PHP and LDAP

I'm taking a break from my usual posting routine and topics because I'm currently working on my bachelor's degree, but the fact that I spent what seems to me an unreasonable amount of time trying to do a routine setup for a directory server kind of made me want to post this.

Basically, user management on a website is a subject of great debate nowadays. I don't really want to get into it because it's something I'm currently studying; suffice it to say that if you can avoid having to keep and manage user credentials in your database, then by all means do it.

Normally I'd suggest OAuth because of its popularity, but because of the nature of my project (shhh, top secret) I went for a directory server instead, namely the Apache Directory Server.

Setting up the server itself wasn't much of a problem: I just downloaded the Apache Directory Studio and clicked my way through the entire process. If you need a tutorial and can't seem to find a decent one, you can look here. My advice here is: don't dive right in trying to figure it out on your own by randomly clicking stuff; it will confuse the shit out of you, and it would be a pity to give up because directory servers are awesome. Try to find some documentation and spend a few hours figuring out the basics.

So let's say we're finished: the server is up and running, telnet localhost <server_port> works and gives you a protocol error when you try to type something, etc., and now you have to use PHP to get data out of it. This is where it gets awkward.

The first thing you have to know is that, from what I can gather, the PHP LDAP module gets its error messages from the server (list here); for any other error it will happily spit out "Cannot connect to server" and be done with it. For instance, I had a malformed search filter and that's the error I got, even though ldap_connect and ldap_bind both returned success.

Now, the first thing you have to know about the LDAP module is that you can't really trust ldap_connect. It always returned "Success" even when the port was wrong (it only initialises the connection parameters; nothing is actually sent to the server until you bind). So, just so you know, the proper way to use that function is this:

$connection = ldap_connect(LDAP_HOST, LDAP_PORT);

//example:

$connection = ldap_connect("localhost", 389);

When you're finished with that one, you have to use bind before you can get anything from the connection. This is the tricky part. If you get a "Cannot connect to server" here, then there was something wrong with ldap_connect. Try to telnet to the server to see if it works and double-check the ldap_connect parameters. If you get a "Protocol Error", do not panic: it means the request reached the server, but your library uses a different protocol version (most likely 2, the library default). You can solve this like so:

ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);

//optionally, also use the following call so the client does not follow referrals

//to other LDAP servers when the answer points elsewhere

ldap_set_option($connection, LDAP_OPT_REFERRALS, 0);

And then the bind:

$result = ldap_bind($connection, LDAP_RDN, LDAP_RDN_PASS);

If you don’t know what RDN means, then you are a naughty reader, head on over here.

And when that is done you can finally use ldap_search to get some data out of that server. Keep in mind that it won't work unless you specify a filter: an empty filter will make it spit out a "Search: Cannot connect to server" error. Other than that, you should be fine now.
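The whole sequence above (connect, set options, bind, search) put together as one function, with the error checks the post describes. This is an added example, not code from the original post: the URI, base DN and bind credentials are placeholder assumptions (ApacheDS listens on 10389 by default, the post's own example uses 389).

```php
<?php
// Added example; placeholders, adjust for your server.
const LDAP_URI     = 'ldap://localhost:10389';      // assumed ApacheDS default port
const LDAP_BASE_DN = 'ou=users,dc=example,dc=com';  // assumed
const LDAP_BIND_DN = 'uid=admin,ou=system';         // assumed
const LDAP_BIND_PW = 'secret';                      // assumed

function ldapFindByUid(string $uid): array
{
    // ldap_connect() only initialises a handle; nothing hits the wire yet,
    // which is why a wrong port still "succeeds" here.
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('ldap_connect: malformed URI');
    }
    // The library defaults to LDAPv2, which gives "Protocol error" on bind.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Do not follow referrals to other servers.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // An empty password turns ldap_bind() into an anonymous bind that
    // returns true, so refuse it rather than treat it as a successful login.
    if (LDAP_BIND_PW === '') {
        throw new RuntimeException('refusing anonymous bind');
    }
    if (!@ldap_bind($conn, LDAP_BIND_DN, LDAP_BIND_PW)) {
        // ldap_errno()/ldap_error() carry the server's reason (e.g. 49 invalid
        // credentials, 2 protocol error) instead of the generic connect message.
        throw new RuntimeException(sprintf('ldap_bind: %d %s', ldap_errno($conn), ldap_error($conn)));
    }

    // ldap_search() needs a non-empty filter. Escape any user-supplied value
    // first: a stray ')' or '*' would otherwise change the filter's meaning.
    $filter = sprintf('(&(objectClass=inetOrgPerson)(uid=%s))',
                      ldap_escape($uid, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($conn, LDAP_BASE_DN, $filter, ['uid', 'cn', 'mail']);
    if ($res === false) {
        throw new RuntimeException('ldap_search: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $res);
    ldap_unbind($conn);
    return $entries;
}

$entries = ldapFindByUid('jdoe');   // constructed sample uid
printf("%d entries found\n", $entries['count']);
```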

And that would be the end of the adventure. I'll most likely update this post with weird behaviour and what may cause generic errors to be thrown at runtime, but until then, cheers.
