
LDAP authentication question


Michael Holmes

Jan 28, 2004, 9:57:29 PM
Our Web Dev people are trying to setup a page on our main web server, which
happens to be running Red Hat LINUX. Their aim is to present a page, have
the PHP/LDAP script authenticate the user against our eDirectory 8.7.1
system (all Netware based) before permitting them further access. (They want
the user to type their name and password, and do a verify against eDir)

I must admit I know very little about LDAP... for now so I do not know where
to start looking for corrections.... Actually I do, I started here.

Can anyone assist?

Many thanks.

Andy Thompson (SysOp)

Jan 29, 2004, 6:37:56 AM
Michael Holmes wrote:

It's definitely possible and pretty straightforward. Are you just
looking for pointers or do you have any specific questions/problems? Do
you have LDAP working right now? There's a quick guide to set that up
here http://support.novell.com/cgi-bin/search/searchtid.cgi?/10017683.htm

--

Andy Thompson
Novell Product Support Forum SysOp
(No email support, thanks.)

Michael Holmes

Jan 29, 2004, 9:36:12 AM
I've got LDAP working... we use it in the workstation client for contextless
login and it's working just fine. I've verified that the certificate on the
LDAP server in question is valid.

Our problem is the Web guys can't get their script to work. They want to
display a page, have the user type their login ID and password, then have
LDAP do a verify against eDirectory. They get an error having to do
with/like "confidentiality required" and I'm not sure what that's all about.
They are running the web server on Linux and using PHP for their scripting.
(I've also tried something similar using the NWIDIR.OCX and get the same
type of error.)

"Andy Thompson (SysOp)" <00...@myrealbox.com> wrote in message
news:og6Sb.2638$Wh....@prv-forum2.provo.novell.com...

Andy Thompson (SysOp)

Jan 29, 2004, 9:59:46 AM
> Our problem is the Web guys can't get their script to work. They want to
> display a page, have the user type their login ID and password, then have
> LDAP do a verify against eDirectory. They get an error having to do
> with/like "confidentiality required" and I'm not sure what that's all about.
> They are running the web server on Linux and using PHP for their scripting.
> (I've also tried something similar using the NWIDIR.OCX and get the same
> type of error.)

You need to enable clear text passwords on the LDAP server. Depending
on your environment, this might or might not be a problem.

I've never been successful getting php working with ldaps... although I
didn't really invest a lot of time into it either.

Michael Holmes

Jan 29, 2004, 12:34:12 PM
My Web people just told me they got it to work. The trick was to specify the
port number in the connect statement.

"Andy Thompson (SysOp)" <00...@myrealbox.com> wrote in message
news:Cd9Sb.2773$Wh....@prv-forum2.provo.novell.com...

Andy Thompson (SysOp)

Jan 29, 2004, 12:43:04 PM
Michael Holmes wrote:

> My Web people just told me they got it to work. The trick was to specify the
> port number in the connect statement.

Cool... thanks for getting back.

Florian Racky

Jan 30, 2004, 9:57:47 AM
Hi,

> LDAP do a verify against eDirectory. They get an error having to do
> with/like "confidentiality required" and I'm not sure what that's all about.

AFAIK this means that you need to use TLS connections when communicating with the eDirectory.

> You need to enable clear text passwords on the LDAP server.
> Depending on your environment, this might or might not
> be a problem.

This might be a security problem? :-)

> I've never been successful getting php working with ldaps...
> although I didn't really invest a lot of time into it either.

This code is working for me:

// ldaps:// opens a TLS-encrypted session to the LDAPS port (636) straight away.
$ldap = @ldap_connect ("ldaps://" . $LDAP_HOST);
if ($ldap) {
    // eDirectory expects LDAPv3; PHP's default is v2.
    ldap_set_option ($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // StartTLS upgrades a plain ldap:// session; on a session that is already
    // ldaps:// it has nothing to do and only emits the warning mentioned below,
    // which the @ suppresses.
    @ldap_start_tls ($ldap);
    // Anonymous bind (no DN, no password); pass the user's DN and password as
    // the second and third arguments to verify a user's credentials.
    $bind = @ldap_bind ($ldap);
    // do something
}

It took me some days to get the whole thing working. There was a problem with ldap_start_tls which prints out warnings which need to be ignored. It was more challenging to make the linux-box trust the eDirectory's root certificate and to set up the ldap client library used by PHP.

> My Web people just told me they got it to work. The trick was to specify the
> port number in the connect statement.

I found out that the trick was *NOT* to use the port number but use the "ldaps:// notation" instead.

Flo
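The thread settles on two points: the "confidentiality required" result means the server refuses a simple bind over an unencrypted connection, and the fix on the client side is an ldaps:// URI (or StartTLS on a plain ldap:// session) rather than enabling clear-text passwords on eDirectory. The following is an added example, not code posted by anyone in the thread or shipped by Novell, showing a search-then-bind login in PHP that keeps TLS on, refuses the empty-password "unauthenticated bind" that most LDAP servers accept, escapes user input before it reaches a DN or filter, and reports result code 13 explicitly. The host, base context, objectClass and attribute names are assumptions for illustration; `ldap_escape()` needs PHP 5.6 or later.

```php
<?php
// Added example: authenticate a web user against an eDirectory LDAP server
// over LDAPS. Everything below the comment "assumed" is an illustration value.

const LDAP_URI     = 'ldaps://ldap.example.com';   // assumed server, TLS from the first byte
const LDAP_BASE_DN = 'o=example';                   // assumed eDirectory base context
const LDAP_CONFIDENTIALITY_REQUIRED = 13;           // LDAP result code "Confidentiality required"

/**
 * Look up the DN for a short login name (contextless login). Returns null if
 * the lookup is not permitted or the name does not identify exactly one user.
 * Assumes anonymous search on cn is allowed; otherwise bind a read-only
 * service account here instead of binding anonymously.
 */
function find_user_dn($ldap, string $username): ?string
{
    if (!@ldap_bind($ldap)) {
        return null;
    }
    // ldap_escape() with LDAP_ESCAPE_FILTER neutralises (, ), *, \ and NUL so a
    // login name cannot rewrite the filter.
    $filter = '(&(objectClass=inetOrgPerson)(cn=' // assumed user objectClass
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $res = @ldap_search($ldap, LDAP_BASE_DN, $filter, ['dn'], 0, 2);
    if ($res === false) {
        return null;
    }
    $entries = ldap_get_entries($ldap, $res);
    if ($entries['count'] !== 1) {
        return null;   // no such user, or an ambiguous name across contexts
    }
    return $entries[0]['dn'];
}

/**
 * Returns true when $username/$password bind successfully; otherwise a short
 * reason string meant for the server log, not for the login page.
 */
function authenticate_user(string $username, string $password)
{
    // An empty password is a legal *unauthenticated* simple bind in LDAP and
    // succeeds on most servers, so it must be rejected before binding.
    if ($password === '') {
        return 'empty password rejected';
    }
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return 'login name contains disallowed characters';
    }

    // ldaps:// already encrypts the session; do not also call ldap_start_tls()
    // on it (that is the StartTLS upgrade for a plain ldap:// session).
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return 'invalid LDAP URI';
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    $dn = find_user_dn($ldap, $username);
    if ($dn === null) {
        ldap_unbind($ldap);
        return 'user lookup failed';
    }

    // Bind as the user: the server verifies the password, PHP never sees a hash.
    if (@ldap_bind($ldap, $dn, $password)) {
        ldap_unbind($ldap);
        return true;
    }
    $code = ldap_errno($ldap);
    $msg  = ldap_error($ldap);
    ldap_unbind($ldap);

    if ($code === LDAP_CONFIDENTIALITY_REQUIRED) {
        // The server refuses simple binds on an unencrypted channel. Fix the
        // transport (ldaps:// or StartTLS), not the server's password policy.
        return "server requires TLS for simple bind ($msg)";
    }
    return "bind failed for $dn: $msg";
}

// Usage with form fields (assumed field names):
$result = authenticate_user((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
if ($result === true) {
    // grant access
} else {
    error_log('LDAP auth: ' . $result);
    // show the same generic "login failed" page for every failure reason
}
```

Because the connection is ldaps://, the client library has to trust the certificate the eDirectory server presents, which is the part Flo found hardest. PHP's ldap extension uses the system OpenLDAP client, so that trust is configured there (typically `TLS_CACERT` in the client's `ldap.conf` pointing at the tree CA's root certificate) rather than in the PHP code; disabling certificate checking to make the warnings go away would give back the passive-eavesdropping exposure the "confidentiality required" setting is there to prevent.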
