I'm trying to use the IP.Board LDAP Login Handler; however, although the server connects and the query I perform is correct, I'm unable to log in with an LDAP account. It throws the common "unknown username" error. The script connects successfully, because if I use wrong credentials it throws an authentication error in the LDAP settings page; this also happens if I force an "ldap_search(): Search: Bad search filter" or an "ldap_search(): Search: Operations error" by messing with the settings and trying to log in with an account on the Login Page. So the problem, I believe, should be somewhere else...
To test the settings I'm using, I have performed a successful connection with the following code:
<?php
set_time_limit(30);
error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 1);

// config (placeholders, fill in your own values)
$ldapserver = 'server ip';
$ldapuser   = 'username';
$ldappass   = 'password';
$ldaptree   = "OU=The,DC=path,DC=to,DC=users";

// connect
$ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server.");
if ($ldapconn) {
    // LDAPv3 is required for a simple bind against most directories (Active Directory included);
    // disabling referral chasing avoids "Operations error" on AD searches.
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die("Error trying to bind: " . ldap_error($ldapconn));

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...<br /><br />";
        $result = ldap_search($ldapconn, $ldaptree, "(cn=*)") or die("Error in search query: " . ldap_error($ldapconn));
        $data = ldap_get_entries($ldapconn, $result);

        // SHOW ALL DATA (escaped, since directory values are rendered into HTML)
        echo '<h1>Dump all data</h1><pre>';
        echo htmlspecialchars(print_r($data, true));
        echo '</pre>';

        // iterate over array and print data for each entry
        echo '<h1>Show me the users</h1>';
        for ($i = 0; $i < $data["count"]; $i++) {
            //echo "dn is: " . htmlspecialchars($data[$i]["dn"]) . "<br />";
            echo "User: " . htmlspecialchars($data[$i]["cn"][0]) . "<br />";
            if (isset($data[$i]["mail"][0])) {
                echo "Email: " . htmlspecialchars($data[$i]["mail"][0]) . "<br /><br />";
            } else {
                echo "Email: None<br /><br />";
            }
        }

        // print number of entries found
        echo "Number of entries found: " . ldap_count_entries($ldapconn, $result);
    } else {
        echo "LDAP bind failed...";
    }
}

// all done? clean up
ldap_close($ldapconn);
?>
It renders the array completely, showing me the complete list of users belonging to that path, and that should be enough for IPB to validate the information, shouldn't it?
Since the connection is actually successful but it doesn't locate a user, it doesn't generate any log record about it.
I already checked the LDAP username's permissions described in this thread: https://serverfault.com/questions/167371/what-permissions-are-required-for-enumerating-users-groups-in-active-directory/167401 so the user has administrative rights and can also read those elements.
This is quite frustrating. Any advice?
I found the UID field required by IPB was CN in our LDAP setup. After correcting this small thing, I finally managed to perform the sync.
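The answer above points at the actual cause: the question's test script enumerates every entry with "(cn=*)", which proves the bind and the base DN, but a login handler does a lookup on one attribute and then a second bind as the entry it finds. If the "UID field" is set to an attribute the accounts don't carry (uid where the directory only has cn, or vice versa), the lookup returns zero entries and the handler reports "unknown username" even though the service bind worked. The following is an added example of that lookup-then-bind flow written for this page; it is not IP.Board's code. The server URI, service-account DN and password are assumptions, the base DN is the one from the question, and the login attribute is set to cn as the answer found. The username is passed through ldap_escape() before it goes into the filter, so a login such as "*)(objectClass=*" cannot widen the search or match a different account; it needs a reachable directory to run end to end, but the filter builder can be exercised on its own.

```php
<?php
// Added example, not IP.Board's code: service bind, attribute lookup, user bind.
declare(strict_types=1);

// Assumed values (replace with your own); only USER_BASE_DN comes from the question.
const LDAP_URI        = 'ldap://ldap.example.internal';                 // assumption
const BIND_DN         = 'CN=svc-ipb,OU=Service,DC=example,DC=internal'; // assumption
const BIND_PW         = 'service-account-password';                     // assumption
const USER_BASE_DN    = 'OU=The,DC=path,DC=to,DC=users';                // from the question
const LOGIN_ATTRIBUTE = 'cn';   // the field the answer found IPB's "UID" must map to

/**
 * Build the lookup filter. LDAP_ESCAPE_FILTER encodes ( ) * \ and NUL, so the
 * login name is matched literally instead of being interpreted as filter syntax.
 */
function buildLoginFilter(string $attribute, string $login): string
{
    return sprintf('(&(objectClass=person)(%s=%s))',
        $attribute, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
}

/**
 * Return the DN of exactly one matching entry, or null.
 * Zero hits is the "unknown username" case; more than one hit is also
 * rejected rather than silently picking the first entry.
 */
function findUserDn($conn, string $login): ?string
{
    $filter = buildLoginFilter(LOGIN_ATTRIBUTE, $login);
    $result = ldap_search($conn, USER_BASE_DN, $filter, ['dn']);
    if ($result === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($conn));
    }
    if (ldap_count_entries($conn, $result) !== 1) {
        return null;
    }
    $entry = ldap_first_entry($conn, $result);
    $dn = ldap_get_dn($conn, $entry);
    return $dn === false ? null : $dn;
}

/**
 * Authenticate a user: bind as the service account, look the user up, then
 * bind again as the user's own DN with the supplied password.
 * An empty password is refused up front because many directories treat an
 * empty-password bind as an anonymous bind that "succeeds".
 */
function ldapLogin(string $login, string $password): bool
{
    if ($password === '') {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('Could not initialise LDAP connection');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // needed against Active Directory
    try {
        if (!@ldap_bind($conn, BIND_DN, BIND_PW)) {
            throw new RuntimeException('Service bind failed: ' . ldap_error($conn));
        }
        $dn = findUserDn($conn, $login);
        if ($dn === null) {
            return false;   // unknown username (or ambiguous match)
        }
        // Second bind with the user's DN is what actually verifies the password.
        return @ldap_bind($conn, $dn, $password);
    } finally {
        ldap_unbind($conn);
    }
}

// Usage: the filter builder runs offline; the login needs the assumed directory.
var_dump(buildLoginFilter('cn', 'jdoe'));              // (&(objectClass=person)(cn=jdoe))
var_dump(buildLoginFilter('cn', '*)(objectClass=*'));  // metacharacters hex-escaped
// var_dump(ldapLogin('jdoe', 'secret'));
```

Switching LOGIN_ATTRIBUTE to uid or sAMAccountName is the one-line change that the IPB setting controls; if the attribute doesn't exist on the entries under USER_BASE_DN, findUserDn() returns null and you get exactly the "unknown username" symptom from the question, with no bind error to point you at it.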