LDAP login script is always returning authenticated

Posted: Sat Oct 31, 2009 3:10 pm
by joeyh3
I am writing a small PHP script for the company I work for, and my boss wants it to authenticate against the domain. I've never worked with domain authentication, so after some searching on Google, I found a few code samples and came up with what follows.

Code:

<?php
$ldap_server = "10.60.254.3";
$ldap_domain = "ACUSD";
$username = $_POST['name'];
$password = $_POST['pass'];

// Connect to the domain controller and bind as DOMAIN\username
$ldapconn = ldap_connect($ldap_server);
$ldaprdn = $ldap_domain . "\\" . $username;
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $password);

// ldap_bind() returns true on a successful bind, false otherwise
if ($ldapbind) {
    echo "authenticated to domain controller";
} else {
    echo "failed to authenticate, check your username and password";
}
?>
However, it seems as if it always returns authenticated unless you enter a correct username and incorrect password. If I use an existing username and a blank password, it authenticates. If I use a made up (non-existing) username, it will return as authenticated. Even if I leave the username field completely blank, then it still returns as authenticated.

I tried this on two separate domains (both hosted on a Windows 2003 server), but neither of them worked. Does anyone know what I am doing wrong?

Also, is it possible to only look in one OU in the domain? We want users in accounts\staff to log in, but not users in accounts\students.

Re: LDAP login script is always returning authenticated

Posted: Sat Oct 31, 2009 4:06 pm
by julzk
I've always used this:
http://adldap.sourceforge.net/
adLDAP script, it's easy to setup and very configurable.

Re: LDAP login script is always returning authenticated

Posted: Mon Nov 02, 2009 11:01 am
by pickle
ldap_bind() doesn't bind recursively, so if you only want users in one OU to authenticate, bind only to that one OU.

I've never used ldap with Active Directory (AD), just Novell Directory Services (NDS) - so your rdn syntax is a little different. However, as far as I can tell, everything is running like it should. Is it possible AD is allowing anonymous binding?

Go one step further & try to retrieve information from AD about the user you're supposedly bound as. If you can retrieve user information without providing a valid password, I'd suggest AD isn't set up properly. If you can't retrieve anything ever, then maybe AD is still set up incorrectly & is reporting a successful bind when in fact there wasn't one.
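The symptoms in the opening post (blank password accepted, made-up username accepted, blank username accepted) match what an LDAP simple bind does with an empty password: the directory treats it as an anonymous or unauthenticated bind and reports success, so the script must refuse empty credentials before it ever calls ldap_bind(). The OU question is answered by a second step after the bind, which is also the check pickle suggests: look the bound user up in the directory, but only under the permitted OU, and deny the login if the account is not found there. The script below is an added example written for this thread, not the original poster's code or the adLDAP library. The server name, NetBIOS domain and the staff OU base DN are assumed placeholders to replace with your own; ldap_escape() and LDAP_ESCAPE_FILTER exist from PHP 5.6 onwards, and ldap_start_tls() needs a domain controller with a certificate.

```php
<?php
// Added example (not the original poster's code). The three values below are
// assumptions: substitute your own domain controller, domain and OU.
$ldap_server   = "ldap://dc.example.local";                    // assumed hostname
$ldap_domain   = "EXAMPLE";                                     // assumed NetBIOS domain name
$staff_base_dn = "OU=staff,OU=accounts,DC=example,DC=local";    // assumed OU allowed to log in

function ldap_login_restricted($server, $domain, $base_dn, $username, $password)
{
    // A simple bind with an empty password is an anonymous/unauthenticated bind
    // and the directory answers "success". Refuse it before binding at all.
    if ($username === '' || $password === '') {
        return false;
    }
    // sAMAccountName is letters, digits and a little punctuation. Refusing
    // anything else (backslash, '@', spaces) keeps the bind name from being reshaped.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
        return false;
    }

    $conn = ldap_connect($server);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Encrypt the session so the password does not cross the network in clear.
    if (!@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }

    // Bind as DOMAIN\username with the user's own password.
    if (!@ldap_bind($conn, $domain . "\\" . $username, $password)) {
        ldap_unbind($conn);
        return false;
    }

    // A successful bind proves the password but says nothing about where the
    // account lives. Search only beneath the permitted OU for this account;
    // a student account in another OU binds fine but is not found here.
    $filter = "(&(objectClass=user)(sAMAccountName="
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . "))";
    $result  = @ldap_search($conn, $base_dn, $filter, array('dn'));
    $allowed = false;
    if ($result !== false) {
        $entries = ldap_get_entries($conn, $result);
        $allowed = ($entries !== false && $entries['count'] === 1);
    }
    ldap_unbind($conn);
    return $allowed;
}

$username = isset($_POST['name']) ? $_POST['name'] : '';
$password = isset($_POST['pass']) ? $_POST['pass'] : '';

if (ldap_login_restricted($ldap_server, $ldap_domain, $staff_base_dn, $username, $password)) {
    echo "authenticated as a staff user";
} else {
    // One message for every failure, so the page does not reveal which check failed.
    echo "login failed";
}
```

The search runs with the user's own credentials, which works on a default Active Directory because authenticated users can read their own account object; if your domain restricts that, bind a dedicated read-only service account for the lookup instead. Keeping the empty-credential check and the OU search in one function means every login path goes through both, and the single failure message avoids telling a caller whether the username or the OU was the problem.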

Re: LDAP login script is always returning authenticated

Posted: Mon Nov 02, 2009 11:10 pm
by joeyh3
Honestly, I didn't even think of trying to pull data from AD to see if it's allowed, that probably would help in the diagnosis. I'm gonna test that out tomorrow and see what happens. Thanks.