0

I am trying to authenticate an email id and password using PHP LDAP. I just want to authenticate; there is no need to access contacts, mail or calendars. I just need to confirm that he is a valid user. The host name is correct. The port numbers are also correct. Please help. Please note my scenario:

  1. My mail id is [email protected] and my username is yyyyyy
  2. My mail is hosted and handled by the parent company (mail.parentcompany.com)

    // Three alternatives tried for $username, one at a time, each with the error it produced:
    $username = '[email protected]'; // If I use this line: Unable to bind to server: Strong(er) authentication required
    $username = 'yyyyyy';           // If I use this line: Unable to bind to server: Invalid credentials
    $username = '[email protected]'; // If I use this line: Unable to bind to server: Invalid credentials
    $password = 'mypassword';
    $ldap = ldap_connect("10.1.1.1", 389);
    if ($ldap) {
        $ldapbind = ldap_bind($ldap, $username, $password);
        if ($ldapbind) {
            echo "LDAP bind successful...";
        } else {
            echo "LDAP bind failed...";
        }
    }

  • What's your user's DN on the LDAP server? Without knowing that, you'll have a hard time getting this to work. Commented Dec 22, 2014 at 5:56
  • Sorry @RobbyCornelissen, you are asking about the Domain Component, am I right? Commented Dec 22, 2014 at 6:13
  • Nope. Distinguished name that uniquely identifies user on the LDAP server. Commented Dec 22, 2014 at 6:16

2 Answers

1

Let me get it right, your user enters his email and password, and you want to authenticate him based on this? The username you mentioned as yyyyyyy is your user for LDAP search connectivity? Or user enters yyyyyy as his username?

If your user enters email and password (only), usually to get it to work correctly you need a user that has search privileges on the directory (yyyyyy) that you bind with if you want to look up your end user by email (pay attention that you might get more than one record if multiple accounts with the same email are allowed).

The general idea in this case is to bind with your application user to the directory, do an LDAP query for the DN of the user by his email, and then do additional binding to test the DN you found with the password provided by the user.

You should also check the login structure; sometimes the username should be prefixed with the short domain, like 'mydomain\username', for logging into LDAP.

Since there is no easy way to debug binding problems, I also use Wireshark/TCPDump to monitor the traffic to/from the LDAP server (it is not SSL encrypted in my case) and I see exactly what is sent to and received from the server.


3 Comments

They will just enter yyyyy as the username and their password. I need to validate whether this user's login credentials are correct or not. If they are correct I will return Success.
You should also check the login structure; sometimes the username should be prefixed with the short domain, like 'mydomain\username', for logging into LDAP. Since there is no easy way to debug binding problems, I also use Wireshark/TCPDump to monitor the traffic to/from the LDAP server (it is not SSL encrypted in my case) and I see exactly what is sent to and received from the server.
Regarding the DN comment by @RobbyCornelissen, your DN should look like: CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
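
The search-then-bind flow described in the answer above, as an added PHP example that is not part of the original thread or of any poster's code. The function name and all parameters are assumptions; it goes slightly beyond the answer by rejecting empty passwords, escaping the filter value, requiring StartTLS and refusing ambiguous matches.

```php
<?php
// Added example. Every host, DN, attribute and credential passed in is an
// assumption supplied by the caller, not a value from the question.
function ldap_authenticate(
    string $uri,       // e.g. 'ldap://ldap.example.com:389' (placeholder)
    string $svcDn,     // DN of the application account with search rights
    string $svcPw,
    string $baseDn,    // subtree to search, e.g. 'DC=example,DC=com'
    string $attr,      // fixed config value such as 'mail', never user input
    string $login,
    string $password
): bool {
    // An empty password makes a simple bind "unauthenticated", which some
    // servers report as success, so reject it before contacting the server.
    if ($login === '' || $password === '') {
        return false;
    }
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return false;
    }
    try {
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
        // Encrypt the session before any password crosses port 389.
        if (!@ldap_start_tls($ldap)) {
            return false;
        }
        // Step 1: bind as the application account.
        if (!@ldap_bind($ldap, $svcDn, $svcPw)) {
            return false;
        }
        // Step 2: find the user's DN; escape the input for filter context.
        $filter = sprintf('(%s=%s)', $attr, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
        // '1.1' requests no attributes; size limit 2 is enough to spot duplicates.
        $result = @ldap_search($ldap, $baseDn, $filter, ['1.1'], 0, 2);
        $entries = $result === false ? false : ldap_get_entries($ldap, $result);
        if ($entries === false || $entries['count'] !== 1) {
            return false; // no match, or several accounts share this value
        }
        // Step 3: re-bind as the DN that was found, with the user's password.
        return @ldap_bind($ldap, $entries[0]['dn'], $password);
    } finally {
        ldap_unbind($ldap);
    }
}
```

A false return covers a wrong password, an unknown user and an ambiguous match alike, so the caller can show one generic failure message.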
0

Have a look at https://gist.github.com/heiglandreas/5689592. It's a simple ldap-bind example that shows how to authenticate a user against LDAP with any given attribute. Might help you also.

I'd also advise you to check whether the information you get back actually is what you expect by using a console-tool like 'ldapsearch'.

You can use that also to test the ldap-bind by providing credentials like ldapsearch -h <host> -D <bindDN> -W. The -W will prompt for the password of the user identified by <bindDN>.

2 Comments

Hi @heiglandreas, the gist.github.com/5689592.git link is not working. Can you please update the correct link?
Sorry for the confusion. Just changed the link to the correct one!
