Check LDAP to see if user exists...

I’ve taken over an event website, and am mostly using the last person’s code but I wanted to add an LDAP lookup to check whether or not people (who are logged in on one system) exist on a separate LDAP list…I thought I needed to check groups initially, but actually it really is just existing. I’m sure I’m doing something obviously wrong, as I say, I’m a PHP idiot.

So they’ve logged in (I have a .htaccess set but the list of members seems to be too big to just dump all the usernames into that) so: login = $_SERVER[‘REMOTE_USER’} - on the general system, then check against the ldap code:

[php]
userlogin = $_SERVER['REMOTE_USER'};
//connect to LDAP list
function &connect_to_ldap(){
    $ldapport = 389;
    $ds = ldap_connect("OURLDAPSERVER") or die("Could not connect to LDAP server.");
    if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
        echo "Failed to set protocol version to 3";
        return false;
    } else {
        return $ds;
    }
}
$ds = "OURLDAPSERVER";
$dn = "dc=some,dc=site,dc=co,dc=uk,cn=users";
$filter = "(uid=$userlogin)";
$sr = ldap_search($ds, $dn, $filter);
$info = ldap_count_entries($ds, $sr);

if ($info != 1) {
    echo "$userlogin Error processing username -- if you're a member, please try to login again.";
    redirect("../index.html");
    exit;
}
[/php]

Any advice would be really appreciated

First line - userlogin = $_SERVER['REMOTE_USER'}; should be userlogin = $_SERVER['REMOTE_USER']; and redirect might need to be header().

Thanks richei. I copied most of the code but typed that first one (which includes the } error).

I’m getting an error:
“ldap_search(): supplied argument is not a valid ldap link resource in” [my file path]

And
“ldap_count_entries() expects parameter 1 to be resource, string given in” [my file path]

(and the one about redirect which I’ve now changed).

Any advice?

The second error is because the first part isn’t being done. Solve the first one and the second one should go away. So for that, you need to verify that the login information contained in $_SERVER is correct, which I don’t think it is, because REMOTE_USER would be the person using the script, not necessarily the person with the login permissions.

So the .htaccess file forces people to login with any valid account. Remote_User reflects that username. If I do an echo Remote_User it is correct. The bit I’m least sure about is
[php]$filter = "(uid=$userlogin)";[/php]

Can I filter on uid like that? (uidobject? :s)

If this is PHP, then userlogin needs to be $userlogin. Also, have a look at the LDAP functions on php.net - http://www.php.net/manual/en/function.ldap-connect.php

Apparently you’re not the only one with the connection issue :slight_smile:

I would also verify that the login information is actually there. Just use either print_r($_SERVER); or var_dump($_SERVER); to see what’s contained in the array.

So username definitely appears (using echo remote, and the print_r). I can connect to the LDAP using a GUI thing and can see that cn=users, with uid=username - so I want to check to see if my remoteuser appears in ‘cn=users’ list… And I can see that all the dc,dc,dc,dc,cn bits are correct… :frowning: Thinking aloud a bit here.
I’ve just changed my code to ‘bind’ (because apparently connect doesn’t do that). Thanks for the advice richei!
[php]
$username = $_SERVER['REMOTE_USER'];
//connect to LDAP list
function &connect_to_ldap(){
    $ldapport = 389;
    $ds = ldap_connect("OURLDAPSERVER") or die("Could not connect to LDAP server.");
    if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
        echo "Failed to set protocol version to 3";
        return false;
    } else {
        return $ds;
    }
}

if ($ds) {
    // binding to ldap server
    $ldapbind = ldap_bind($ds);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
}

$ds = "OURLDAPSERVER";
$dn = "dc=us,dc=here,dc=co,dc=uk,cn=users";
$filter = "(uid=$username)";
$sr = ldap_search($ds, $dn, $filter);
$info = ldap_count_entries($ds, $sr);

if ($info != 1) {
    echo "$username Error processing username -- if you're a member, please try to login again.";
    // redirect("../index.html");
    exit;
}
[/php]

And using the gui, base DN (dc=,dc=,dc=,dc=) and filter uid=[myusername] works…so the structure should be correct. ???
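Added example (not the poster's code, and not what the thread settled on): the two warnings quoted earlier are what PHP emits when ldap_search() and ldap_count_entries() receive a string instead of a link resource, which is what happens above because connect_to_ldap() is never called and $ds is then set to the string "OURLDAPSERVER". The version below keeps a single handle from connect through count, checks that the ldap extension is loaded first, escapes the uid value, and puts the container first in the base DN; the server URI, the base DN and the anonymous bind are placeholders standing in for the real directory.

```php
<?php
// Added example: LDAP "does this login exist" check with one connection handle.
// LDAP_URI and LDAP_BASE_DN are placeholders for the real directory.
declare(strict_types=1);

const LDAP_URI = 'ldap://OURLDAPSERVER:389';
// Most-specific RDN first: the users container, then the domain components.
const LDAP_BASE_DN = 'cn=users,dc=some,dc=site,dc=co,dc=uk';

/**
 * Returns true when exactly one entry with this uid exists under LDAP_BASE_DN.
 * Connection, bind and search failures throw, so a broken server or missing
 * extension cannot be mistaken for "user is not a member".
 */
function ldap_user_exists(string $login): bool
{
    if (!extension_loaded('ldap')) {
        throw new RuntimeException('PHP ldap extension is not loaded');
    }
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        throw new RuntimeException('Could not connect to LDAP server');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Anonymous bind as in the thread; pass a bind DN and password if required.
    if (!@ldap_bind($ds)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ds));
    }
    // Escape the value so a login containing * ( ) or \ cannot alter the filter.
    $filter = '(uid=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = ldap_search($ds, LDAP_BASE_DN, $filter, ['uid']);
    if ($sr === false) {
        throw new RuntimeException('LDAP search failed: ' . ldap_error($ds));
    }
    $count = ldap_count_entries($ds, $sr);
    ldap_unbind($ds);
    return $count === 1;
}

// REMOTE_USER is populated by the .htaccess authentication in front of this page.
$login = $_SERVER['REMOTE_USER'] ?? '';
if ($login === '' || !ldap_user_exists($login)) {
    // Redirect before any output is sent; do not echo the failing login back.
    header('Location: ../index.html', true, 303);
    exit;
}
```

If the page went blank without even the echo output, wrap the call in a try/catch during debugging and log the exception message rather than relying on display_errors being on.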

Are you still getting those same search errors?

Yup. I’ve tried with LDAP_List & get the same issue

Have a look at the first example in http://www.php.net/manual/en/function.ldap-search.php, he’s doing pretty much what you’re trying to do.

That’s what I’m so baffled about, I think my code is pretty well identical to that example & as I say, using Luma (gui thing) the dn, ds, and ‘uid’ call should all be ok. :frowning:

Since the connection is good and the input seems to be there, I would look at what’s being sent to the search, maybe there’s something switched around or something isn’t getting there. Are you calling that function outside of the code that’s here?

eugh sorry I think I’ve been stupid and assumed ldap support was enabled. Copying across the connect & bind scripts into a new .php and running those I just get a blank page (no echo) which I assume means no ldap commands, no connection, which is why it doesn’t recognise ldap_search, etc.
I hope I’m wrong! But if not, I’ll see if someone can change that, and thanks for your help (and sorry for wasting your time)

lol, we’ve all done that at one time or another. I think you can actually enable that yourself using ini_set() in the htaccess file.

eugh, yeah - thanks for being understanding! :-). I’ll take a look at the ini_set() would I just dump ini_set(‘ldap.base_dn’… something into the same .htaccess file I’m using to restrict the directory?

Basically, you’re just enabling the LDAP functionality outside of the php.ini file. You can turn on error reporting too.
