LDAP login script is always returning authenticated

joeyh3
Forum Newbie
Posts: 2
Joined: Sat Oct 31, 2009 2:59 pm

LDAP login script is always returning authenticated

Post by joeyh3 »

I am writing a small PHP script for the company I work for, and my boss wants it to authenticate against the domain. I've never worked with domain authentication, so after some searching on Google, I found a few sample codes and came up with what follows.

<?php
// Domain controller address and NetBIOS domain name
$ldap_server = "10.60.254.3";
$ldap_domain = "ACUSD";
// Credentials exactly as submitted by the login form
$username = $_POST['name'];
$password = $_POST['pass'];

$ldapconn = ldap_connect($ldap_server);
// Bind as DOMAIN\username with the supplied password
$ldaprdn = $ldap_domain . "\\" . $username;
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $password);

if ($ldapbind) {
    echo "authenticated to domain controller";
} else {
    echo "failed to authenticate, check your username and password";
}
?>

However, it seems as if it always returns authenticated unless you enter a correct username and incorrect password. If I use an existing username and a blank password, it authenticates. If I use a made up (non-existing) username, it will return as authenticated. Even if I leave the username field completely blank, then it still returns as authenticated.

I tried this on two separate domains (both hosted on a Windows 2003 server), but neither of them worked. Does anyone know what I am doing wrong?

Also, is it possible to only look in one OU in the domain? We want users in accounts\staff to log in, but not users in accounts\students.
julzk
Forum Newbie
Posts: 23
Joined: Fri Oct 30, 2009 4:42 am

Re: LDAP login script is always returning authenticated

Post by julzk »

I've always used this: http://adldap.sourceforge.net/
The adLDAP script is easy to set up and very configurable.
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: LDAP login script is always returning authenticated

Post by pickle »

ldap_bind() doesn't bind recursively, so if you only want users in one OU to authenticate, bind only to that one OU.

I've never used ldap with Active Directory (AD), just Novell Directory Services (NDS) - so your rdn syntax is a little different. However, as far as I can tell, everything is running like it should. Is it possible AD is allowing anonymous binding?

Go one step further & try to retrieve information from AD about the user you're supposedly bound as. If you can retrieve user information without providing a valid password, I'd suggest AD isn't set up properly. If you can't retrieve anything ever, then maybe AD is still set up incorrectly & is reporting a successful bind when in fact there wasn't one.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
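The checks pickle suggests (confirm the bind with a search, and limit logins to one OU) put together as an added example; this is not code from the thread or from adLDAP. It also guards against the most common cause of the symptom joeyh3 describes: ldap_bind() with an empty password performs an "unauthenticated" bind (RFC 4513, section 5.1.2), which Active Directory accepts by default and reports as success, so a script that forwards an empty form field straight into ldap_bind() treats anyone as logged in. The server name, domain name and base DN below are placeholders; the function assumes PHP 7 or later (for ldap_escape() and the type declarations) and a domain controller that supports STARTTLS.

```php
<?php
// Added example, not the original poster's script. Server, domain and OU
// values are placeholders; adjust them to your own directory.

function ldap_login(string $server, string $netbiosDomain, string $baseDn,
                    string $username, string $password): bool
{
    // 1. Never hand empty credentials to ldap_bind(): an empty password turns
    //    the request into an unauthenticated bind, which AD reports as success.
    if ($username === '' || $password === '') {
        return false;
    }
    // Restrict the login name to what a sAMAccountName may contain, so forms
    // such as "otherdomain\user" or "user@other" cannot redirect the bind.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
        return false;
    }

    $conn = ldap_connect($server);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD returns referrals on searches
    // Encrypt the session so the user's password is not sent in clear text.
    if (!@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }

    // 2. Simple bind with the user's own credentials (DOMAIN\user form).
    if (!@ldap_bind($conn, $netbiosDomain . '\\' . $username, $password)) {
        ldap_unbind($conn);
        return false;
    }

    // 3. Prove the bind was a real one and that the account lives under the
    //    permitted OU: search that OU (and only that subtree) for the account.
    //    An anonymous or unauthenticated bind cannot normally read user objects,
    //    and an account in a sibling OU (e.g. accounts\students) is not found.
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result = @ldap_search($conn, $baseDn, $filter, ['dn']);
    $found  = ($result !== false) && (ldap_count_entries($conn, $result) === 1);
    ldap_unbind($conn);
    return $found;
}

// Usage from the login form; placeholder host and base DN.
$ok = ldap_login(
    'dc1.acusd.example',                              // placeholder DC hostname
    'ACUSD',
    'OU=staff,OU=accounts,DC=acusd,DC=example',       // placeholder base DN
    $_POST['name'] ?? '',
    $_POST['pass'] ?? ''
);
echo $ok ? 'authenticated to domain controller'
         : 'failed to authenticate, check your username and password';
?>
```

The search base is the staff OU itself, so a successful bind by a student account still fails step 3 because the object is not under that subtree. If your directory does not allow users to read their own object, replace the search with a bind-then-reject check that a bind with the same username and an empty password is refused; the empty-credential test in step 1 is what matters most.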
joeyh3
Forum Newbie
Posts: 2
Joined: Sat Oct 31, 2009 2:59 pm

Re: LDAP login script is always returning authenticated

Post by joeyh3 »

Honestly, I didn't even think of trying to pull data from AD to see if it's allowed, that probably would help in the diagnosis. I'm gonna test that out tomorrow and see what happens. Thanks.