Home » Php » PHP ldap – Strong(er) authentication required

PHP ldap – Strong(er) authentication required

Posted by: admin July 12, 2020 Leave a comment

Questions:

I have a PHP script which does a LDAP connect, bind and search. It is working very well with most of the Active Directory servers, however one of our clients has a problem. The script returns

Strong(er) authentication required.

error when trying ldap_bind.

All the searches I made directed me to two possible problems:

  1. I have to set LDAP_OPT_PROTOCOL_VERSION to 3 – which I do and did before, so this can not be my problem.
  2. The AD server is configured to use SSL authentication – but our client insists that it is a default Windows 2008 R2 server installation, and that does not default to SSL for sure.

What other causes could be for this error to happen?

UPDATE

It was SSL required on Active Directory server …

How to&Answers:

You have to use ldaps:// if it’s required by the Active Directory server. If it’s a problem with invalid certificate authority, you can ignore the validity in windows by issuing

putenv('LDAPTLS_REQCERT=never');

in your php code. In *nix you need to edit your /etc/ldap.conf to contain

TLS_REQCERT never

For other common problems, you can refer to my post at PHP cannot connect to LDAP Oracle Directory Server Enterprise Edition

For working example code, you can have a look at: Problems with secure bind to Active Directory using PHP

Answer:

I had the same problem and it seems that there was a typo in my bind_rdn, so make sure that the credentials are correct.

Answer:

The message “Strong(er) authentication required” appears also if you try to update a LDAP entity using :

  • ldap_modify
  • ldap_mod_replace
  • ldap_modify_batch

Without calling the bind function with the optional parameters :

 string $bind_rdn = NULL [, string $bind_password = NULL 

This code will not work:

$ldap = ldap_connect($ldap_url);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

$bind = ldap_bind($ldap);

$userdata=array();
$userdata['userattribute'][0]='test';

ldap_modify ($ldap, "cn=myuser,dc=example,dc=com", $userdata);

This code works, note the different call to bind function:

$ldap = ldap_connect($ldap_url);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

$bind = ldap_bind($ldap,'cn=admin,dc=example,dc=com','secretpassword');

$userdata=array();
$userdata['userattribute'][0]='test';

ldap_modify ($ldap, "cn=myuser,dc=example,dc=com", $userdata);

Answer:

This answer seems to be full, although short. It covers two options on how to handle the error.