed over https, protected by mod_auth_kerb. The http:// script would be accessed by the person when they first access the protected site. The protected site would detect that the user is not logged in, and redirect them to the authentication site (which is behind mod_auth_kerb, and https), which would create the session, and redirect the user back to the page where they originally tried to access.

I think you're talking about the user logging on once through a web page and carrying that authentication throughout. We're (or *I* am, at least) talking about the user logging on to the network (LDAP or, in my case, Active Directory) and using those credentials for the web applications.

Rick
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting [EMAIL PROTECTED]:
> [snip]
> As far as I can tell you will have to ask the user to login at the web application level again, but you can verify it against your AD via LDAP with the basic stuff from http://www.php.net/ldap
> [/snip]
>
> We are sitting here having a discussion on login techniques and I came up with a thought...why not have a login script write a cookie that then could be read by PHP and compared against the AD via LDAP? Does anyone see any gotcha's with that kind of process?

Couldn't I write my own cookie to fool the authentication into thinking I'm somebody else?

--
Rick Emery

"When once you have tasted flight, you will forever walk the Earth with your eyes turned skyward, for there you have been, and there you will always long to return"
-- Leonardo Da Vinci
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
[snip]
We are sitting here having a discussion on login techniques and I came up with a thought...why not have a login script write a cookie that then could be read by PHP and compared against the AD via LDAP? Does anyone see any gotcha's with that kind of process?

Couldn't I write my own cookie to fool the authentication into thinking I'm somebody else?
[/snip]

I suppose that you could do that if you were savvy enough to realize that automatic login to the intranet used a cookie for authentication and you knew how to format the cookie and properly hash a checksum stored in the cookie. The user information stored in the cookie would be verified against the AD via LDAP.
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting [EMAIL PROTECTED]:
> [snip]
> Couldn't I write my own cookie to fool the authentication into thinking I'm somebody else?
> [/snip]
>
> I suppose that you could do that if you were savvy enough to realize that automatic login to the intranet used a cookie for authentication and you knew how to format the cookie and properly hash a checksum stored in the cookie. The user information stored in the cookie would be verified against the AD via LDAP.

First, let me apologize for having to take it to a basic level. I'll admit that I'm fairly new to web development, but this is something I could *really* use at work and I want to make sure I understand (just to set the stage, we use Windows/Active Directory/MS SQL Server at work, but have decided that future applications will be written in PHP run on Linux/Apache).

So I have a login script that sets a cookie when the user logs in. Then I have an application written in PHP that reads the cookie for authentication purposes. What would I store in the cookie? Would the username be sufficient (since the cookie was set, we can assume that it was already authenticated through AD, right), or is there something more I can add to the cookie to make the process more secure? Which leads back to my original question; what would keep me from setting a cookie with, say, my manager's username, fooling the PHP application into thinking I'm her?

I can't help but feel like I'm missing something.

Thanks,
Rick
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
[snip]
First, let me apologize for having to take it to a basic level. I'll admit that I'm fairly new to web development, but this is something I could *really* use at work and I want to make sure I understand (just to set the stage, we use Windows/Active Directory/MS SQL Server at work, but have decided that future applications will be written in PHP run on Linux/Apache).

So I have a login script that sets a cookie when the user logs in. Then I have an application written in PHP that reads the cookie for authentication purposes. What would I store in the cookie? Would the username be sufficient (since the cookie was set, we can assume that it was already authenticated through AD, right), or is there something more I can add to the cookie to make the process more secure? Which leads back to my original question; what would keep me from setting a cookie with, say, my manager's username, fooling the PHP application into thinking I'm her?
[/snip]

You could just store a username, since they have already authenticated, but a cookie with just a username would be easy to duplicate. My current thought is to hash a checksum of some sort and store that in the cookie as well. That way you avoid the username-only problem. I do not want to store the user's password in any format in the cookie. I am thinking that the login script will cause a cookie to be written (via PHP) with a base64 encoded (http://www.php.net/manual/en/function.base64-encode.php) string or some other hash method. Then that string could be decoded when the user accesses the intranet site and compared against whatever criteria you deem necessary. I have not tested this though. It is on my task list for next week though. :)

So, you could set a cookie with your manager's name, but it wouldn't work. You would also have to know how to encode a string properly for storage in the cookie.

Read http://www.php.net/manual/en/function.setcookie.php for more information on cookies.
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting [EMAIL PROTECTED]:
> You could just store a username, since they have already authenticated, but a cookie with just a username would be easy to duplicate. My current thought is to hash a checksum of some sort and store that in the cookie as well. That way you avoid the username-only problem. I do not want to store the user's password in any format in the cookie. I am thinking that the login script will cause a cookie to be written (via PHP) with a base64 encoded (http://www.php.net/manual/en/function.base64-encode.php) string or some other hash method. Then that string could be decoded when the user accesses the intranet site and compared against whatever criteria you deem necessary.

Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be safe as long as nobody ever figures out what I'm encoding and how I'm encoding it. What would be great would be if the value that gets encoded could somehow be dynamic (like the current time, or even a randomly generated string). But then how would the PHP script know what the decoded value is supposed to be? Hmmm...something to think about.

> I have not tested this though. It is on my task list for next week though. :)

Let us know how it goes!

Thanks,
Rick
Re: [PHP] LDAP and Single Sign On MORE THOUGHTS
Rick Emery wrote:
> Quoting [EMAIL PROTECTED]:
> > You could just store a username, since they have already authenticated, but a cookie with just a username would be easy to duplicate. My current thought is to hash a checksum of some sort and store that in the cookie as well. That way you avoid the username-only problem. I do not want to store the user's password in any format in the cookie. I am thinking that the login script will cause a cookie to be written (via PHP) with a base64 encoded (http://www.php.net/manual/en/function.base64-encode.php) string or some other hash method. Then that string could be decoded when the user accesses the intranet site and compared against whatever criteria you deem necessary.
>
> Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be

I wouldn't do it like that, instead stick the username in the cookie in plaintext and as a oneway encoded hash (the hash creation could make use of a fixed, secret prefix string [amongst other things] to make it secure) - then to check the cookie you take the plain text name, perform the same hash creation routine on it and compare the results of that with the encoded hash that was sent in the cookie - if they match the cookie could be considered valid and untampered.

the basic gist being don't use two way encryption, use a oneway hash like sha1().

> safe as long as nobody ever figures out what I'm encoding and how I'm encoding it. What would be great would be if the value that gets encoded could somehow be dynamic (like the current time, or even a randomly generated string). But then how would the PHP script know what the decoded value is supposed to be? Hmmm...something to think about.

well you can stick it in the session ... but like I said decoding is an unnecessary step it seems to me (given that you can achieve the validation using a oneway encryption method)

> > I have not tested this though. It is on my task list for next week though. :)
>
> Let us know how it goes!
>
> Thanks,
> Rick
Re: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting Jochem Maas [EMAIL PROTECTED]:

> Rick Emery wrote:
>> Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be
>
> I wouldn't do it like that. Instead stick the username in the cookie in plaintext and as a one-way encoded hash (the hash creation could make use of a fixed, secret prefix string [amongst other things] to make it secure). Then to check the cookie you take the plain text name, perform the same hash creation routine on it and compare the result with the encoded hash that was sent in the cookie. If they match the cookie could be considered valid and untampered. The basic gist being: don't use two-way encryption, use a one-way hash like sha1().
>
>> Okay. I don't know enough about encoding/encryption to discuss the merits either way, but I'll go along with your suggestion. So to carry through on my thought, the secret prefix would have to be constant. I'd like to find a way to make it variable (and random, even; I'm working under the assumption that at least one of our users would be smart enough to write a cookie to masquerade as another user). I have an idea, but I have little experience with Active Directory or LDAP, and I think I'm venturing into the space of off-topic. I wonder if it would be possible (probably after modifying the schema) to write a value into the user's account in Active Directory/LDAP. The login script could generate a random string to prefix the username, hash it, write the random value into the user's LDAP record, and write the cookie. The PHP app on the other side could get the value from the user's LDAP record and then do the comparison. That way, each user would have a different secret prefix, and it would be different each time that user logged in. Thoughts?
>
> well you can stick it in the session ... but like I said decoding is an unnecessary step it seems to me (given that you can achieve the validation using a one-way encryption method)

Wouldn't the session expire on completion of the login script? If I opened a browser to run an application on our Intranet, wouldn't that create a different session? Again, I may be missing something. Thanks for the discussion; I'm really enjoying it.

Rick
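The "plaintext username plus one-way hash with a secret prefix" cookie that Jochem describes, as an added example that is not code from this thread. It uses a keyed HMAC in place of an ad-hoc prefix + sha1() and binds an expiry time into the tag so a copied cookie stops working; the cookie name, lifetime and the path of the secret file are assumptions.

```php
<?php
// Added example (not from the thread): a login cookie of the form
// "username|expires|tag" where tag = HMAC-SHA256(secret, "username|expires").
// The login script issues it after a successful ldap_bind(); any other intranet
// page verifies it without talking to the directory again.

const COOKIE_NAME = 'intranet_auth';      // assumed
const COOKIE_TTL  = 8 * 3600;             // assumed: a login lasts one work day

// Assumed: a random secret (32+ bytes) kept outside the web root and shared by
// the login script and the applications. Fail closed if it is missing.
$SECRET = @file_get_contents('/etc/intranet/cookie.key');
if ($SECRET === false || strlen($SECRET) < 32) {
    throw new RuntimeException('cookie secret missing or too short');
}

function make_auth_cookie(string $username, string $secret, ?int $now = null): string
{
    // '|' is the field separator; refuse names that could smuggle extra fields.
    if (strpos($username, '|') !== false) {
        throw new InvalidArgumentException('username may not contain "|"');
    }
    $expires = ($now ?? time()) + COOKIE_TTL;
    $payload = $username . '|' . $expires;
    $tag     = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $tag;
}

// Returns the username when the cookie is genuine and unexpired, else null.
function verify_auth_cookie(string $cookie, string $secret, ?int $now = null): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                                   // malformed
    }
    [$username, $expires, $tag] = $parts;
    if (!ctype_digit($expires) || (int) $expires < ($now ?? time())) {
        return null;                                   // expired
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, $secret);
    // Constant-time comparison so the tag cannot be guessed byte by byte.
    return hash_equals($expected, $tag) ? $username : null;
}

// --- login script, after the user authenticated against AD via ldap_bind() ---
// setcookie(COOKIE_NAME, make_auth_cookie($username, $SECRET), [
//     'expires' => time() + COOKIE_TTL, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
// ]);

// --- any intranet page ---
$user = isset($_COOKIE[COOKIE_NAME])
    ? verify_auth_cookie($_COOKIE[COOKIE_NAME], $SECRET)
    : null;
if ($user === null) {
    header('Location: /login.php');                    // assumed login URL
    exit;
}
```

Rotating the secret invalidates every outstanding cookie at once, which is the per-site equivalent of the per-login random prefix Rick asks for without writing anything into the directory.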
Re: [PHP] LDAP and Single Sign On MORE THOUGHTS
I've got a bit lost on this, but assuming that we are talking about an intranet environment, with windows/IE6 clients, and apache servers, then personally:

I would check logins based on a valid session. If the user doesn't have a session they aren't logged in. Store the username in the session variable. PHP session variables are AFAIK designed to be hard to detect and fake.

Any code that is run under a http:// website (as opposed to an ssl or https:// one) reads the session (i.e. does not write to it). Any authentication should be done using a script accessed over https, protected by mod_auth_kerb.

The http:// script would be accessed by the person when they first access the protected site. The protected site would detect that the user is not logged in, and redirect them to the authentication site (which is behind mod_auth_kerb, and https), which would create the session, and redirect the user back to the page where they originally tried to access.
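The two halves of that design in PHP, as an added example rather than code from the post. auth.php sits behind mod_auth_kerb, which puts the verified Kerberos principal in $_SERVER['REMOTE_USER']; the realm name and auth URL are assumptions, and unlike the post it assumes the whole intranet is on https so the session cookie can be flagged secure (a session id sent over plain http is readable on the wire).

```php
<?php
// Added example (not from the post). auth.php is served over https from a
// <Location> that mod_auth_kerb protects, so by the time PHP runs Apache has
// already validated the browser's Kerberos ticket and exposed the principal,
// e.g. "jcook@EXAMPLE.COM", in $_SERVER['REMOTE_USER'].

const KRB_REALM = 'EXAMPLE.COM';                             // assumed AD realm
const AUTH_URL  = 'https://intranet.example.com/auth.php';   // assumed

// ---------- auth.php (behind mod_auth_kerb) ----------

// Extract the bare username from REMOTE_USER, accepting only our own realm.
function kerberos_username(array $server, string $realm): ?string
{
    $principal = $server['REMOTE_USER'] ?? '';
    $pattern   = '/^([A-Za-z0-9._-]{1,64})@' . preg_quote($realm, '/') . '$/';
    return preg_match($pattern, $principal, $m) ? $m[1] : null;
}

// Only ever redirect to a local path: a full URL in ?return= would turn the
// login handler into an open redirect.
function safe_return_path(?string $candidate): string
{
    if ($candidate === null || $candidate === '' || $candidate[0] !== '/'
        || substr($candidate, 0, 2) === '//') {
        return '/';
    }
    return $candidate;
}

function auth_endpoint(): void
{
    $user = kerberos_username($_SERVER, KRB_REALM);
    if ($user === null) {
        // Either mod_auth_kerb did not run (misconfiguration) or the ticket is
        // from a foreign realm; fail closed rather than trust what arrived.
        http_response_code(403);
        exit('Kerberos authentication required');
    }
    session_set_cookie_params(['path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);          // fresh id defeats session fixation
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    header('Location: ' . safe_return_path($_GET['return'] ?? null));
    exit;
}

// ---------- any protected page (reads the session, never writes it) ----------

function require_login(): string
{
    session_set_cookie_params(['path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    if (empty($_SESSION['user'])) {
        $back = urlencode($_SERVER['REQUEST_URI'] ?? '/');
        header('Location: ' . AUTH_URL . '?return=' . $back);
        exit;
    }
    return $_SESSION['user'];
}

// In auth.php:           auth_endpoint();
// In a protected page:   $user = require_login();
```

Because the session is created only after Apache has checked the ticket, the PHP side never sees a password and cannot be fooled by a client-supplied REMOTE_USER header.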
Re: [PHP] LDAP and Single Sign On
Kerberos - there is an apache module for it.

On 3/7/06, Justin Cook [EMAIL PROTECTED] wrote:
> We are developing an intranet for my company. I would like to implement a single sign on service. We have Active Directory on one server and the intranet is being housed on a Redhat Linux server. When the internal user pulls up the intranet, I would like it to check to see if they successfully joined the domain when they logged into their personal machine, if so they do not need to log on to the intranet. Does anybody have any links to tutorials on this? Thanks!
RE: [PHP] LDAP - The Adventure Continues SOLVED
[snip]
Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 94 bytes) in /srv/www/htdocs/test/ldapTest.php on line 47

    47 - $info = ldap_get_entries($ds, $sr);
    $sr=ldap_search($ds, "dc=foo,dc=local", "cn=*");

$ds is the connection to the LDAP server. Does anyone know what this means?
[/snip]

The php.ini still had an 8mb memory limit set. I increased the amount and all is well.
Re: [PHP] LDAP - The Adventure Continues
[EMAIL PROTECTED] wrote:
> Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to

(8388608 / 1024) / 1024 = 8.

> allocate 94 bytes) in /srv/www/htdocs/test/ldapTest.php on line 47
>
>     47 - $info = ldap_get_entries($ds, $sr);
>     $sr=ldap_search($ds, "dc=foo,dc=local", "cn=*");
>
> $ds is the connection to the LDAP server. Does anyone know what this means?

at a guess the number of entries you are getting back doesn't fit into the 8 megs of memory your php script has. now I know next to nothing about ldap but I recall someone on the list asking about how to go about getting paged/limited results from a ldap query. IIRC ldap supports paged/limited results but it was not clear (or maybe not even possible) to request paged/limited results via php... anyway a quick workaround would be to up or drop the memory limit for the script in question.
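The paged-results alternative to raising memory_limit, as an added example that is not the poster's code: PHP 7.3 and later expose the LDAP paged-results control through the $controls parameter of ldap_search(), so a large tree can be walked a page at a time, and asking for only the attributes you need shrinks each entry further. Host, base DN and the service account are placeholders.

```php
<?php
// Added example (not from the thread): fetch a large result set page by page
// with the LDAP paged-results control and walk each page entry by entry,
// instead of pulling every entry into one array with ldap_get_entries().
// Requires PHP 7.3+ for the $controls argument of ldap_search().

function ldap_search_paged(
    $ds, string $base, string $filter, array $attrs, callable $onEntry, int $pageSize = 500
): int {
    $cookie = '';
    $seen   = 0;
    do {
        $sr = ldap_search(
            $ds, $base, $filter, $attrs, 0, -1, -1, LDAP_DEREF_NEVER,
            [['oid' => LDAP_CONTROL_PAGEDRESULTS,
              'value' => ['size' => $pageSize, 'cookie' => $cookie]]]
        );
        if ($sr === false) {
            throw new RuntimeException('ldap_search failed: ' . ldap_error($ds));
        }
        // One entry at a time: only the current entry's attributes are in memory.
        for ($e = ldap_first_entry($ds, $sr); $e !== false; $e = ldap_next_entry($ds, $e)) {
            $onEntry(ldap_get_dn($ds, $e), ldap_get_attributes($ds, $e));
            $seen++;
        }
        // The server hands back the cookie for the next page in the response
        // control; an empty cookie means this was the last page.
        ldap_parse_result($ds, $sr, $errcode, $matched, $errmsg, $referrals, $controls);
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
        ldap_free_result($sr);
    } while ($cookie !== '');
    return $seen;
}

$ds = ldap_connect('ldap://dc.example.local') or die('cannot connect');   // placeholder host
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals that would otherwise be chased
// Placeholder service account; a bind is needed because AD refuses anonymous searches.
ldap_bind($ds, 'svc-ldap@example.local', 'PLACEHOLDER_PASSWORD') or die(ldap_error($ds));

$count = ldap_search_paged(
    $ds, 'dc=example,dc=local', '(objectClass=user)', ['cn', 'mail'],
    function (string $dn, array $attrs): void {
        echo $dn, ' ', $attrs['mail'][0] ?? '-', "\n";
    }
);
echo "$count entries\n";
ldap_unbind($ds);
```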
RE: [PHP] LDAP and Single Sign On
Maybe this will help: http://us2.php.net/manual/en/ref.ldap.php

Shaunak Kashyap, Senior Web Developer, WPT Enterprises, Inc. (www.worldpokertour.com)

-----Original Message-----
From: Justin Cook [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 9:55 AM
To: php-general@lists.php.net
Subject: [PHP] LDAP and Single Sign On

We are developing an intranet for my company. I would like to implement a single sign on service. [...] When the internal user pulls up the intranet, I would like it to check to see if they successfully joined the domain when they logged into their personal machine, if so they do not need to log on to the intranet. Does anybody have any links to tutorials on this? Thanks!
RE: [PHP] LDAP and Single Sign On
I've been there. I can connect and search my active directory, that's no problem. I'm more curious on how to check to see if they have already authenticated to the domain.

From: Shaunak Kashyap [mailto:[EMAIL PROTECTED]
To: Justin Cook [mailto:[EMAIL PROTECTED], php-general@lists.php.net
Sent: Tue, 07 Mar 2006 12:06:42 -0600
Subject: RE: [PHP] LDAP and Single Sign On

> Maybe this will help: http://us2.php.net/manual/en/ref.ldap.php
RE: [PHP] LDAP and Single Sign On
[snip]
We are developing an intranet for my company. I would like to implement a single sign on service. We have Active Directory on one server and the intranet is being housed on a Redhat Linux server. When the internal user pulls up the intranet, I would like it to check to see if they successfully joined the domain when they logged into their personal machine, if so they do not need to log on to the intranet. Does anybody have any links to tutorials on this? Thanks!
[/snip]

Just to be clear, you want to take the network logon (from the Windows environment) and compare it against the AD via LDAP when someone accesses the intranet to make sure that they are authorized? I don't think that it is possible; it is a question that I have asked before. I have seen this sort of behavior before, when all of the boxes were Windows boxes (IIS web servers, etc). As far as I can tell you will have to ask the user to login at the web application level again, but you can verify it against your AD via LDAP with the basic stuff from http://www.php.net/ldap
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
[snip]
As far as I can tell you will have to ask the user to login at the web application level again, but you can verify it against your AD via LDAP with the basic stuff from http://www.php.net/ldap
[/snip]

We are sitting here having a discussion on login techniques and I came up with a thought... why not have a login script write a cookie that could then be read by PHP and compared against the AD via LDAP? Does anyone see any gotchas with that kind of process?
RE: [PHP] LDAP confusion
[snip]
    $un = "user";
    $upw = "pass";
    [...]
    if(!$r=ldap_bind($ds, $un, $upd)){
        echo "unable to verify<br />";
    }else{
        echo "verified<br />";
    }

The result is always verified.

From the comments on www.php.net/ldap_bind:

"I have found that if either of the values for user or password are blank, or as in my case a typo resulted in a blank user as it was an undefined variable, the ldap_bind() will just perform an anonymous bind and return true!"

You have:

    $upw = "pass";

but using $upd in ldap_bind ...

    if(!$r=ldap_bind($ds, $un, $upd)){

unless it's a typo in your example that could explain it. ?
[/snip]

It was a typo. Anyhow, I guess if the connection to the server is anonymous in the event of a bad username / pw combo I will still need to search the AD for a match for authentication. I am still having a problem getting a search to work.
RE: [PHP] LDAP confusion
[snip]
I vaguely recall you couldn't do an anonymous bind to an active directory system - you had to properly authenticate before you could do a search. You didn't include the bind stuff so I can't tell if that's the problem :)
[/snip]

I thought that I was not doing an anonymous bind, until I changed the username to something that I know did not exist. The bind occurred (or appeared to) anyhow.

    if(!$ds=ldap_connect("foo")){
        echo "did not connect";
    }else {
        echo "connection successful";
    }
    $un = "user";
    $upw = "pass";
    echo "connect result is " . $ds . "<br />";
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if ($ds) {
        echo "Binding ...";
        if(!$r=ldap_bind($ds, $un, $upd)){
            echo "unable to verify<br />";
        }else{
            echo "verified<br />";
        }
    }

The result is always verified. This should be a really simple operation.

1. user enters name and password
2. if bind is successful redirect them properly
3. else give them a message about incorrect login.

I really do not need to search the AD or any of that (I may want to install phpldapadmin at some point though). I feel as if I am missing something very simple, I have always been able to connect to everything with PHP. Can anyone help me with this please?
Re: [PHP] LDAP confusion
On 3/4/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> [snip]
> I vaguely recall you couldn't do an anonymous bind to an active directory system - you had to properly authenticate before you could do a search. You didn't include the bind stuff so I can't tell if that's the problem :)
> [/snip]
>
> I thought that I was not doing an anonymous bind, until I changed the username to something that I know did not exist. The bind occurred (or appeared to) anyhow.
>
>     if(!$ds=ldap_connect("foo")){
>         echo "did not connect";
>     }else {
>         echo "connection successful";
>     }
>     $un = "user";
>     $upw = "pass";
>     echo "connect result is " . $ds . "<br />";
>     ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>     ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
>     if ($ds) {
>         echo "Binding ...";
>         if(!$r=ldap_bind($ds, $un, $upd)){
>             echo "unable to verify<br />";
>         }else{
>             echo "verified<br />";
>         }
>     }
>
> The result is always verified.

From the comments on www.php.net/ldap_bind:

"I have found that if either of the values for user or password are blank, or as in my case a typo resulted in a blank user as it was an undefined variable, the ldap_bind() will just perform an anonymous bind and return true!"

You have:

    $upw = "pass";

but using $upd in ldap_bind ...

    if(!$r=ldap_bind($ds, $un, $upd)){

unless it's a typo in your example that could explain it. ?
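The login the thread is trying to write, with the trap just described closed, as an added example that is not the poster's code: ldap_bind() with an empty (or undefined) password performs an anonymous bind and returns true, so empty credentials are refused before binding, and the user-supplied name is escaped before it is placed in a DN. Server URI and base DN are placeholders.

```php
<?php
// Added example (not from the thread): a bind-based login that cannot be
// passed by an empty password and cannot be steered to another DN.

const LDAP_URI  = 'ldap://dc.example.local';      // placeholder
const USER_BASE = 'ou=Users,dc=example,dc=local'; // placeholder

// True only when the server accepted a simple, non-anonymous bind for this
// user. $reason gets a short diagnostic for the server log; it is never shown
// to the browser, so every failure looks the same to the client.
function ldap_authenticate(string $username, string $password, ?string &$reason = null): bool
{
    $reason = null;
    // Trap 1: empty credentials would silently become an anonymous bind that
    // "succeeds". Also catches a mistyped variable name, as in the thread.
    if (trim($username) === '' || $password === '') {
        $reason = 'empty credentials';
        return false;
    }
    // Accept only plain account names; the escape below makes the DN
    // syntactically safe, but a whitelist keeps the log readable as well.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        $reason = 'malformed username';
        return false;
    }
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        $reason = 'ldap_connect failed';
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Trap 2: escape the value for DN context so a name such as
    // "x,ou=Admins" cannot change where in the tree we bind. (Against Active
    // Directory the UPN form "user@example.local" is also accepted as the
    // bind name and avoids knowing the user's container.)
    $dn = 'cn=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . USER_BASE;
    $ok = @ldap_bind($ds, $dn, $password);   // suppress the warning on bad credentials
    if (!$ok) {
        $reason = 'bind failed: ' . ldap_error($ds);
    }
    ldap_unbind($ds);
    return $ok;
}

// Usage from the login form handler:
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (ldap_authenticate($user, $pass, $why)) {
    header('Location: /intranet/');             // assumed landing page
    exit;
}
error_log("login failed for '$user': $why");     // detail goes to the log only
echo 'Incorrect login';                          // one message for every failure
```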
RE: [PHP] LDAP confusion
[snip]
I am trying to work through connecting to and using LDAP with PHP. Thus far I am able to connect and bind, but I cannot search.

    $sr=ldap_search($ds, "CN=configuration,DC=onecall,DC=local", "cn=*");

Gives me

    Warning: ldap_search(): Search: Operations error in /srv/www/htdocs/test/ldapTest.php on line 29

The dn is correct, it would seem that the search filter is the issue. Can someone please enlighten me?
[/snip]

Aha! It may not be me. The LDAP server is Win2003 and has some known problems when searching LDAP. I haven't located a solution, but if you are privy to one or two or ten could you let me know?
RE: [PHP] LDAP confusion
[snip]
Aha! It may not be me. The LDAP server is Win2003 and has some known problems when searching LDAP. I haven't located a solution, but if you are privy to one or two or ten could you let me know?
[/snip]

Well, I thought that I had escaped the hell of a Windows world when I accepted this position, and now it is just not true. We have all of our users authenticating through AD on a W2003Server, so I thought I'd use LDAP for web authentication as well. It doesn't work. For some cockamamie reason there are problems using PHP/LDAP with W2003Server. To be sure, I found plenty of evidence that all was well prior to W2003Server; there are many posts web wide about how well it was working with W2KServer, etc. Does anyone know how I can fix this without having our Windows folks do something to the server which will undoubtedly hose things up?
Re: [PHP] LDAP confusion
[EMAIL PROTECTED] wrote:
> [snip]
> Aha! It may not be me. The LDAP server is Win2003 and has some known problems when searching LDAP. I haven't located a solution, but if you are privy to one or two or ten could you let me know?
> [/snip]
>
> Well, I thought that I had escaped the hell of a Windows world when I accepted this position, and now it is just not true. We have all of our users authenticating through AD on a W2003Server, so I thought I'd use LDAP for web authentication as well. It doesn't work. [...] Does anyone know how I can fix this without having our Windows folks do something to the server which will undoubtedly hose things up?

I vaguely recall you couldn't do an anonymous bind to an active directory system - you had to properly authenticate before you could do a search. You didn't include the bind stuff so I can't tell if that's the problem :)

-- Postgresql php tutorials http://www.designmagick.com/
Re: [PHP] LDAP and a pain in my neck
André Medeiros wrote:
> Check your webserver logs. If PHP couldn't use the extension, it will accuse that in the logs.

probably the best use of the word 'accuse' ever (with a slight nod to commercials for Carlsberg lager :-)

> On 10/20/05, Jay Blanchard [EMAIL PROTECTED] wrote:
>> [snip]
>> Call to undefined function: ldap_connect()
>> What am I missing? TIA.
>> Did you uncomment (and properly define) the 'extension_dir' directive in your php.ini?
>> [/snip]
>> Yep.
Re: [PHP] LDAP and a pain in my neck
On 10/20/05, Jay Blanchard [EMAIL PROTECTED] wrote:
> Farking windoblows environment! The extension is uncommented, I have OpenLDAP for W2k installed and running, the dll's have been copied to the proper place and I execute a test and get
>
>     Call to undefined function: ldap_connect()
>
> What am I missing? TIA.

Did you uncomment (and properly define) the 'extension_dir' directive in your php.ini?

-- Greg Donald Zend Certified Engineer MySQL Core Certification http://destiney.com/
RE: [PHP] LDAP and a pain in my neck
[snip]
Call to undefined function: ldap_connect()
What am I missing? TIA.
Did you uncomment (and properly define) the 'extension_dir' directive in your php.ini?
[/snip]

Yep.
Re: [PHP] LDAP and a pain in my neck
Check your webserver logs. If PHP couldn't use the extension, it will accuse that in the logs.

On 10/20/05, Jay Blanchard [EMAIL PROTECTED] wrote:
> [snip]
> Call to undefined function: ldap_connect()
> What am I missing? TIA.
> Did you uncomment (and properly define) the 'extension_dir' directive in your php.ini?
> [/snip]
> Yep.
[PHP] Re: php ldap
Santosh Jambhlikar wrote:
> Hi, I have a ldap server; the user passwords are stored in that. my php ldapsearch result says that the result is
>
>     ldap user password : {SMD5}eRuT8dttD6M6N6tgMJF33/TNAvc=
>
> i want to compare this password with the user given password in other application (obviously php) but when i md5(passwordgiven) then it is showing different output. Any suggestions.

MD5 and SMD5 are not the same type of encryption. md5() will not return the correct results.
Re: [PHP] Re: php ldap
then can i output the SMD5 of my password in php.

Jeff Loiselle wrote:
> Santosh Jambhlikar wrote:
>> [...] i want to compare this password with the user given password in other application (obviously php) but when i md5(passwordgiven) then it is showing different output. Any suggestions.
>
> MD5 and SMD5 are not the same type of encryption. md5() will not return the correct results.

-- Santosh Jambhlikar Linux Administrator Cash-Tech Solutions Pride Parmar Galaxy, Pune Maharashtra. Ph. O.:- 56052000 ext. 2150
Re: [PHP] Re: php ldap
Santosh Jambhlikar [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> then can i output the SMD5 of my password in php.
>
> Jeff Loiselle wrote:
>> Santosh Jambhlikar wrote:
>>> [...] i want to compare this password with the user given password in other application (obviously php) but when i md5(passwordgiven) then it is showing different output. Any suggestions.

You could try to bind to the server using ldap_bind with the supplied password. That will check if it is valid or not.

>> MD5 and SMD5 are not the same type of encryption. md5() will not return the correct results.
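What an OpenLDAP-style {SMD5} value actually is, and why a bare md5($password) never matches it, as an added example that is not code from this thread: the stored string is base64(MD5(password || salt) || salt) with a random salt (OpenLDAP uses 4 bytes), so checking a password means splitting off the salt and recomputing the digest. The sample password below is constructed for the demo.

```php
<?php
// Added example (not from the thread): build and verify {SMD5} userPassword
// values. MD5 is obsolete for new password storage; this shows how to read
// what an existing directory holds, not what to deploy today.

// Produce a {SMD5} string for storage. $salt is random unless supplied.
function smd5_hash(string $password, ?string $salt = null): string
{
    $salt = $salt ?? random_bytes(4);
    return '{SMD5}' . base64_encode(md5($password . $salt, true) . $salt);
}

// Check a candidate password against a stored {SMD5} value.
function smd5_verify(string $password, string $stored): bool
{
    if (strncasecmp($stored, '{SMD5}', 6) !== 0) {
        return false;                    // some other scheme, e.g. {SSHA} or {CRYPT}
    }
    $raw = base64_decode(substr($stored, 6), true);
    if ($raw === false || strlen($raw) <= 16) {
        return false;                    // an MD5 digest is 16 bytes; the rest is salt
    }
    $digest = substr($raw, 0, 16);
    $salt   = substr($raw, 16);
    // Constant-time compare of the recomputed digest with the stored one.
    return hash_equals($digest, md5($password . $salt, true));
}

// Self-check on a constructed sample (random salt each run).
$stored = smd5_hash('correct horse');
if (!smd5_verify('correct horse', $stored) || smd5_verify('wrong', $stored)) {
    throw new RuntimeException('SMD5 self-test failed');
}
echo $stored, "\n";
```

In practice Mark's suggestion is the better check: binding with the supplied password needs no read access to userPassword, works for every hash scheme the server uses, and respects the server's lockout policy.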
Re: [PHP] Re: php ldap
    $ldaprdn = 'user';
    $ldappass = 'userpass';
    $ldapconn = ldap_connect("ldap.mydomain.com") or die("Could not connect to LDAP server.");
    if ($ldapconn) {
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
        if ($ldapbind) {
            echo "LDAP bind successful...";
        } else {
            echo "LDAP bind failed...";
        }
    }

this program is giving me *Invalid DN syntax* error. what's wrong? cn for the user is user

Mark Rees wrote:
> Santosh Jambhlikar [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> then can i output the SMD5 of my password in php.
>
> You could try to bind to the server using ldap_bind with the supplied password. That will check if it is valid or not.
[Fwd: Re: [PHP] Re: php ldap]
> this program is giving me *Invalid DN syntax* error. what's wrong? cn for the user is user

the DN should look like this

    cn={username},..., dc={yourdomain}, dc={TLD}

ask your admin for further options...

cheers

Björn Bartels -Development/IT-Services- -- dbusiness.de gmbh digital business printing gmbh Greifswalder Str. 152 D-10409 Berlin Fon: [0.30] 4.21.19.95 Fax: [0.30] 4.21.19.74 www.dbusiness.de [EMAIL PROTECTED] ftp://dbusiness.dyndns.org
[Fwd: Re: [PHP] Re: php ldap] sorry...
> this program is giving me *Invalid DN syntax* error. what's wrong? cn for the user is user

the DN should look like this

    uid={username},..., dc={yourdomain}, dc={TLD}

ask your admin for further options...

cheers

Björn Bartels -Development/IT-Services- -- dbusiness.de gmbh digital business printing gmbh Greifswalder Str. 152 D-10409 Berlin Fon: [0.30] 4.21.19.95 Fax: [0.30] 4.21.19.74 www.dbusiness.de [EMAIL PROTECTED] ftp://dbusiness.dyndns.org
Re: [PHP] Re: php ldap
that looks good, i think you should better use uid instead of cn...

btw, i mentioned some authentication-problem earlier in this list. take a look at the php-manual @ ldap_bind() for a workaround if the same thing is happening to you (testscript works fine, loginscript does not !?!)... You'll find a function there by [EMAIL PROTECTED] which might help you out

> So should i give $ldaprdn = 'cn=user,ou=Users,dc=mydomain,dc=com';

sorry for that delayed reply... being at work now :)

Björn Bartels -Development/IT-Services- -- dbusiness.de gmbh digital business printing gmbh Greifswalder Str. 152 D-10409 Berlin Fon: [0.30] 4.21.19.95 Fax: [0.30] 4.21.19.74 www.dbusiness.de [EMAIL PROTECTED] ftp://dbusiness.dyndns.org
Re: [PHP] Re: php ldap
thanks bartels, ldap_bind is working fine, i just used uid instead of cn. :)

Björn Bartels wrote:
> that looks good, i think you should better use uid instead of cn...
>
> btw, i mentioned some authentication-problem earlier in this list. take a look at the php-manual @ ldap_bind() for a workaround if the same thing is happening to you (testscript works fine, loginscript does not !?!)... You'll find a function there by [EMAIL PROTECTED] which might help you out
>
>> So should i give $ldaprdn = 'cn=user,ou=Users,dc=mydomain,dc=com';
>
> sorry for that delayed reply... being at work now :)

-- Santosh Jambhlikar Linux Administrator Cash-Tech Solutions Pride Parmar Galaxy, Pune Maharashtra. Ph. O.:- 56052000 ext. 2150
Re: [PHP] LDAP problem
On Wed, August 24, 2005 12:47 pm, Björn Bartels wrote:
>        $binddn  'uid='.$username.',ou=users,ou=OxObjects,dc=dbusiness,dc=de';

Either you're missing an = sign here, or my eyesight is getting worse than I thought... :-)

-- Like Music? http://l-i-e.com/artists.htm
Re: [PHP] LDAP problem
Hello, Richard...

> How long does it take to fail?

I get the answer immediately (0-1sec.)...

> Is there some sort of permission system in LDAP which allows one to connect, but not to bind?

Only clients from 192.168.* are allowed to bind, i guess...

> These are just guesses from a VERY limited knowledge of LDAP. You'll probably get much better answers shortly. :-)

Yup, as is mine... :)

> Just for testing, can you install the same LDAP script on the same computer that has the LDAP server that currently doesn't work? If the computer can't connect/bind to itself, but the same PHP script works on the OTHER box where it can connect/bind to itself, you can be pretty certain it's an LDAP configuration error on that particular LDAP server, not something actually in your PHP or the networking.

The script is on the same machine and even command line actions don't fail... Also, our admin checked its configurations but everything is fine.

> -- Like Music?

Definitely, I'm a drummer... :)

Björn Bartels -Development/IT-Services- -- dbusiness.de gmbh digital business printing gmbh Greifswalder Str. 152 D-10409 Berlin Fon: [0.30] 4.21.19.95 Fax: [0.30] 4.21.19.74 www.dbusiness.de [EMAIL PROTECTED] ftp://dbusiness.dyndns.org
Re: [PHP] LDAP problem
On Tue, August 23, 2005 11:59 pm, Björn Bartels wrote:
> I built a test script with help from the manual which authenticates a user and does a simple test query (cn=*). the test script works fine, no matter what protocol version it uses, on any (internal) client computer. The problem occurs when I built the same lines into my intranet-app. After connecting successfully to the server (ldap_connect) the script is unable to bind to server (ldap_bind - cannot contact server...). LDAP works fine all the way, we are using OpenXchange...

How long does it take to fail?

If it takes about 30 seconds from when you run the script for the error message to appear, that usually indicates that the DNS is somehow messed up, and it's timing out. Though I guess you'd see that with ldap_connect() and not ldap_bind()...

Is there some sort of permission system in LDAP which allows one to connect, but not to bind? Sort of like in MySQL you might be able to mysql_connect() but if you don't have any rights to a particular database, mysql_select_db() will fail.

These are just guesses from a VERY limited knowledge of LDAP. You'll probably get much better answers shortly. :-)

Just for testing, can you install the same LDAP script on the same computer that has the LDAP server that currently doesn't work? If the computer can't connect/bind to itself, but the same PHP script works on the OTHER box where it can connect/bind to itself, you can be pretty certain it's an LDAP configuration error on that particular LDAP server, not something actually in your PHP or the networking.

-- Like Music? http://l-i-e.com/artists.htm
Re: [PHP] LDAP problem
>> How long does it take to fail?
>
> I get the answer immediately (0-1sec.)...

Are you sure you are connecting? As in, do you only try to bind if you have a successful connection?

Have you checked ldap_error?

Are you doing an anonymous bind, or using a username and password? Try each and see what happens.

How about posting some code?

I have just spent several days trying on and off to work out LDAP, from a starting position of "what's LDAP?".

Good luck

Mark
Re: [PHP] LDAP problem
Hello Mark, first of all, thank you (all) a lot for your contributions... Are you sure you are connecting? As in, do you only try to bind if you have a successful connection? (...) I try to bind only when the connection itself is established... Have you checked ldap_error? Can't contact LDAP server, it says Are you doing an anonymous bind, or using a username and password? Try each and see what happens Both methods fail regarding my login-script, again, the test script works fine on both. How about posting some code? ...sorry... here they come, first the testscript and then the extract from the login script $ldaphost = $_REQUEST[ldaphost]; $ldapport = $_REQUEST[ldapport]; $ds = ldap_connect($ldaphost, $ldapport) or die(Could not connect to $ldaphost.br /); if (ldap_get_option($ds, LDAP_OPT_PROTOCOL_VERSION, $version)) echo Sie benutzen die Protokollversion $version.br /; else echo Protokollversion konnte nicht bestimmt werden.br /; if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) echo Verwenden von LDAPv3.br /; else echo Kann das Protokoll nicht auf Version 3 setzen.br /; if ($ds) { $username = $_REQUEST[ldapuser]; $binddn = 'uid='.$username.', ou=users, ou=OxObjects, dc=dbusiness, dc=de'; $ldapbind = ldap_bind($ds, $binddn, $_REQUEST[ldappass]); if ($ldapbind) { print Congratulations! You are authenticated. br /; print .$_REQUEST[ldapuser];} else { print Nice try, kid. Better luck next time! br /; } } Here is the login part, as you see it does not differ much from the testscript... 
if (!empty($_REQUEST[IO_username])) { $ldaphost = LDAP_HOST; $ldapport = LDAP_PORT; $ds = ldap_connect($ldaphost, $ldapport) or die(Could not connect to $ldaphost.\n); if (ldap_get_option($ds, LDAP_OPT_PROTOCOL_VERSION, $version)) echo Sie benutzen die Protokollversion $version.\n; else echo Protokollversion konnte nicht bestimmt werden.\n; if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) echo Verwenden von LDAPv3.\n; else echo Kann das Protokoll nicht auf Version 3 setzen.\n; if ($ds) { $username = $_REQUEST[IO_username]; $upasswd = $_REQUEST[IO_password]; $binddn = 'uid='.$username.',ou=users,ou=OxObjects,dc=dbusiness,dc=de'; $ldapbind = ldap_bind($ds, $binddn, $upasswd); if ($ldapbind) { print User is authenticated... \n; print .$binddn.\n; $DB_checkuserid-query(SELECT * FROM users_users WHERE username='.$HTTP_POST_VARS[IO_username]. ' AND password='.$HTTP_POST_VARS[IO_password].';); if ($DB_checkuserid-rows == 1) { $thisuser = $DB_checkuserid-fetch(0); $HTTP_SESSION_VARS[userid] = $HTTP_POST_VARS[IO_username]; $HTTP_SESSION_VARS[userfullname] = $thisuser[fullname]; $HTTP_SESSION_VARS[usergroupid] = $thisuser[groupid]; } } else { var_dump($ds);print br /\n; var_dump($ldapbind);print br /\n; print Error: .ldap_error($ds). br /\n; print DN: .$binddn. br /\n; print pwd: .$upasswd. br /\n; print Nice try, kid. Better luck next time! br /; die (LDAP authentication error! Check username and/or password !); } } else { print Nice try, kid. Better luck next time! br /; die (LDAP connection error! Please inform the administrator !); } } I have just spent several days trying on and off to work out LDAP, from a starting position of what's LDAP?. I had the same problem with the testscript once, then left it off several days/some weeks satisfying my boss with a mySQL-based login. now the testscript works without doing any changes... Björn Bartels -Development/IT-Services- -- dbusiness.de gmbh digital business printing gmbh Greifswalder Str. 
152 D-10409 Berlin Fon: [0.30] 4.21.19.95 Fax: [0.30] 4.21.19.74 www.dbusiness.de [EMAIL PROTECTED] ftp://dbusiness.dyndns.org -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
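The scripts above treat a successful ldap_bind() as proof of identity, and two details of that deserve attention before such a login goes live: a bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many directories accept, so an empty form field would "authenticate"; and the user name is spliced verbatim into both the bind DN and the SQL statement. The following is an added example, not code from this thread; the directory URI, base DN, table columns and the STARTTLS-capable server are assumptions.

```php
<?php
// Added example, not from the thread. Assumes an LDAPv3 directory that supports
// STARTTLS and stores people as uid=<name>,<peopleBase>; URI and base are placeholders.

function ldap_authenticate(string $uri, string $peopleBase, string $username, string $password): array
{
    // RFC 4513 s.5.1.2: a DN with an empty password is an *unauthenticated* bind,
    // which many servers accept. Refuse it before it ever reaches ldap_bind().
    if ($password === '') {
        return ['ok' => false, 'reason' => 'empty password'];
    }
    // Tight allow-list for the account name; anything else cannot be a valid uid here.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return ['ok' => false, 'reason' => 'invalid username syntax'];
    }

    $ds = ldap_connect($uri);
    if ($ds === false) {
        return ['ok' => false, 'reason' => 'cannot create LDAP handle'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Never send the password over cleartext LDAP.
    if (!@ldap_start_tls($ds)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        return ['ok' => false, 'reason' => "STARTTLS failed: $err"];
    }

    // Escape the RDN value as well, so the DN cannot be reshaped by the input.
    $binddn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $peopleBase;

    if (!@ldap_bind($ds, $binddn, $password)) {
        // Keep the detail (errno 49 = bad password, 32 = no such DN) in the server
        // log; the browser gets one uniform message so it cannot enumerate accounts.
        error_log(sprintf('ldap bind failed for %s: [%d] %s', $binddn, ldap_errno($ds), ldap_error($ds)));
        ldap_unbind($ds);
        return ['ok' => false, 'reason' => 'authentication failed'];
    }
    ldap_unbind($ds);
    return ['ok' => true, 'dn' => $binddn];
}

// Profile lookup with a bound parameter. The directory already verified the
// password, so the SQL neither receives nor compares it.
function lookup_profile(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT fullname, groupid FROM users_users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login handler. Session values are written only after both steps succeed, and
// the session id is regenerated so a pre-login id cannot be reused (fixation).
function handle_login(PDO $db, string $user, string $pass): bool
{
    $auth = ldap_authenticate('ldap://ldap.example.test', 'ou=users,dc=example,dc=test', $user, $pass);
    if (!$auth['ok']) {
        return false;
    }
    $profile = lookup_profile($db, $user);
    if ($profile === null) {
        return false;                       // in the directory but not provisioned here
    }
    session_regenerate_id(true);
    $_SESSION['userid']       = $user;
    $_SESSION['userfullname'] = $profile['fullname'];
    $_SESSION['usergroupid']  = $profile['groupid'];
    return true;
}

// Usage (placeholders):
// session_start();
// $db = new PDO('mysql:host=localhost;dbname=intranet', 'app', getenv('DB_PASS'));
// if (!handle_login($db, (string) ($_POST['IO_username'] ?? ''), (string) ($_POST['IO_password'] ?? ''))) {
//     http_response_code(401); exit('Login failed.');
// }
```

The debugging branch of the posted script prints the DN, the password and ldap_error() into the page; this version keeps the error number and text in the server log only, so a failed login looks the same to the browser whether the account exists or not.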
Re: [PHP] LDAP and .htaccess
Bret Walker wrote:

> Hello all- I am looking for a way to protect a directory's contents by authenticating against Active Directory via LDAP. I currently have a nice little php script that tries to bind to LDAP via a username and password entered in a form. If it fails to bind, the user is denied access. If it succeeds in binding, it then checks to make sure the user is part of a specified group. It works wonderfully, but the problem I've run in to (obviously) is that the plain files (.pdf, images, etc) are not protected in any manner. I know you can use php to authenticate against a .htaccess file, and that you can use mod_auth_ldap (I'm using apache 1.3) to authenticate against LDAP. I would like to avoid using mod_auth_ldap if possible because it requires credentials to be stored in it, thus making the code less portable and more insecure.

auth_ldap doesn't require credentials to be stored in the .htaccess file or anywhere else. It can work the same way as you described your php login page (even supports group lookups).

> Is there any way to use some type of php trickery to protect all of the contents of a given directory?

store the files outside of the directory and use something like download.php?file=readme.txt to serve them.

Kenny
Re: [PHP] LDAP and .htaccess
Well, the download.php script would allow me to protect certain files, but is there a way to protect all files? For example, images that I would like to include in my php pages. Could I silently pass a username and password to htaccess? Can htaccess be set to use a php script instead of a htpasswd file?

Thanks, Bret

Kenny Austin wrote:

> Bret Walker wrote:
>> Hello all- I am looking for a way to protect a directory's contents by authenticating against Active Directory via LDAP. I currently have a nice little php script that tries to bind to LDAP via a username and password entered in a form. If it fails to bind, the user is denied access. If it succeeds in binding, it then checks to make sure the user is part of a specified group. It works wonderfully, but the problem I've run in to (obviously) is that the plain files (.pdf, images, etc) are not protected in any manner. I know you can use php to authenticate against a .htaccess file, and that you can use mod_auth_ldap (I'm using apache 1.3) to authenticate against LDAP. I would like to avoid using mod_auth_ldap if possible because it requires credentials to be stored in it, thus making the code less portable and more insecure.
>
> auth_ldap doesn't require credentials to be stored in the .htaccess file or anywhere else. It can work the same way as you described your php login page (even supports group lookups).
>
>> Is there any way to use some type of php trickery to protect all of the contents of a given directory?
>
> store the files outside of the directory and use something like download.php?file=readme.txt to serve them.
>
> Kenny

-- Bret Walker Technical Support Consultant Medill School of Journalism Northwestern University 847-467-7845 847-491-2370 fax [EMAIL PROTECTED] http://www.it.medill.northwestern.edu/
Re: [PHP] LDAP and .htaccess
Bret Walker wrote:

I'm not too sure, but it seems to be having an effect you any text showing up in your emails.

John Hinton
[Fwd: Re: [PHP] LDAP and .htaccess]
Re: John Hinton

Perhaps my S/MIME cert. was preventing the text from coming through. This message is unsigned.

Bret

Original Message
Subject: Re: [PHP] LDAP and .htaccess
Date: Wed, 27 Apr 2005 14:08:14 -0500
From: Bret Walker [EMAIL PROTECTED]
To: php-general@lists.php.net
References: [EMAIL PROTECTED] [EMAIL PROTECTED]

Well, the download.php script would allow me to protect certain files, but is there a way to protect all files? For example, images that I would like to include in my php pages. Could I silently pass a username and password to htaccess? Can htaccess be set to use a php script instead of a htpasswd file?

Thanks, Bret

Kenny Austin wrote:

> Bret Walker wrote:
>> Hello all- I am looking for a way to protect a directory's contents by authenticating against Active Directory via LDAP. I currently have a nice little php script that tries to bind to LDAP via a username and password entered in a form. If it fails to bind, the user is denied access. If it succeeds in binding, it then checks to make sure the user is part of a specified group. It works wonderfully, but the problem I've run in to (obviously) is that the plain files (.pdf, images, etc) are not protected in any manner. I know you can use php to authenticate against a .htaccess file, and that you can use mod_auth_ldap (I'm using apache 1.3) to authenticate against LDAP. I would like to avoid using mod_auth_ldap if possible because it requires credentials to be stored in it, thus making the code less portable and more insecure.
>
> auth_ldap doesn't require credentials to be stored in the .htaccess file or anywhere else. It can work the same way as you described your php login page (even supports group lookups).
>
>> Is there any way to use some type of php trickery to protect all of the contents of a given directory?
>
> store the files outside of the directory and use something like download.php?file=readme.txt to serve them.
>
> Kenny
Re: [PHP] LDAP and .htaccess
Bret Walker wrote:

> Well, the download.php script would allow me to protect certain files, but is there a way to protect all files? For example, images that I would like to include in my php pages.

you can serve images through download.php.. but that's just a bad idea :)

> Could I silently pass a username and password to htaccess? Can htaccess be set to use a php script instead of a htpasswd file?

why are your username/passwords safer in script.php than .htpasswd? I still think your best route would be auth_ldap. If your directory server doesn't allow anonymous searches, have the admin create a low privileged account that only has access to search the required attributes.

Kenny
Re: [PHP] LDAP and .htaccess
On Wed, April 27, 2005 12:08 pm, Bret Walker said:

> Well, the download.php script would allow me to protect certain files, but is there a way to protect all files? For example, images that I would like to include in my php pages.

As noted, you could put your images outside the webtree and then use PHP to serve them all up. You would want to do this only for images you really cared about, probably, for performance reasons.

> Could I silently pass a username and password to htaccess? Can htaccess be set to use a php script instead of a htpasswd file?

Search http://php.net/ for HTTP Authentication. You'll find a PHP script that sends the same headers as .htaccess/htpasswd, and then you can use LDAP there, or MySQL or whatever you want.

-- Like Music? http://l-i-e.com/artists.htm
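Bret's two questions (protecting images as well as downloads, and letting a PHP script stand in for htpasswd) both come down to routing every request through one gatekeeper script, which is what Kenny's download.php and the HTTP Authentication suggestion amount to. The following download.php is an added example, not code from the thread, assuming PHP 8; STORE and verify_user() are placeholders, the latter standing in for the LDAP bind Bret's login page already performs. It also pins the requested name to the store directory, which the one-line download.php?file=readme.txt idea needs before it serves anything.

```php
<?php
// Added example, not from the thread. Serves files kept outside the document root
// after authenticating the request. STORE and verify_user() are placeholders.

const STORE = '/srv/protected-files';          // outside DocumentRoot, not web-readable

// Placeholder credential check; in practice this would be the LDAP bind from the login page.
function verify_user(string $user, string $pass): bool
{
    return $user === 'demo' && $pass === 'demo';   // constructed stand-in only
}

// HTTP Basic auth as the PHP manual describes it: if no credentials arrived, ask
// for them with a 401 and stop; Apache passes the browser's reply in PHP_AUTH_USER/PW.
// A session established by the form login is accepted as well.
function require_auth(): string
{
    session_start();
    if (!empty($_SESSION['userid'])) {
        return $_SESSION['userid'];
    }
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if ($user === '' || !verify_user($user, $pass)) {
        header('WWW-Authenticate: Basic realm="Protected files"');
        http_response_code(401);
        exit('Authentication required');
    }
    return $user;
}

// Map the request parameter to a file inside STORE, refusing anything else.
function resolve_protected_path(string $requested): ?string
{
    // A bare file name only: no directory separators, no NUL bytes, no leading dot.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $requested)) {
        return null;
    }
    $store = realpath(STORE);
    $real  = realpath(STORE . '/' . $requested);
    // realpath() resolves symlinks, so a link pointing outside STORE is caught too.
    if ($store === false || $real === false || !is_file($real)
        || !str_starts_with($real, $store . '/')) {
        return null;
    }
    return $real;
}

// Send the file with a type chosen from an allow-list rather than from the client.
function send_file(string $path): void
{
    $types = ['pdf' => 'application/pdf', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
              'png' => 'image/png', 'gif' => 'image/gif', 'txt' => 'text/plain'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ($types[$ext] ?? 'application/octet-stream'));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    readfile($path);
}

$user = require_auth();
$path = resolve_protected_path((string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}
send_file($path);
```

Pages then reference images as <img src="download.php?file=logo.png">, so the same check covers inline images and downloads; as Richard notes, every such request costs a PHP invocation, so it is worth doing only for files that actually need protection.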
Re: [PHP] LDAP and referrals
Whoops. For some reason I've attached the wrong file. Here's the correct one.

Cajus

    #!/usr/bin/php4 -q
    <?php
    # T E S T - V A R I A B L E S
    $server= "localhost";
    $filter= "(uid=*)";
    $base  = "dc=example,dc=net";

    # F U N C T I O N S
    function get_additional_error($res)
    {
        $error= "";
        ldap_get_option ($res, LDAP_OPT_ERROR_STRING, $error);
        return ($error);
    }

    function get_error($res)
    {
        $error= ldap_error($res);
        if ($error == 'Success'){
            return "success";
        } else {
            $adderror= get_additional_error($res);
            if ($adderror != ""){
                $error= $error." (".$adderror.")";
            }
            return $error;
        }
    }

    function rebind($ldap, $referral)
    {
        # keep only scheme://host[:port] of the referral URL and reconnect there
        $server= preg_replace('!^(ldap://[^/]+)/.*$!', '\\1', $referral);
        if (!($ds= ldap_connect($server))){
            echo "reconnect failed - ";
            return ($ldap);
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 1);
        ldap_set_rebind_proc($ds, "rebind");
        if (!ldap_bind($ds)){
            echo "rebind failed - ";
            return ($ldap);
        }
        echo "rebind to $server - ";
        return ($ds);
    }

    # M A I N
    echo "Opening connection to $server - ";
    $ds= @ldap_connect($server);
    if ($ds) {
        echo "success\n";
        echo "Setting up link parameters - ";
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 1);
        echo get_error($ds)."\n";
        echo "Setting rebind proc - ";
        ldap_set_rebind_proc($ds, "rebind");
        echo get_error($ds)."\n";
        echo "Binding - ";
        if (!($r= @ldap_bind($ds))){
            echo get_error($ds)."\n\n";
            exit (2);
        }
        echo "success\n";
    } else {
        echo get_error($ds)."\n\n";
        exit (1);
    }

    echo "Performing search with base '$base' and filter '$filter'\n";
    echo "* starting search - ";
    $sr= @ldap_search($ds, $base, $filter, array('uid', 'cn'), 0, 0, 0, LDAP_DEREF_ALWAYS);
    echo get_error($ds)."\n";
    if (!$sr){
        exit (3);
    }
    $info= ldap_get_entries($ds, $sr);
    echo "* getting entries - ";
    echo get_error($ds)."\n";
    if (!$info){
        exit (4);
    }
    for ($n= 0; $n < $info['count']; $n++){
        if (!isset($info[$n]['uid'][0])){
            continue;
        }
        echo "  ".$info[$n]['dn']."\n";
    }
    echo "Closing connection...\n";
    ldap_close($ds);
    ?>
Re: [PHP] LDAP Group query examples?
On Tue, 10 Aug 2004 11:26:07 -0600 (MDT), Sam Evans [EMAIL PROTECTED] wrote:

> Hello.. I am wondering if someone could point me in the general direction of some examples which show how to query an LDAP group for user membership?

Use Softerra LDAP browser to look at the groups and figure out the path you need to access them, then use PHP's LDAP functions to query. http://www.ldapadministrator.com/download/index.php

> Thanks, Sam

-- DB_DataObject_FormBuilder - The database at your fingertips http://pear.php.net/package/DB_DataObject_FormBuilder paperCrane --Justin Patrin--
[PHP] Re: PHP LDAP query - need to add Exchange fields
Ben, I was trying the same thing, but I am not sure you are using the same setup as me. My office runs a windows 2000 domain with an Exchange server 2000 box. All profile information is stored in the windows 2000 domain controller, and the exchange server accesses the information from there. So it doesn't use its own LDAP. And to make it all the more interesting, this script is running on our Intranet, on a FreeBSD 5 box with the OpenLDAP client.

The following script will bring back all the fields available in LDAP, as long as they are filled out. In this script you need to have a valid DOMAIN_USER and a valid DOMAIN_PASS. There are ways to do this anonymously, you just need to change the $ldap_bind line to remove the $ldaprdn and $ldappass. To change the search criteria, you can change the $filter variable; at the moment it filters on the domain user's userid, or samaccountname. At the bottom of this post, I have included search results based on my user; I have removed everything except the fields you might want.

    <?
    $ldapuser = "DOMAIN_USER";
    $ldappass = "DOMAIN_PASS";
    $ldaprdn  = 'DOMAIN\\'.$ldapuser;
    $ldapconn = @ldap_connect("dns.domain.com", 3268);
    @ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    @ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
    if ($ldapconn) {
        $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);
    }
    $base_dn = "DC=dns,DC=domain,DC=com";
    $filter  = "samaccountname=$ldapuser";
    $read = ldap_search($ldapconn, $base_dn, $filter);
    $info = ldap_get_entries($ldapconn, $read);
    $ii = 0;
    for ($i = 0; $ii < $info[$i]["count"]; $ii++) {
        $data = $info[$i][$ii];
        echo $data.":&nbsp;&nbsp;".$info[$i][$data][0]."<br>";
    }
    ?>

Hope it helps

Phil Dowson

Ben Crothers wrote:

> Hoping this is an easy question to answer, apologise upfront if this is so basic, but just been put in charge of a PHP app with LDAP interface to M$ Exchange, and trying to figure out how it works. At the moment it works fine and extracts fields like first- and surname, title, department, etc.
>
> I need to add the 'office' field, and added it at the end of this filter line:
>
>     $filter = "(|(sn=$search[$i]*)(givenname=$search[$i]*)(title=$search[$i]*)(department=$search[$i]*)(office=$search[$i]*))";
>
> ...but so far it's not working. I *know* there's data in the 'office' field -- any ideas as to what I'm missing?
>
> Thanks a lot in advance, Ben

---Field List---
homemdb: manager: memberof: altrecipientbl: publicdelegatesbl: streetaddress: info: cn: company: c: department: description: displayname: mail: facsimiletelephonenumber: givenname: initials: instancetype: legacyexchangedn: l: distinguishedname: objectcategory: objectclass: objectguid: objectsid: homephone: mobile: pager: physicaldeliveryofficename: postofficebox: postalcode: primarygroupid: proxyaddresses: name: samaccountname: samaccounttype: showinaddressbook: st: sn: telephonenumber: co: textencodedoraddress: title: useraccountcontrol: userprincipalname: usnchanged: usncreated: whenchanged: whencreated: wwwhomepage: mailnickname: msexchuseraccountcontrol: deliverandredirect: homemta: msexchhomeservername: msexchmailboxguid: msexchmailboxsecuritydescriptor: mdbusedefaults: protocolsettings:
---Field List---
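Two things the scripts in this thread leave implicit: Sam's earlier question about checking group membership, and the filter Ben builds by interpolating $search[$i] straight into the filter string, where a "*" or "(" in the search box changes the filter's structure. Phil's field list also shows where Active Directory keeps the "Office" field: the attribute is physicaldeliveryofficename, and there is no attribute named office, so Ben's extra clause can never match. The following is an added example, not code from either poster, assuming PHP 5.6 or later for ldap_escape(); host, base DN and the service account are placeholders.

```php
<?php
// Added example, not from the thread. Searches Active Directory with an escaped
// filter, reads the Office attribute under its real name, and checks group
// membership. Host, base DN and credentials are placeholders.

function ad_connect(string $uri, string $bindUser, string $bindPass)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException('ldap_connect failed');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals the client cannot chase without credentials
    if (!@ldap_bind($ds, $bindUser, $bindPass)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Build the people-search filter. Every user-supplied term goes through
// ldap_escape() with LDAP_ESCAPE_FILTER so that *, (, ), \ and NUL in the input
// cannot change the filter's structure (e.g. turn one clause into (sn=*)).
function people_filter(string $term): string
{
    $t = ldap_escape($term, '', LDAP_ESCAPE_FILTER);
    $attrs = ['sn', 'givenName', 'title', 'department', 'physicalDeliveryOfficeName'];
    $parts = '';
    foreach ($attrs as $a) {
        $parts .= "($a=$t*)";
    }
    return '(&(objectCategory=person)(sAMAccountName=*)(|' . $parts . '))';
}

// Return selected attributes plus the list of groups from memberOf.
function search_people($ds, string $baseDn, string $term): array
{
    $wanted = ['sAMAccountName', 'displayName', 'mail', 'physicalDeliveryOfficeName', 'memberOf'];
    $sr = ldap_search($ds, $baseDn, people_filter($term), $wanted);
    if ($sr === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ds));
    }
    $entries = ldap_get_entries($ds, $sr);
    $out = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $e = $entries[$i];
        // ldap_get_entries() lowercases attribute names and wraps values in
        // arrays with a 'count' slot; unwrap that for the caller.
        $groups = [];
        if (isset($e['memberof'])) {
            for ($g = 0; $g < $e['memberof']['count']; $g++) {
                $groups[] = $e['memberof'][$g];
            }
        }
        $out[] = [
            'account' => $e['samaccountname'][0] ?? '',
            'name'    => $e['displayname'][0] ?? '',
            'mail'    => $e['mail'][0] ?? '',
            'office'  => $e['physicaldeliveryofficename'][0] ?? '',
            'groups'  => $groups,
        ];
    }
    return $out;
}

// Membership test. memberOf lists direct groups only; the LDAP_MATCHING_RULE_IN_CHAIN
// rule (OID 1.2.840.113556.1.4.1941) makes AD evaluate nested membership server-side.
function is_member_of($ds, string $baseDn, string $account, string $groupDn): bool
{
    $filter = '(&(sAMAccountName=' . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . ')'
            . '(memberOf:1.2.840.113556.1.4.1941:=' . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . '))';
    $sr = ldap_search($ds, $baseDn, $filter, ['dn']);
    return $sr !== false && ldap_count_entries($ds, $sr) === 1;
}

// Usage (placeholders):
// $ds = ad_connect('ldap://dc.example.test:3268', 'EXAMPLE\\svc_lookup', getenv('LDAP_PASS'));
// print_r(search_people($ds, 'DC=example,DC=test', 'smi'));
// var_dump(is_member_of($ds, 'DC=example,DC=test', 'jsmith', 'CN=Staff,OU=Groups,DC=example,DC=test'));
```

The lookup account only needs read access to the attributes listed in $wanted, which is the low-privilege search account Kenny recommended in the .htaccess thread.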
Re: [PHP] LDAP support...
OK this is lame, but I'm posting a reply straight after the message hits my box...

>> I'm running debian and have apt-get php and openldap. openldap works, as does php. I'm now working with the ldap functions and here is where I'm stuck.
>
> apt-cache search php4
>
> what turns up?

php4-ldap

I've installed the package, restarted apache but still no joy.. :(

Pete
Re: [PHP] LDAP support...
Peter Lavender wrote:

> OK this is lame, but I'm posting a reply straight after the message hits my box... I'm running debian and have apt-get php and openldap. openldap works, as does php. I'm now working with the ldap functions and here is where I'm stuck. apt-cache search php4 what turns up? php4-ldap I've installed the package, restarted apache but still no joy.. :( Pete

I'd suggest posting this to a debian group as well - perhaps first next time if there's another problem. They don't like people dispelling the 'apt-get install solves it all' myth in non-debian circles. :)
Re: [PHP] LDAP specific?
Tony Earnshaw wrote:

> frame. To do this, PHP needs to be fed header("Content-type: image/jpeg"). This can be put more or less anywhere in the very short script used for showing the jpeg and works. However, if I try to put any more html code into the script, i.e. print "<html>";, print "<body>"; etc, *anywhere*, I get a "headers already sent" error. So I can't

The headers must be the first thing that is sent to the browser. Do all your other html afterwards, or use output buffering.

HTH Chris
Re: [PHP] LDAP specific?
> I can show a jpeg using a href with a target, either in a new page or a frame. To do this, PHP needs to be fed header("Content-type: image/jpeg"). This can be put more or less anywhere in the very short script used for showing the jpeg and works. However, if I try to put any more html code into the script, i.e. print "<html>";, print "<body>"; etc, *anywhere*, I get a "headers already sent" error.

You can not put any html code with image code. If you send some html you mean to send header("Content-Type: text/html") with header("Content-type: image/jpeg"). Where do you want to go?

You can do so: There is on the page http://xxx/user.html?name=smith some html code where a user can act. Among the html code you insert <img src="http://xxx/userfoto.html?name=smith">. On http://xxx/userfoto.html you send header("Content-type: image/jpeg") and the image content and no html code.
Re: [PHP] LDAP specific?
tor, 2002-11-14 kl. 11:14 skrev Chris Hewitt:

>> frame. To do this, PHP needs to be fed header("Content-type: image/jpeg"). This can be put more or less anywhere in the very short script used for showing the jpeg and works. However, if I try to put any more html code into the script, i.e. print "<html>";, print "<body>"; etc, *anywhere*, I get a "headers already sent" error. So I can't
>
> The headers must be the first thing that is sent to the browser. Do all your other html afterwards, or use output buffering.

Thanks for the answer, Chris. I realise this, but that just does not work - been there, seen it, done it. Wherever (even as 1st line) *any* PHP4 header stuff is put in the script, adding html code later results in the same "headers already sent" error. That's why I asked for a workaround, by name.

Best, Tony

-- Tony Earnshaw Cricketers are strange people. They wake up in October, only to find that their wives had left them in May. e-post: [EMAIL PROTECTED] www: http://www.billy.demon.nl
Re: [PHP] LDAP specific?
Why can u not do a page that displays the images as <img src>? That should work for ya...instead of sending the headers. Are u saving the image in the ldap server?

On Thu, 2002-11-14 at 09:27, Tony Earnshaw wrote:

> People, I'm trying to produce a book of mugs (a 'mug' is a 'face') for people at work to be able to manage and change, as far as they are allowed to, their own personal details in the org's directory database. It's based on PHP 4.2.3/Apache and Openldap 2.1.8 and above and/or Novell eDirectory NLDAP 8.0 or above. One of the things I have to do, is show and change jpeg photos from the user's browser. Browsers are the latest IE, Netscape or Mozilla. No problem with that, only a problem with the following (Code sample below):
>
> I can show a jpeg using a href with a target, either in a new page or a frame. To do this, PHP needs to be fed header("Content-type: image/jpeg"). This can be put more or less anywhere in the very short script used for showing the jpeg and works. However, if I try to put any more html code into the script, i.e. print "<html>";, print "<body>"; etc, *anywhere*, I get a "headers already sent" error. So I can't include code for changing the BGCOLOR, sizing the image or anything like that. Anybody know a workaround? I've cheesed as much code as i can from the recognized tools, such as LDAPExplorer, John Hallam's magnificent yet not widely known contrib. and the Wrox books, but none of them even attempts to address what I want.
>
> Best, Tony
>
> P.s., thanks for what is probably the most *patient minded* and catholic mailing list on the Internet, and all the good advice.
>
>     <?php
>     // Code to show a jpeg from an attribute sent on a previous page
>     // $headers = getallheaders();
>     // foreach ($headers as $name => $content) {
>     //     echo "headers[$name] = $content<br>\n";
>     // }
>     $ds=ldap_connect($Host, $Port);
>     if ($ds) {
>         @$r=ldap_bind($ds);
>         if ($r) {
>             @$these_attrs = array($Attribute);
>             @$result = ldap_search($ds, $BaseDN, $target, $these_attrs);
>             if ($result) {
>                 @$result_id = ldap_first_entry($ds, $result);
>                 if ($result_id) {
>                     @$foto=ldap_get_values_len($ds, $result_id, $Attribute);
>                     header("Content-type:image/jpeg");
>                     print $foto[0];
>                 }
>             }
>         }
>     }
>     ?>
>
> -- Tony Earnshaw Cricketers are strange people. They wake up in October, only to find that their wives had left them in May. e-post: [EMAIL PROTECTED] www: http://www.billy.demon.nl

-- .: B i g D o g :.
Re: [PHP] LDAP specific?
This is how I do it. I create a php page that gets the image and sends the correct header. Then in my other php page that displays the details about a user i call <img src="showperson.php?name=$fullname">. Then in showperson i send the correct image headers and the image is displayed properly.

HTH...

On Thu, 2002-11-14 at 10:50, Krzysztof Dziekiewicz wrote:

>> I can show a jpeg using a href with a target, either in a new page or a frame. To do this, PHP needs to be fed header("Content-type: image/jpeg"). This can be put more or less anywhere in the very short script used for showing the jpeg and works. However, if I try to put any more html code into the script, i.e. print "<html>";, print "<body>"; etc, *anywhere*, I get a "headers already sent" error.
>
> You can not put any html code with image code. If you send some html you mean to send header("Content-Type: text/html") with header("Content-type: image/jpeg"). Where do you want to go?
>
> You can do so: There is on the page http://xxx/user.html?name=smith some html code where a user can act. Among the html code you insert <img src="http://xxx/userfoto.html?name=smith">. On http://xxx/userfoto.html you send header("Content-type: image/jpeg") and the image content and no html code.

-- .: B i g D o g :.
Re: [PHP] LDAP specific?
tor, 2002-11-14 kl. 11:14 skrev Chris Hewitt:

> The headers must be the first thing that is sent to the browser. Do all your other html afterwards, or use output buffering.

Please nobody else bother, it's my own stupid fault for not knowing enough. I'm halfway there, output buffering will prove to be the answer and like everything else with PHP it's a question of reading and practicing. I'm an OS man rather than a programmer.

Best and thanks, Tony

-- Tony Earnshaw Cricketers are strange people. They wake up in October, only to find that their wives had left them in May. e-post: [EMAIL PROTECTED] www: http://www.billy.demon.nl
Re: [PHP] LDAP specific?
tor, 2002-11-14 kl. 11:50 skrev Krzysztof Dziekiewicz:

> You can not put any html code with image code. If you send some html you mean to send header("Content-Type: text/html") with header("Content-type: image/jpeg"). Where do you want to go?
>
> You can do so: There is on the page http://xxx/user.html?name=smith some html code where a user can act. Among the html code you insert <img src="http://xxx/userfoto.html?name=smith">. On http://xxx/userfoto.html you send header("Content-type: image/jpeg") and the image content and no html code.

tor, 2002-11-14 kl. 09:20 skrev BigDog:

> I create a php page that gets the image and sends the correct header. Then in my other php page that displays the details about a user i call <img src="showperson.php?name=$fullname">. Then in showperson i send the correct image headers and the image is displayed properly.
>
> HTH...

These are the answer. Bless you both, pretty sirs.

Best, Tony

-- Tony Earnshaw Cricketers are strange people. They wake up in October, only to find that their wives had left them in May. e-post: [EMAIL PROTECTED] www: http://www.billy.demon.nl
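The pattern the thread settles on is two scripts: one emits nothing but the image and its Content-Type, the other is an ordinary HTML page that references it with <img>. The following is an added example of that split, not Tony's, Krzysztof's or BigDog's code; the directory URI, base DN and the anonymous read of jpegPhoto are assumptions (Tony's script also binds anonymously). Beyond the two-script split it checks that the bytes really are a JPEG before labelling them as one, and escapes the uid on both the URL and the HTML side of the img tag.

```php
<?php
// Added example, not from the thread. photo.php returns only the image bytes;
// person.php embeds it with <img>. Directory details are placeholders.

const LDAP_URI  = 'ldap://ldap.example.test';
const PEOPLE_DN = 'ou=People,dc=example,dc=test';

// Fetch the binary jpegPhoto of one uid, or null when not found / not set.
function fetch_photo(string $uid): ?string
{
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ds)) {                       // anonymous read, as in Tony's script
        return null;
    }
    // Escape the uid so the filter cannot be widened to (uid=*) by the request.
    $filter = '(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_search($ds, PEOPLE_DN, $filter, ['jpegPhoto'], 0, 1);
    $jpeg = null;
    if ($sr !== false) {
        $entry = ldap_first_entry($ds, $sr);
        if ($entry !== false) {
            // ldap_get_values() stops at the first NUL byte; binary attributes
            // must be read with the _len variant.
            $vals = @ldap_get_values_len($ds, $entry, 'jpegPhoto');
            if ($vals !== false && $vals['count'] > 0) {
                $jpeg = $vals[0];
            }
        }
    }
    ldap_unbind($ds);
    return $jpeg;
}

// photo.php: headers and bytes only. Any stray whitespace before "<?php" or after
// "?>" in this file is output, which is exactly the "headers already sent" error.
function serve_photo(string $uid): void
{
    $jpeg = fetch_photo($uid);
    if ($jpeg === null || substr($jpeg, 0, 3) !== "\xFF\xD8\xFF") {   // JPEG SOI marker
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . strlen($jpeg));
    header('X-Content-Type-Options: nosniff');   // the browser must not re-interpret it
    echo $jpeg;
}

// person.php: an ordinary HTML page that references photo.php for the picture,
// escaping the uid once for the URL and once for the HTML attribute.
function person_page_html(string $uid, string $fullName): string
{
    $src = 'photo.php?uid=' . rawurlencode($uid);
    return '<html><body bgcolor="#ffffff">'
         . '<h1>' . htmlspecialchars($fullName, ENT_QUOTES, 'UTF-8') . '</h1>'
         . '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" width="120" height="160">'
         . '</body></html>';
}

// Usage: in photo.php call serve_photo((string) ($_GET['uid'] ?? ''));
// in person.php echo person_page_html($uid, $fullName) after looking the user up.
```

Because the HTML lives entirely in person.php, the BGCOLOR and sizing Tony wanted go there, and photo.php never has to mix markup with the image.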
Re: [PHP] ldap strong authentication
What type of strong authentication does it want? Do you need to connect via ssh or something...

On Tue, 2002-11-12 at 22:13, Karim Jafarmadar wrote:

> hello I want to connect to a local NDS via LDAP, but when i try to bind i get the error: Unable to bind: Strong authentication required after i search in google and php.net manual i wonder if it is possible do connect with strong authentication any further suggestions would be great tia karim jafarmadar

-- .: B i g D o g :.
Re: [PHP] ldap strong authentication
thanks for your reply

the whole error message is

Warning: LDAP: Unable to bind to server: Strong authentication required

and when i connect via SSH it's something like that

Warning: LDAP: Unable to bind to server: No such Object in ...

i am running this thing on a debian box with php4 and openldap-tls installed

bye karim jafarmadar

On 12 Nov 2002 17:13:17 + BigDog [EMAIL PROTECTED] wrote:

> What type of strong authentication does it want? Do you need to connect via ssh or something...
>
> On Tue, 2002-11-12 at 22:13, Karim Jafarmadar wrote:
>> hello I want to connect to a local NDS via LDAP, but when i try to bind i get the error: Unable to bind: Strong authentication required after i search in google and php.net manual i wonder if it is possible do connect with strong authentication any further suggestions would be great tia karim jafarmadar
>
> -- .: B i g D o g :.
Re: [PHP] ldap strong authentication
So you are connecting via ldaps://host in the ldap_connect function right? then when you bind make sure you are using the appropriate rdn for that ldap server. That is probably why u are getting a No such Object error.

On Wed, 2002-11-13 at 00:19, Karim Jafarmadar wrote:

> thanks for your reply the whole error message is Warning: LDAP: Unable to bind to server: Strong authentication required and when i connect via SSH it's something like that Warning: LDAP: Unable to bind to server: No such Object in ... i am running this thing on a debian box with php4 and openldap-tls installed bye karim jafarmadar
>
> On 12 Nov 2002 17:13:17 + BigDog [EMAIL PROTECTED] wrote:
>> What type of strong authentication does it want? Do you need to connect via ssh or something...
>>
>> On Tue, 2002-11-12 at 22:13, Karim Jafarmadar wrote:
>>> hello I want to connect to a local NDS via LDAP, but when i try to bind i get the error: Unable to bind: Strong authentication required after i search in google and php.net manual i wonder if it is possible do connect with strong authentication any further suggestions would be great tia karim jafarmadar
>>
>> -- .: B i g D o g :.

-- Thank you, Ray Hunter
Re: [PHP] ldap strong authentication
On 12 Nov 2002 17:24:38 + Ray Hunter [EMAIL PROTECTED] wrote:

> So you are connecting via ldaps://host in the ldap_connect function right? then when you bind make sure you are using the appropriate rdn for that ldap server.

do i have to use another rdn, than when connecting via ldap://? i mean, i give the same parameters to the bind function in both methods (ldap, ldaps), but get those different error messages.

> That is probably why u are getting a No such Object error.
>
> On Wed, 2002-11-13 at 00:19, Karim Jafarmadar wrote:
>> thanks for your reply the whole error message is Warning: LDAP: Unable to bind to server: Strong authentication required and when i connect via SSH it's something like that Warning: LDAP: Unable to bind to server: No such Object in ... i am running this thing on a debian box with php4 and openldap-tls installed bye karim jafarmadar
>>
>> On 12 Nov 2002 17:13:17 + BigDog [EMAIL PROTECTED] wrote:
>>> What type of strong authentication does it want? Do you need to connect via ssh or something...
>>>
>>> On Tue, 2002-11-12 at 22:13, Karim Jafarmadar wrote:
>>>> hello I want to connect to a local NDS via LDAP, but when i try to bind i get the error: Unable to bind: Strong authentication required after i search in google and php.net manual i wonder if it is possible do connect with strong authentication any further suggestions would be great tia karim jafarmadar
>>>
>>> -- .: B i g D o g :.
>
> -- Thank you, Ray Hunter
Re: [PHP] ldap strong authentication
You have two problems it seems.

1. Wrong connection security...now you are using ldaps
2. Now you have the incorrect rdn.

when you tried it with ldap you could not even pass the rdn because the encryption was not sufficient. Now you have the encryption down and now it seems that the rdn is wrong. Try fixing that and see what happens...

On Wed, 2002-11-13 at 00:30, Karim Jafarmadar wrote:

> On 12 Nov 2002 17:24:38 + Ray Hunter [EMAIL PROTECTED] wrote:
>> So you are connecting via ldaps://host in the ldap_connect function right? then when you bind make sure you are using the appropriate rdn for that ldap server.
>
> do i have to use another rdn, than when connecting via ldap://? i mean, i give the same parameters to the bind function in both methods (ldap, ldaps), but get those different error messages.
>
>> That is probably why u are getting a No such Object error.
>>
>> On Wed, 2002-11-13 at 00:19, Karim Jafarmadar wrote:
>>> thanks for your reply the whole error message is Warning: LDAP: Unable to bind to server: Strong authentication required and when i connect via SSH it's something like that Warning: LDAP: Unable to bind to server: No such Object in ... i am running this thing on a debian box with php4 and openldap-tls installed bye karim jafarmadar
>>>
>>> On 12 Nov 2002 17:13:17 + BigDog [EMAIL PROTECTED] wrote:
>>>> What type of strong authentication does it want? Do you need to connect via ssh or something...
>>>>
>>>> On Tue, 2002-11-12 at 22:13, Karim Jafarmadar wrote:
>>>>> hello I want to connect to a local NDS via LDAP, but when i try to bind i get the error: Unable to bind: Strong authentication required after i search in google and php.net manual i wonder if it is possible do connect with strong authentication any further suggestions would be great tia karim jafarmadar
>>>>
>>>> -- .: B i g D o g :.
>>
>> -- Thank you, Ray Hunter

-- .: B i g D o g :.
Re: [PHP] ldap strong authentication
On 12 Nov 2002 17:33:35 + BigDog [EMAIL PROTECTED] wrote:

> You have two problems it seems.
>
> 1. Wrong connection security...now you are using ldaps
> 2. Now you have the incorrect rdn.

Oh .. i get it you mean the second error is due to a ldap/nds problem but i got the connection right

> when you tried it with ldap you could not even pass the rdn because the encryption was not sufficient. Now you have the encryption down and now it seems that the rdn is wrong. Try fixing that and see what happens...

ok .. that was the problem i now get an operations error .. but since i am already connected, i hope i can figure it out by myself

thank you !!

karim jafarmadar

> On Wed, 2002-11-13 at 00:30, Karim Jafarmadar wrote:
>> On 12 Nov 2002 17:24:38 + Ray Hunter [EMAIL PROTECTED] wrote:
>>> So you are connecting via ldaps://host in the ldap_connect function right? then when you bind make sure you are using the appropriate rdn for that ldap server.
>>
>> do i have to use another rdn, than when connecting via ldap://? i mean, i give the same parameters to the bind function in both methods (ldap, ldaps), but get those different error messages.
>>
>>> That is probably why u are getting a No such Object error.
>>>
>>> On Wed, 2002-11-13 at 00:19, Karim Jafarmadar wrote:
>>>> thanks for your reply the whole error message is Warning: LDAP: Unable to bind to server: Strong authentication required and when i connect via SSH it's something like that Warning: LDAP: Unable to bind to server: No such Object in ... i am running this thing on a debian box with php4 and openldap-tls installed bye karim jafarmadar
>>>>
>>>> On 12 Nov 2002 17:13:17 + BigDog [EMAIL PROTECTED] wrote:
>>>>> What type of strong authentication does it want? Do you need to connect via ssh or something...
>>>>>
>>>>> On Tue, 2002-11-12 at 22:13, Karim Jafarmadar wrote:
>>>>>> hello I want to connect to a local NDS via LDAP, but when i try to bind i get the error: Unable to bind: Strong authentication required after i search in google and php.net manual i wonder if it is possible do connect with strong authentication any further suggestions would be great tia karim jafarmadar
>>>>>
>>>>> -- .: B i g D o g :.
>>>
>>> -- Thank you, Ray Hunter
>
> -- .: B i g D o g :.
Re: [PHP] ldap strong authentication
Check the documentation on the openldap and see what you need to use for the rdn.. if you are running gnome you might want to test it out with gq. That is what i use to test out my connection and stuff with...

On Wed, 2002-11-13 at 00:44, Karim Jafarmadar wrote:

> [...]

--
.: B i g D o g :.
Re: [PHP] LDAP + Exchange
Yes, what are you looking for...

On Fri, 2002-11-08 at 19:58, Raceeend wrote:

> Hello,
>
> Has anybody tried to connect to Exchange via LDAP? Because i would like some examples of this.
>
> kind regards,
> Martijn

--
.: B i g D o g :.
Re: [PHP] LDAP + Exchange
Well i need to give some users access to user attributes of exchange to change these.

.: B I G D O G :. wrote:

> Yes, what are you looking for...
>
> [...]