
Authenticating user with LDAP from PHP with only SamAccountName and Password?

Posted by: admin July 12, 2020

Question:

How can I authenticate from PHP using LDAP when I only have the SamAccountName and Password? Is there a way to bind with just the SamAccountName and Password, without a Distinguished Name? The only examples I have found assume you have the DN:

$server   = "XXX.XXX.XXX.XXX";
$username = "user015";        // placeholder: the user's sAMAccountName
$password = "secret";         // placeholder: the user's password
$filter   = "(cn=$username)"; // placeholder: search filter for the user
$dn       = "cn=$username, ";
$basedn   = "ou=users, ou=accounts, dc=domain, dc=com";

if (!($connect = ldap_connect($server))) {
    die("Could not connect to LDAP server");
}

// Bind with the full DN built from the CN and the base DN
if (!($bind = ldap_bind($connect, "$dn" . "$basedn", $password))) {
    die("Could not bind to $dn");
}

$sr       = ldap_search($connect, $basedn, "$filter");
$info     = ldap_get_entries($connect, $sr);
$fullname = $info[0]["displayname"][0];
$fqdn     = $info[0]["dn"];
Answers:

This works for me. I spent many a day trying to figure this one out.

<?php

// We just need six variables here
$baseDN    = 'CN=Users,DC=domain,DC=local';
$adminDN   = "YourAdminDN";   // this is the admin distinguishedName
$adminPswd = "YourAdminPass";
$username  = 'Username';      // this is the user sAMAccountName
$userpass  = 'UserPass';
$ldap_conn = ldap_connect('ldaps://yourADdomain.local'); // I'm using LDAPS here

if (!$ldap_conn) {
    die("<p style='color: red;'>Couldn't connect to LDAP service</p>");
} else {
    echo "<p style='color: green;'>Connection to LDAP service successful!</p>";
}

// Active Directory expects LDAP v3, and its referrals break searches unless disabled
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0);

// The first step is to bind the administrator so that we can search user info
$ldapBindAdmin = ldap_bind($ldap_conn, $adminDN, $adminPswd);

if ($ldapBindAdmin) {
    echo "<p style='color: green;'>Admin binding and authentication successful!!!</p>";

    // Escape the username so it cannot change the meaning of the filter (LDAP injection)
    $filter     = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $attributes = array("name", "telephonenumber", "mail", "samaccountname");
    $result     = ldap_search($ldap_conn, $baseDN, $filter, $attributes);

    $entries = ldap_get_entries($ldap_conn, $result);
    if ($entries["count"] !== 1) {
        die("<p style='color: red;'>User not found (or not unique) in LDAP :(</p>");
    }
    // ldap_get_entries() returns the full distinguishedName under "dn";
    // the "name" attribute is only the CN and cannot be used to bind
    $userDN = $entries[0]["dn"];
    echo '<p style="color:green;">I have the user DN: ' . htmlspecialchars($userDN) . '</p>';

    // Okay, we're in! But now we need to bind the user now that we have the user's DN.
    // An empty password would turn this into an anonymous bind, which AD accepts, so reject it.
    $ldapBindUser = ($userpass !== '') && ldap_bind($ldap_conn, $userDN, $userpass);

    if ($ldapBindUser) {
        echo "<p style='color: green;'>User binding and authentication successful!!!</p>";

        ldap_unbind($ldap_conn); // Clean up after ourselves.

    } else {
        echo "<p style='color: red;'>There was a problem binding the user to LDAP :(</p>";
    }

} else {
    echo "<p style='color: red;'>There was a problem binding the admin to LDAP :(</p>";
}
?>

Answer:

Actually, the answer is that it depends on how the LDAP server was configured by the admin. You don’t always need a DN to authenticate to an LDAP server. In my particular case, even with the DN, I still couldn’t authenticate to the LDAP server. For the LDAP server I was trying to connect to, it appears it was a Microsoft domain, so I could only authenticate with DOMAIN\user015 for user015 in DOMAIN, where user015 is a SamAccountName and DOMAIN is the domain for that user. But I was able to authenticate.

Thank you for all the posts! Even if they weren’t the correct answer, they did help a lot!

Answer:

Try [email protected] on dn… It worked for me!

Answer:

You always need a DN to authenticate to an LDAP server. After that, you can perform a filter based on a specific attribute, like SamAccountName, but you need an LDAP user identified by a DN.

Answer:

The LDAP interface to AD requires that you bind using a DN. In order to authenticate a user, you must first find that user’s DN — fortunately, you can find the DN by searching LDAP.

If you configure AD to allow anonymous queries (don’t do this unless you are sure you’re ok with the reduction in security), you can do

ldap_bind($connect, "", "");
// escape the username so it cannot alter the filter
$sr = ldap_search($connect, $base_dn, "(sAMAccountName=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")");

And then retrieve that user’s DN and proceed to rebind with the user’s DN and password.

If you do not enable anonymous bind, then you use an application ID to do the initial search, like so:

// the application account is identified by its DN (CN=..., not DN=...)
ldap_bind($connect, "CN=LDAP_App,OU=Users,DC=Domain,DC=com", "thePassword");
$sr = ldap_search($connect, $base_dn, "(sAMAccountName=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")");

And then, just as above, retrieve that user’s DN and proceed to rebind.
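The service-account search followed by a rebind as the user, as described in the first answer and in the last one, written here as one function that fails closed. This is an added example, not code from either answer; the LDAPS URI, the service-account DN and password, the base DN and the user credentials are constructed placeholders.

```php
<?php
// Added example, not code from the original answers. Everything passed in at
// the bottom is a constructed placeholder: the LDAPS URI, service-account DN
// and password, base DN and the credentials being checked. Needs ext-ldap.
declare(strict_types=1);

function authenticateBySamAccountName(
    string $uri, string $svcDN, string $svcPass, string $baseDN,
    string $sam, string $password
): ?string {
    // An empty password turns the user bind into an anonymous (unauthenticated)
    // bind, which Active Directory accepts by default, so refuse it up front.
    if ($sam === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD referrals break searches

    // Step 1: bind as the read-only service account so we can look the user up.
    if (!@ldap_bind($conn, $svcDN, $svcPass)) {
        ldap_unbind($conn);
        return null;
    }
    // Escape the caller-supplied value so it cannot alter the filter (LDAP injection).
    $filter = '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($conn, $baseDN, $filter, ['sAMAccountName']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if ($entries === false || $entries['count'] !== 1) { // none or ambiguous: fail closed
        ldap_unbind($conn);
        return null;
    }
    $userDN = $entries[0]['dn']; // the real distinguishedName, not the "name" attribute

    // Step 2: prove the password by binding as the user's own DN.
    $ok = @ldap_bind($conn, $userDN, $password);
    ldap_unbind($conn);
    return $ok ? $userDN : null;
}

// Constructed usage; replace every value for a real directory.
$dn = authenticateBySamAccountName(
    'ldaps://dc01.example.local', 'CN=LDAP_App,OU=Users,DC=example,DC=local',
    'svc-password', 'DC=example,DC=local', 'user015', 'the-users-password'
);
echo $dn === null ? "authentication failed\n" : "authenticated as $dn\n";
```

On a Microsoft domain the second bind can also take the DOMAIN\user015 or UPN forms mentioned in the other answers, but the DN returned by the search works regardless of how the domain is configured.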