02 Nov 2006

Using PHP to connect to an Active Directory

I am looking into authenticating users on Solaris 9 via Active Directory (AD) as an LDAP server. To chop the problem into smaller problems I started to try and connect to the LDAP interface of the AD from a platform which I know. I’m no Solaris expert

So I installed Ubuntu edgy (server install from alternative CD) and a evaluation Windows 2003 R2 server in the free VMware Server product. Then I install an Active Directory (and a DNS server) on the Windows Server. The I tried to connect to the AD with PHP scripts to test how it worked. I found a good article on www.developer.com about PHP LDAP connections to AD. I also found an article about various handy LDAP search filters for Active Directory.

First create a normal Windows user in the AD which you use to connect to the AD with. You don’t need to add this user to any special groups to allow it to connect to the AD. Just a plain normal user. You might wanna disable password expiration if you are gonna use it in a production environment

The I made a php script on my Ubuntu server somewhat like the following:

#!/usr/bin/php

Trouble shooting

49: Invalid credentials

Remember when you tell PHP script which user you want to connect with, also supply the realm in which the user resides. In my test setup I used my own user je (Jacob Emcken), and my realm testdomain.com which means I’m connecting with to LDAP with the following user:

je@testdomain.com

1: Operations error

This error can come from to things:

1. You have used DN instead of DC in you distinct name:

   DN=testdomain,DN=com (didn't work for me)
   

   This worked for me:

   DC=testdomain,DC=com
   

2. You get this if you are trying to search the root of the tree and you haven’t set the following:

   ldap_set_option($ldap_connect_resource, LDAP_OPT_REFERRALS, 0);