adLDAP
adLDAP is a PHP class that provides LDAP authentication and integration with Active Directory.
How can I display all users under all OUs in Active Directory using adLDAP? I am using adLDAP for PHP.
Source: (StackOverflow)
I'm new to LDAP concepts and also just starting with adLDAP for PHP. Everything is OK up to authentication.
Then how can I get the "Group Membership" (the name of the group the member belongs to) of a user after they have logged in, knowing "only" the username and password?
Source: (StackOverflow)
I've set up a system to display everyone's name, email address and phone number from Active Directory; however, I can't get the 'thumbnailPhoto' to work.
I have searched around on the internet but haven't been able to find if this is possible or at the very least what format is returned from Active Directory.
I am currently using the adldap class so if it is possible to use this that would be ideal.
Thanks in advance.
Edit:
I can retrieve the data in the thumbnailPhoto attribute and if I dump them straight to the browser I get something like this:
ÿØÿàJFIFððÿá
PExifII*bh~†(2Ži‡¢XCanonCanon EOS 5D Mark
IIIðð2013:05:19 17:35:31š‚à‚è"ˆ'ˆ 0230ð’
’ ’ (’0’8’ ’ ’@‘’11’’11 0100
ÿÿ¢H¢P¢¤¤¤¤ 2013:04:17
11:44:522013:04:17 11:44:52H¹o@B¬ †
è»dnäWµ˜:̦®(¶’
HHÿØÿàJFIFÿÛC $.'
",#(7),01444'9=82<.342ÿÛC
2!!22222222222222222222222222222222222222222222222222ÿÀ–d"ÿÄ
ÿĵ}!1AQa"q2‘¡#B±ÁRÑð$3br‚
%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ„…†‡ˆ‰Š’“”•–—˜™š¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖרÙÚáâãäåæçèéêñòóôõö÷øùúÿÄ
ÿĵw!1AQaq"2B‘¡±Á #3RðbrÑ $4á%ñ&'()
That isn't all of it, but it is a very long string; I am presuming it is some sort of binary string?
Source: (StackOverflow)
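The dump above begins with the bytes FF D8 FF E0 (shown as ÿØÿà) followed by the markers JFIF and Exif, which is the start of an ordinary JPEG file: Active Directory stores thumbnailPhoto as an octet string, not text, so printing it into an HTML page produces exactly this kind of output. The following Python block is an added example, not code from the question or from adLDAP; it recognises the image format from the leading bytes and packages the bytes as a data: URI for an <img> tag, refusing values that do not look like an image. The sample byte strings are constructed; in PHP the same idea is base64_encode() on the value adLDAP returns.

```python
import base64

# Leading bytes ("magic numbers") of the formats usually found in thumbnailPhoto.
# The JPEG entry is what the question's dump shows: FF D8 FF followed by "JFIF".
IMAGE_SIGNATURES = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"BM", "image/bmp"),
)


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the first bytes, or None if unrecognised."""
    for magic, mime in IMAGE_SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def thumbnail_to_data_uri(data: bytes):
    """Wrap raw thumbnailPhoto bytes as a data: URI usable in an <img src="...">.

    Returns None when the bytes are not a recognised image, so that unexpected
    directory content is never written into the page as if it were a picture.
    """
    mime = sniff_image_type(data)
    if mime is None:
        return None
    return "data:%s;base64,%s" % (mime, base64.b64encode(data).decode("ascii"))


# Constructed sample: a JFIF header, some filler, and the JPEG end-of-image marker.
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 16
    + b"\xff\xd9"
)
# Constructed sample of an attribute value that is not an image at all.
SAMPLE_NOT_IMAGE = b"not an image at all"

if __name__ == "__main__":
    print(sniff_image_type(SAMPLE_JPEG))            # image/jpeg
    print(thumbnail_to_data_uri(SAMPLE_JPEG)[:48])  # data:image/jpeg;base64,/9j/...
    print(thumbnail_to_data_uri(SAMPLE_NOT_IMAGE))  # None
```

Serving the bytes from a separate URL with a Content-Type: image/jpeg header works equally well; the point is that the value is delivered as an image body, never as page text.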
I am currently trying to change passwords in our Active Directory environment via LDAP on Linux, since the users in question do not have access to a Windows machine and we want to keep it that way.
In order to change the password I am currently stuck figuring out how to use ldapmodify to do so. After a lot of reading on different sites/forums/newsgroups I am much more confused than before.
However:
I try the following command to do so:
ldapmodify -f ldif.example -H ldaps://lab01-dc01.example.com -D 'CN=test,CN=users,DC=lab01,DC=example,DC=com' -x -W
The contents of the ldif.example:
dn: CN=test,CN=Users,DC=lab01,DC=example,DC=com
changetype: modify
delete: unicodePwd
unicodePwd:: V3VQdXV1STEyLg==
-
add: unicodePwd
unicodePwd:: QmxhVVVraTEyLg==
-
(Don't worry - those passwords are not used anywhere and it is not a production environment.)
Now - every time I execute the command I get the following error:
modifying entry "CN=test,CN=Users,DC=lab01,DC=example,DC=com"
ldapmodify: Constraint violation (19)
additional info: 0000216C: AtrErr: DSID-03190EB0, #1:
0: 0000216C: DSID-03190EB0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
Now, from what I read, the reason for this error is either that the password is badly formatted or that the password policy doesn't allow the password I used. I checked the policy - multiple times now - and the new password definitely complies with the policy by all the criteria. If I set the password using a Windows machine it also works fine (of course I changed the "oldpassword" and "newpassword" afterwards, since the policy does not allow me to change back to an earlier password). The password I enter after passing the "-W" option to ldapmodify is also definitely right; otherwise the error spat out by ldapmodify would be that I used invalid credentials instead of a constraint violation.
So - the sole reason I can think of is indeed a badly formatted password - but I can't figure out where the bad formatting should come from, since I use the normal base64 algorithm to encode the password.
Has anyone an idea what is going on?
Can anyone push me in the right direction?
Help is very appreciated and I thank you in advance.
Edit:
Something which bugs me:
When I run the base64-encoded strings through base64 it keeps telling me "Invalid Input". Now - I went ahead and just re-encoded the passwords using base64 on the Linux machine - but when I run the generated string through the decode function again, base64 keeps telling me "Invalid Input"... The strings did change slightly between the Windows-encoded string and the Linux-encoded string. But base64 just says "Invalid input" no matter what I put in there.
Edit2:
Never mind - reading the purpose of the function, I gather that it throws this error because of the dots and the exclamation mark in the password.
Source: (StackOverflow)
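Active Directory's documented format for unicodePwd is the password enclosed in double quotes and encoded as UTF-16LE; the base64 in the LDIF is only the transport encoding that the `::` syntax requires on top of that, so base64 of the plain ASCII password does not satisfy the attribute's constraint. The Python helper below is an added example, not code from the question or from ldapmodify: it produces correctly encoded unicodePwd values, emits the same delete/add modify that the question uses, and checks whether an existing base64 value has the quoted UTF-16LE shape. The two constants are the values copied from the question's LDIF, the DN is the question's, and the passwords in the demonstration are placeholders.

```python
import base64


def encode_unicode_pwd(password: str) -> str:
    """Base64 value for an LDIF 'unicodePwd::' line.

    The directory expects the password wrapped in double quotes and encoded as
    UTF-16LE; base64 is applied afterwards purely for the LDIF file format.
    """
    quoted = '"%s"' % password
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(value: str) -> str:
    """Reverse of encode_unicode_pwd; raises on malformed base64 or UTF-16."""
    raw = base64.b64decode(value, validate=True)
    return raw.decode("utf-16-le")


def check_unicode_pwd_b64(value: str) -> bool:
    """True when a base64 value decodes to a double-quoted UTF-16LE string."""
    try:
        text = decode_unicode_pwd(value)
    except (ValueError, UnicodeDecodeError):
        return False
    return len(text) >= 2 and text[0] == '"' and text[-1] == '"'


def build_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """LDIF for a self-service change: delete the old value, add the new one,
    both in a single modify operation (the shape used in the question)."""
    lines = [
        "dn: %s" % dn,
        "changetype: modify",
        "delete: unicodePwd",
        "unicodePwd:: %s" % encode_unicode_pwd(old_password),
        "-",
        "add: unicodePwd",
        "unicodePwd:: %s" % encode_unicode_pwd(new_password),
        "-",
    ]
    return "\n".join(lines) + "\n"


# Values copied from the question's LDIF: base64 of the ASCII password only.
QUESTION_OLD = "V3VQdXV1STEyLg=="
QUESTION_NEW = "QmxhVVVraTEyLg=="

if __name__ == "__main__":
    # Both of the question's values fail the shape check.
    print(check_unicode_pwd_b64(QUESTION_OLD), check_unicode_pwd_b64(QUESTION_NEW))
    # Placeholder passwords; real values come from the user at run time.
    print(build_change_ldif("CN=test,CN=Users,DC=lab01,DC=example,DC=com",
                            "old-password-placeholder", "new-password-placeholder"))
```

The generated file is used exactly as in the question (ldapmodify over ldaps:// with -x -W); the directory only accepts unicodePwd writes on a TLS-protected connection, which the question already has.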
Hey stack! I just installed an AD LDS instance on my development machine. The config is the following:
<membership defaultProvider="ActiveDirectoryProvider">
    <providers>
        <add name="ActiveDirectoryProvider"
             connectionStringName="ActiveDirectoryConnection"
             connectionUsername="CN=adldsadmin,CN=Users,CN=TestNet,DC=contoso,DC=com"
             connectionPassword="123456"
             type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b03f5f7f11d50a3a"
             connectionProtection="None"
             enableSearchMethods="true"
             applicationName="App1" />
    </providers>
</membership>
However, I get the following exception:
The specified directory service attribute or value does not exist.
The adldsadmin user is in all of the groups. What am I doing wrong?
Thanks!
Source: (StackOverflow)
The file I'm viewing is called examples.php and contains the following code:
include (dirname(__FILE__) . "/adLDAP.php");
try {
$adldap = new adLDAP();
}
The error that displays reads:
Fatal error: Class 'adLDAP' not found in /var/www/examples.php on line 14
Line 14 is:
$adldap = new adLDAP();
adLDAP.php is in the same folder as examples.php and contains the adLDAP class.
Have I messed up my include statement? I get "no such file or directory" with the other formats I have tried. Feels like I'm missing something obvious.
adLDAP.php instantiates the adLDAP class early on:
<?php
namespace adLDAP;
require_once(dirname(__FILE__) . '/collections/adLDAPCollection.php');
require_once(dirname(__FILE__) . '/classes/adLDAPGroups.php');
require_once(dirname(__FILE__) . '/classes/adLDAPUsers.php');
require_once(dirname(__FILE__) . '/classes/adLDAPFolders.php');
require_once(dirname(__FILE__) . '/classes/adLDAPUtils.php');
require_once(dirname(__FILE__) . '/classes/adLDAPContacts.php');
require_once(dirname(__FILE__) . '/classes/adLDAPExchange.php');
require_once(dirname(__FILE__) . '/classes/adLDAPComputers.php');
class adLDAP {
etc.
Source: (StackOverflow)
I have a strange problem on a production server running Debian squeeze with Apache 2.2.16 and PHP 5.3.3-7 and Suhosin. On my development machine, Windows 7 64bit running XAMPP, I don't have the same problem.
The problem is: I am using the adLDAP PHP API to access a Windows Active Directory Domain Controller, and on the production box, there is a 5 second delay sometimes calling ldap_bind(). I don't get this on the development box - and they are accessing the same LDAP server with the same details and credentials.
ldap_connect() executes fine, but it's ldap_bind() that is giving me the error. I have confirmed this through logging with CodeIgniter.
Can anyone point me in the right direction?
Source: (StackOverflow)
I am running an Apache (XAMPP 1.7.3) server on my local Windows 7 PC. This PC is connected to a LAN and an Active Directory domain called "colours". My local username is CHRISTOPHER-PC/Christopher, and the domain username is COLOURS/Christopher.
For the admin connection to the AD server, I use a PHP script called adLDAP. By default, this script (examples/authenticate.php) gives the user two input fields for login. This works fine.
But I want my users to be signed in automatically if they are logged in to their AD account. For this I'm trying to use the mod_auth_sspi module. But I'm having some problems... :\
My httpd.conf looks like this:
<Directory "C:/xampp/htdocs">
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
    AuthName "A Protected Place"
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIDomain colours
    SSPIOfferBasic On
    SSPIBasicPreferred On
    require valid-user
</Directory>
When I go to http://localhost/ or http://my-ip-address/ (from another computer) a dialogue box pops up and asks for the domain username and password. I know that this is caused by "require valid-user", but if I remove it the user is not logged in automatically.
Source: (StackOverflow)
I am trying to see if a user is disabled or not (using PHP and adLDAP). I can authenticate a user. The example I am using is this:
$user = 'jdoe';
$user_info = $adldap->user_info($user, array("useraccountcontrol"));
$enabled = (($user_info[0]['useraccountcontrol'][0] & 2) == 0);
The issue is that I always get 1 even for non-existing accounts. The example is taken from here: adLDAP examples
I am connecting to LDAP as normal user. I do not have admin rights.
Source: (StackOverflow)
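The one-line check above reports "enabled" for an account that does not exist because user_info() then returns nothing at that index, PHP evaluates null & 2 as 0, and 0 == 0 holds; it also cannot tell "disabled" apart from "attribute not readable with this bind". The Python block below is an added example, not code from adLDAP or from the question: it models the ldap_get_entries()-style structure that user_info() returns (a list whose first element maps lower-cased attribute names to value lists), reproduces the page's naive test to show the failure, and beside it decodes userAccountControl so that a missing entry or attribute is reported as unknown rather than enabled. The sample entries are constructed; the bit values are the documented userAccountControl flags.

```python
# Documented userAccountControl bit flags (subset relevant to enable/disable checks).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def naive_enabled(user_info):
    """Python rendering of the page's one-liner.

    PHP silently treats the missing value as null, and null & 2 is 0, so the
    comparison with 0 succeeds; the except branch mirrors that behaviour.
    """
    try:
        uac = int(user_info[0]["useraccountcontrol"][0])
    except (TypeError, KeyError, IndexError, ValueError):
        uac = 0
    return (uac & 0x0002) == 0


def account_status(user_info):
    """Distinguish 'not found', 'attribute unreadable', 'enabled' and 'disabled'.

    user_info is False/None when the search found nothing (what adLDAP's
    user_info() yields in that case), otherwise the entries structure.
    """
    if not user_info:
        return {"exists": False, "enabled": None, "flags": []}
    entry = user_info[0]
    values = entry.get("useraccountcontrol") or []
    if not values:
        # The bind (a normal user in the question) may not be allowed to read
        # the attribute; report unknown instead of claiming the account is enabled.
        return {"exists": True, "enabled": None, "flags": []}
    uac = int(values[0])
    flags = [name for bit, name in UAC_FLAGS.items() if uac & bit]
    return {"exists": True, "enabled": not (uac & 0x0002), "flags": flags}


# Constructed samples in the shape user_info() returns.
ENABLED_USER = [{"useraccountcontrol": ["512"]}]        # NORMAL_ACCOUNT
DISABLED_USER = [{"useraccountcontrol": ["514"]}]       # NORMAL_ACCOUNT | ACCOUNTDISABLE
DISABLED_NO_EXPIRE = [{"useraccountcontrol": ["66050"]}]  # 514 | DONT_EXPIRE_PASSWORD
MISSING_USER = False                                    # nothing found
NO_ATTRIBUTE = [{"cn": ["jdoe"]}]                       # found, attribute not returned

if __name__ == "__main__":
    for label, info in [("enabled", ENABLED_USER), ("disabled", DISABLED_USER),
                        ("missing", MISSING_USER), ("no attribute", NO_ATTRIBUTE)]:
        print(label, "naive:", naive_enabled(info), "decoded:", account_status(info))
```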
The LDAP user names need to be displayed in the input box as an autocomplete feature. I am trying to get the list of users as below:
String ldapURL = "ldap://192.26.75.5:389/dc=northamerica,dc=company,dc=com";
String principalPrefix = "domainName";
String username = SecurityContextHolder.getContext().getAuthentication().getName();
String password = SecurityContextHolder.getContext().getAuthentication().getCredentials().toString();
Hashtable<String, String> environment = new Hashtable<String, String>();
environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
environment.put(Context.PROVIDER_URL, ldapURL);
environment.put(Context.SECURITY_AUTHENTICATION, "simple");
environment.put(Context.SECURITY_PRINCIPAL, principalPrefix + "\\" + username);
environment.put(Context.SECURITY_CREDENTIALS, password);
environment.put(Context.REFERRAL, "follow");
DirContext context = null;
NamingEnumeration<SearchResult> enumResult = null;
try {
    context = new InitialDirContext(environment);
    SearchControls controls = new SearchControls();
    controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    String[] attrIDs = {"ou", "uid", "givenname", "sn", "mail"};
    controls.setReturningAttributes(attrIDs);
    enumResult = context.search("", "(&(objectCategory=person)(objectClass=user)(CN=*))", controls);
    if (enumResult != null) {
        // authentication successful
    }
} catch (Exception e) {
    System.out.println(e.getMessage());
}
However, "enumResult" always contains a single user. Let me know if I am missing something or if this is the wrong way to do it.
Any help/advice/suggestion would be appreciated!! Thanks.
Source: (StackOverflow)
I've written code for Active Directory LDAP user authentication. It authenticates all user accounts in AD, but I want only the Administrator account to be authenticated, not other user accounts (see the code below). I also want to find the domain name of the connecting DNS (refer to the attached image).
try
{
    DirectoryEntry entry = new DirectoryEntry(Domain, UserName, Password);
    object nativeObject = entry.NativeObject;
    // Log only the account name: the password must not be written to the log file.
    Program.fileWrite.WriteLine(DateTime.Now + "\t Login with credentials " + UserName);
    return true;
}
catch (DirectoryServicesCOMException e)
{
    Program.fileWrite.WriteLine(DateTime.Now + "\t " + e.Message);
    return false;
}
Source: (StackOverflow)
I am using adldap http://adldap.sourceforge.net/
And I am passing the session from page to page, and checking to make sure the username within the session is a member of a certain member group, for this example, it is the STAFF group.
<?php
ini_set('display_errors', 1);
error_reporting(E_ALL);
require_once('/web/ee_web/include/adLDAP.php');
$adldap = new adLDAP();
session_start();
$group = "STAFF";
//$authUser = $adldap->authenticate($username, $password);
$result = $adldap->user_groups($_SESSION['user_session']);
foreach ($result as $key => $value) {
    switch ($value) {
        case $group:
            print '<h3>'.$group.'</h3>';
            break;
        default:
            print '<h3>Did not find specific value: '.$value.'</h3>';
    }
    if ($value == $group) { print 'for loop broke'; break; }
}
?>
It gives me the error: Warning: Invalid argument supplied for foreach() on line 15, which is this line of code: foreach($result as $key=>$value) {
When I uncomment the code $authUser = $adldap->authenticate($username, $password); and enter the appropriate username and password, it works fine, but I shouldn't have to, since the session is valid; I just want to see if the username stored within the valid session is part of the STAFF group.
Why would it be giving me that problem?
Source: (StackOverflow)
I'm trying to re write a search from System.DirectoryServices to System.DirectoryServices.Protocol
In S.DS I get all the requested attributes back, but in S.DS.P, I don't get the GUID, or the HomePhone...
The rest of it works for one user.
Any Ideas?
public static List<AllAdStudentsCV> GetUsersDistinguishedName( string domain, string distinguishedName )
{
    try
    {
        NetworkCredential credentials = new NetworkCredential( ConfigurationManager.AppSettings[ "AD_User" ], ConfigurationManager.AppSettings[ "AD_Pass" ] );
        LdapDirectoryIdentifier directoryIdentifier = new LdapDirectoryIdentifier( domain+":389" );
        using ( LdapConnection connection = new LdapConnection( directoryIdentifier, credentials ) )
        {
            SearchRequest searchRequest = new SearchRequest( );
            searchRequest.DistinguishedName = distinguishedName;
            searchRequest.Filter = "(&(objectCategory=person)(objectClass=user)(sn=Afcan))";//"(&(objectClass=user))";
            searchRequest.Scope = SearchScope.Subtree;
            searchRequest.Attributes.Add("name");
            searchRequest.Attributes.Add("sAMAccountName");
            searchRequest.Attributes.Add("uid");
            searchRequest.Attributes.Add("telexNumber"); // studId
            searchRequest.Attributes.Add("HomePhone"); //ctrId
            searchRequest.SizeLimit = Int32.MaxValue;
            searchRequest.TimeLimit = new TimeSpan(0, 0, 45, 0);// 45 min - EWB
            SearchResponse searchResponse = connection.SendRequest(searchRequest) as SearchResponse;
            if (searchResponse == null) return null;
            List<AllAdStudentsCV> users = new List<AllAdStudentsCV>();
            foreach (SearchResultEntry entry in searchResponse.Entries)
            {
                AllAdStudentsCV user = new AllAdStudentsCV();
                user.Active = "Y";
                user.CenterName = "";
                user.StudId = GetstringAttributeValue(entry.Attributes, "telexNumber");
                user.CtrId = GetstringAttributeValue(entry.Attributes, "HomePhone");
                user.Guid = GetstringAttributeValue(entry.Attributes, "uid");
                user.Username = GetstringAttributeValue(entry.Attributes, "sAMAccountName");
                users.Add(user);
            }
            return users;
        }
    }
    catch (Exception ex)
    {
        throw;
    }
}
Also, if I want to fetch EVERY user in AD, so I can sync data with my SQL DB, how do I do that? I kept getting "max size exceeded" errors. I set the size to maxInt32... is there an "ignore size" option?
Thanks,
Eric-
Source: (StackOverflow)