adldap / adldap Goto Github PK

It would be nice if searching by email address was added.

The method adldap_schema currently checks to see if the $attributes array contains keys using the syntax,

if ( $attributes["foo"] ) {

This throws a warning if E_NOTICE is set in error_reporting. Instead, isset or array_key_exists should be used:

if ( array_key_exists("foo", $attributes) ) {
// or
if ( isset($attributes["foo"]) ) {

Hi,

an old theme: will version 5 support LDAP pagination insert into php >= 5.4?
I have a lot of issue when browse large windows 2008 active directory domains.

Thanks for your lib.
v.

OLD COMMENT:
Until few days ago the following code worked:

use adLDAP\adLDAP;
(...)
$ad = new Adldap(\Yii::$app->params['ldap_configuration']);

But now I have the error in subject (Class 'adLDAP\adLDAP' not found)
and the authentication doesn't work,

In composer.json I have:
"adldap/adldap": "5.0.*",

New COMMENT

Now I changed and as documentation says:
I use
use Adldap\Adldap;

but at
$ad = new Adldap(\Yii::$app->params['ldap_configuration']);

webApp goes in timeout in loadClass($class) of ClassLoader.php

Suggestions?

Upon trying to install adldap using Composer on a Laravel installation, I'm getting the below error.

C:\wamp\www\laravel>composer require adldap/adldap
Using version dev-master for adldap/adldap
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - adldap/adldap dev-master requires ext-ldap * -> the requested PHP extension ldap is missing from your system.
    - adldap/adldap dev-master requires ext-ldap * -> the requested PHP extension ldap is missing from your system.
    - Installation request for adldap/adldap dev-master -> satisfiable by adldap/adldap[dev-master].


Installation failed, reverting ./composer.json to its original content.

Hi I'm getting the following error on a fresh install, this wasn't happening before:

• Installation request for aparticka/laravel-auth-ldap ^0.1.1 -> satisfiable by aparticka/laravel-auth-ldap[0.1.1].
• aparticka/laravel-auth-ldap 0.1.1 requires adldap/adldap ~4.0 -> no matching package found

Any ideas on how to fix this?

I'm trying to get SSO working with adLDAP on an IIS PHP based intranet and am getting nowhere.

In the adLDAP I have set useSSO variable to True.
I have then tried multiple ways to call that file and authenticate a user with no luck.

Below I have posted the cutdown code I am trying to test with. What am I doing wrong please?
php_ldap.dll is enabled in the PHP ini file.

Thanks in advance!

It would be nice to add to adLDAPUtils method to convert DN string to array with option to exclude base DN part.
It will be very useful in call of method adLDAPExchange::createMailbox(), to pass storageGroup as array.

The function:

    public function ldapSlashes($str){
        return preg_replace('/([\x00-\x1F\*\(\)\\\\])/e',
                            '"\\\\\".join("",unpack("H2","$1"))',
                            $str);
    }

Results in the following warning:

PHP Deprecated:  preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead

I dont have a solid enough understanding of what it is doing to rewrite it on my own and not introduce a bug. Could you please assist?

Thanks!

The library do not use namespace for classes.

It should be great to have one in order to be one step clother to "new standards". (psr-2)

It appears that user functions search (filter by) samAccountName only. Would it be possible to allow searches by additional fields ( like lastname , email address, etc)? Or even better, allow this to be a configurable item?.

In my environment, the new trend is for usernames (samaccountname) to be 4 random letters + 4 digits, which are unrelated to any of the user's names, or email address. So searching only samaccountname is no longer useful, unless you already know the exact userid.

This would be helpful for tracking down issues with users with multiple IDs, etc.

After calling:

$result = $adldap->group()->members('Gr_QNT_Uzytkownicy', array('cn'));

PHP throws:

Notice: Undefined offset ...

because of wrong condition in for loop in line 51:

for ($i = 0; $i <= $attributes[$key]['count']; $i++) {

condition should be (lower than):

for ($i = 0; $i < $attributes[$key]['count']; $i++) {

You no longer had any version other than dev-master available from packagist. This is breaking a lot of projects that depend on you.

"require": {
    "adldap/adldap": "~4.0",
}

This no longer resolves

I would like to see support for multiple domains to be supported that are not within the same Forest or a sub-domain. For example, trusted domains, or the ability to authenticate users to their external AD Domains based on e-mail address.

I am creating a login form and keep getting this error:

Warning: include(C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\supportadLDAP.php): failed to open stream: No such file or directory in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\support\index.php on line 5 Warning: include(): Failed opening 'C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\supportadLDAP.php' for inclusion (include_path='.;C:\php5\pear') in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\support\index.php on line 5 Fatal error: Class 'adLDAP' not found in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\support\index.php on line 6

here is my code:

the form's code:
{{

Hi, i am trying to use the adLDAP.php on my ubuntu server with ngnix, but nothing happens.
Does anyone else had problems with this configuration?
Tks!

Would pull requests that get adLDAP in conformance with the PSR standards be accepted?

hi,
when i try to insert name with "é" (in sn and firstname) and the original string is utf8, the string is re coded in utf8.

i have make a push request #76
Thank you.

The encodePassword() functions failes on multibyte strings like utf-8 passwords with german umlauts (ä,ö,ü,ß, etc.) because the functions just adds zerobytes after every character which ends up in invalid utf-16le.

I replaced the original function:

public function encodePassword($password)
{
$password=""".$password.""";
$encoded="";
for ($i=0; $i <strlen($password); $i++){ $encoded.="{$password{$i}}\000"; }
return $encoded;
}

with this:

public function encodePassword($password)
{
$encoded = mb_convert_encoding('"' . $password . '"', 'utf-16le', 'utf-8');
return $encoded;
}

this worked for me.

have a nice day, johannes

I have a simple script to pull in the groups a user is the member of:

$this->adLDAP->user()->groups( $user ); $user is my username.

I am authenticating to AD using admin_username and admin_password.

Authentication works fine,

$this->adLDAP->group()->members( $group ) works fine However user()->groups() simply shows me the top level groups Domain Users, Users. If i view my own profile it works as expected, likewise if I view other members of my team it works fine, but viewing users outside my own team I don't see the info. Why should this make any difference?

Hi, sorry my english. i'm trying to create users but @ldap_add() return false, i dont understand why...

this is my params connection

$options = array('account_suffix'=>"@InfoPruebas.com", 'base_dn'=>"DC=InfoPruebas,DC=com", 'domain_controllers'=>array("10.101.0.203"), 'admin_username'=>"Administrador", 'admin_password'=>"Info2015");

the credentials are ok (authenticate success!!)

Data user:
$fields=array( "username"=>"Some.User", "logon_name"=>"[email protected]", "firstname"=>"Fred", "surname"=>"Smith", "company"=>"My Company", "department"=>"My Department", "email"=>"[email protected]", "container"=>array("Users"), "enabled"=>1 );

this is the instance:
$result = $this->ldap->user()->create($fields);

in method create:
// Add the entry
$result = @ldap_add($this->adldap->getLdapConnection(),"CN=" . $add["cn"][0] . "," . $container . "," . $this->adldap->getBaseDn(), $attributes); var_dump($result); //false die();

thanks :) , repeat sorry my english u.u

When using PHP < 5.6.0, ldap_escape() function doesn't exist so manual escape is being used. This effects weird filter content. I've added:

var_dump($filter);

to connection (Ldap.php) search() function and called:

$result = $adldap->group()->members('Gr_QNT_Uzytkownicy', array('cn'));

and result of var_dump() for manual escape was:

(&(objectClass=67726f7570)(anr=47725f514e545f557a79746b6f776e696379))

rather than (result of original ldap_escape()):

(&(objectClass=\67\72\6f\75\70)(anr=\47\72\5f\51\4e\54\5f\55\7a\79\74\6b\6f\77\6e\69\63\79))

Have set up all the certificate stuff afaik, even managed to authenticate against the AD in SSL mode, but when i do: $adldap->users()->all() it returns with errors:

http://imgur.com/my3Pfis

As you can see at the top of the image, it authenticates the admin user just fine for seeing if the user is authorised to do stuff, but everything else basically returns lots of errors, whether it is getting a list of all users or attempting to change a user.

PHP code is here: http://pastebin.com/gqPUPjKb

I've left out the HTML code, since that isn't the issue here.

I am using WAMPServer on a Windows 2008 R2 server, WAMPServer is on version 2.4 64bit version.

I have the Apache SSL and LDAP modules installed as well as the SSL and LDAP modules for PHP installed, phpinfo() correctly shows OpenSSL and OpenLDAP as being enabled and running.

I dont can use openldap with adLDAP:

$adldap = new LDAP\adLDAP\adLDAP(
array(
'base_dn' => 'o=mycompany,dc=es',
'account_suffix' => '',
'domain_controllers' => array('192.168.0.1')
)
);
$adldap->authenticate($username, $passwordClear);

The error is: Invalid DN syntax

My user in ldap:

dn: uid=usertest,ou=mycompany,dc=es
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: person
givenName: Name1
sn: Name1
displayName: Name1
userPassword:
cn: Name1
mobile: 4444444
gecos: Name1
homePhone: 4444444
uid: mariomv
uidNumber: 50
gidNumber: 50
homeDirectory: /home/usertest
st: XXXX
l: XXX
postalCode: 50000
mail: [email protected]
description: XXXXX

And I put the password this:

$ ldappasswd -Wx -D "cn=root,dc=es" -H ldap://localhost -S "uid=usertest,ou=mycompany,dc=es"

PHP Notice: Undefined offset: 0 in adLDAPGroups.php on line 109

For those of us that use composer, this would be very helpful. Right now, I have to push this into a local repo and then create my own local composer repo to pull it from, so that we can maintain our standard of all 3rd party dependencies are installed by Composer.

On php5 I get the following warning when debug is enabled

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in ./lib/adLDAP/classes/adLDAPUtils.php on line 105

The solution provided by Esteban Santana Santa here worked well

How do i specify the OU i would like a certain user to be modified from?

$attributes=array(
"username"=>'modifiedLibTest',
);

    $modified = $adldap->user()->modify("libguest", $attributes);
    var_dump($result);

Hi guys.
Great work so far!

I initiate adLDAP with recursive_groups => true.

If I use $adldap->user()->infoCollection($username) I don't get all groups.

The infoCollection method ignores recursive_groups

Is that intended?

Hello,
I found bug on wiki page with examples. After click to link See user functions in "Group membership of a user" section I'm redirect to Home page with message "You do not have permission to update this wiki.".

using Version 4.0.3. Upgraded my PHP to v5.5.11 and now I keep getting:

PHP Deprecated:  preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /html/common/objects/adLDAP/classes/adLDAPUtils.php

based on this:
https://github.com/adldap/adLDAP/blob/master/lib/adLDAP/adLDAP.php#L705

I suppose I can't write just:

$adldap->authenticate('user', 'password');

If the dn is "cn=user,ou=users,dn=domain,dn=local". What about to add accountPrefix?

Would it be possible to tag a version of the repository that contains composer.json? (4.05?)

The v4.04 tagged branch

https://github.com/adldap/adLDAP/tree/v4.0.4

doesn't have a composer.json file.

This means I can't use composer to add this repository to my projects without either

1. Accepting a minimum stability that would let me target dev-master/the master branch
2. Forking the repository myself and using that project

Also -- with a tagged stable version of the official project out there, it might help with the current packagist weirdness.

Happy to provide more context if that would help. Thank you for your time/attention.

I'm trying to return the just the users of a certain OU 'Public Patrons'. I can't seem to get group()->members to work or group addUser. Cant seem to find any real support for this so anything would be great. The listing array is working just fine, but gives more information than i desire. Bool members and addUser function return bool false. Thanks.

error_reporting(E_ALL ^ E_NOTICE);
//echo "before include";
/Include the adLDAP library for use in connecting to the AD/
include (dirname(FILE) . "/php_ad_stuff/adLDAP/src/adLDAP.php");
//echo"before try";
//require_once(dirname(FILE) . './php_ad_stuff/adLDAP/src/adLDAP.php');
try{
$adldap = new adlDAP();
// echo"inside of try";
}
catch(adLDAPException $e){
echo $e;
// echo "Hello";
exit();
}

    /*********Authentication**************/
    $username= "someUser";
    $password="somePW";

// $username= $_POST["username"];
// $password= $_POST["name"];
$name="Jesse";
$lastname="Williams";
$userName="libTestJesseAdded";

// echo "Hello";

    $result= $adldap->authenticate("$username","$password");
    var_dump($result);


    $connection = ldap_connect("censored IP");
    if($connection){
            echo "Connected";
    }




    $result = $adldap->folder()->listing(array('Public Patrons','Users','Library','Academic Affairs'), adLDAP::ADLDAP_FOLDER, true);
    var_dump($result);


    echo "Group members\n";
    $test= $adldap->group()->members('Public Patrons');
    var_dump($test);






    $result=$adldap->group()->addUser("Library Public Patrons","userName");
    var_dump($result);

    echo "\n";
    echo "INFO COLLECT";

OUTPUT -- the arrays folder return has been censored due to private information. But that command as stated does work.

//Array folders information.

Group members
bool(false)
bool(false)

INFO COLLECT

We have this notice "Undefined index: address_code" when i create an user.

In file adLDAP.php, method "adldap_schema" at line 808 :

• Error :

if ($attributes["address_city"]){ $mod["l"][0]=$attributes["address_city"]; }

• Solution :

if (array_key_exists("address_city", $attributes)){ $mod["l"][0]=$attributes["address_city"]; }

There is similar problem on other attributes (address_code, address_country, ...).

Hi,
i had the problem, that php kill my process after 30 seconds if the LDAP server was not reachable. I fixed this issue with the folowin line:

ldap_set_option($this->ldapConnection, LDAP_OPT_NETWORK_TIMEOUT, 25);

in lib/adLDAP/adLDAP.php's connect() function.

May be you can implement this to your class :)

Regards,
Daniel

As reported by @Janhu at https://sourceforge.net/apps/trac/adldap/ticket/50

replace preg_replace with preg_replace_callback in classes/adLDAPUtils.php:105

I have access to an Active Directory that enforces a 2 password history restriction. Any password in the last 2 passwords you have, is not a viable candidate to be set or reset as your password.

Is there any way have ldap respect this restriction?

Hello
I try to add user account in my AD with the library :
$attributes=array(
"username"=>"juju",
"logon_name"=>"[email protected]",
"firstname"=>"juju",
"surname"=>"michel",
"company"=>"My Company",
"department"=>"My Department",
"email"=>"[email protected]",
"container"=>array("Container Parent","Container Child"),
"enabled"=>1,
"password"=>"Password123",
);

try {
    $result = $adldap->user()->create($attributes);
    var_dump($result);
}
catch (adLDAPException $e) {
    echo $e;
    exit();   
}

In fact nothin happen : no error message and no account apear in my ad .I think i missunderstanding what "container parent" and "container child " is .
Can you help me please
PS: Sorry for my english !

Hi,

Is it possible to enter the name of a group if is not case sensitive ?

Exemple:

$this->user()->inGroup('toto', 'Computer Center');

Is not similar to :

$this->user()->inGroup('toto', 'Computer center');

Thanks

Hello, this occurs after setting up a directory with all needed files. Version 4.0.4 is working with no issues, but going to version 5 I get "Fatal error: Class 'adLDAP' not found" when it is there. The server gives a 500 error with nothing in the logs. The out put of dirname(FILE) is correct /var/www/html/webdev/kerbAuth/adLDAP <-- everything is in there.

Server:Apache/2.2.15 (Red Hat)
X-Powered-By:PHP/5.3.3
SSL is forced throughout this app.

What is it failing finding the class?

The functions in the class adLDAPUtils should be static to provide access to the functions without existing LDAP connection

Hi Rich,

I just implemented active directory support for EGroupware (www.egroupware.org).

I run into a few problems in adLDAP:

1. no support for utf-8 as internal encoding
2. Win2008/Samba4 CN=Users container can not be specified
3. some missing utility functions eg. convert Unix timestamp to Windows for updates
4. some unsupported attributes for users and groups on update

• users: CN, primaryGroupID, sAMAccountName
• groups: mail, description

For 1. + 2. I avoided forking whole adLDAP by extending and override methods which I needed to fix. For 3. + 4. I put the code in my own class.

Are you interested in the changes?
If yes, do you prefer a patch or a pull request?

My code can be find in our public SVN:

• http://svn.stylite.de/viewvc/egroupware/trunk/phpgwapi/inc/class.accounts_ads.inc.php?view=markup
• http://svn.stylite.de/egroupware/trunk/phpgwapi/inc/class.accounts_ads.inc.php

Extended adLDAP classes are at the end of the file.

Regards

Ralf

Hi,

i found a deprecated regex modifier /e.
Used in classes/adLDAPUtils.php on line 105 within the function preg_replace().

This will throw an error message:
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in D:\Workspace\www Projects\Sclable\AD\adLDAP-4.0.4r2\classes\adLDAPUtils.php on line 105

Replacing the function with preg_replace_callback is not necessary.
Only remove the modifier ... this is working in my environment!

For Information my PHP Version is 5.5.11

Hey together,

i'm wondering why some users of mine can't login per ldap..
The problem was, that all of them had a same sign in the password.. an "§".

    // Allow binding over SSO for Kerberos
    // ME: On this time the password is showing correct "altah§")
    if ($this->useSSO && $_SERVER['REMOTE_USER'] && $_SERVER['REMOTE_USER'] == $username && $this->adminUsername === null && $_SERVER['KRB5CCNAME']) {
        putenv("KRB5CCNAME=" . $_SERVER['KRB5CCNAME']);
        $this->ldapBind = @ldap_sasl_bind($this->ldapConnection, null, null, "GSSAPI");
        if (!$this->ldapBind) {
            throw new adLDAPException('Rebind to Active Directory failed. AD said: ' . $this->getLastError());
        }
        else {
            return true;
        }
    }

    // ME: But on this point signs like § would be display as (?)
    // Since i  add this little utf8_encode, the authentification works fine.. 
    $password = utf8_encode($password);

Is this a generell problem or only on my System?

Hi,

I would like to connect to Active directory on port 3269.
But the port is ignored. In this case, adLdap used the port 636.

My parameters are :
$configuration['use_ssl'] = true;
$configuration['use_tls'] = false;
$configuration['ad_port'] = 3269;
$this->connexion = new \adLDAP($configuration);

In class adLDAP.php, line 628, we can see :
ldap_connect("ldaps://" . $domainController, $this->adPort);

But, in php documentation (http://php.net/manual/fr/function.ldap-connect.php), we can see :

• hostname : If you are using OpenLDAP 2.x.x you can specify a URL instead of the hostname. To use LDAP with SSL, compile OpenLDAP 2.x.x with SSL support, configure PHP with SSL, and set this parameter as ldaps://hostname/.
• port : The port to connect to. Not used when using URLs.

Is it a bug or have i a problem with my parameters ?

More informations :

• ADLDAP version 4.0.4
• PHP version 5.4.36

lib/adLDAP/classes/adLDAPFolders.php (line 166 )

$containers = "";
if (count($attributes['container']) > 0) {
$containers = "OU=" . implode(",OU=", $attributes["container"]) . ",";
}

//Line 166 (overwrites the correctly set $container variable above )
$containers = "OU=" . implode(",OU=", $attributes["container"]);
$result = ldap_add($this->adldap->getLdapConnection(), "OU=" . $add["OU"] . ", " . $containers . $this->adldap->getBaseDn(), $add);
if ($result != true) {
return false;
}
return true;

Line 357:
$users = $info[0]["member"];

Is throwing a notice if there are no members in that group.
Line 358 is checking if it an array, but with no users, it does not exist as element.

I've replaced line 357 to 360 with:

    if(isset($info[0]["member"])){
        $users = $info[0]["member"];
        if (!is_array($users)) {
            return false;   
        }
    } else {
        return false;
    }

And the issue appears fixed.

Using the following configuration options with a Windows Service Account, binding fails. This is because the account was specifically created to query Active Directory, and does not have the same attributes as a typical user.

array(
    'account_suffix'=>  '@domain.com',
    'domain_controllers'=>  array('192.168.0.1'), 
    'ad_port' => 123,
    'base_dn'   =>  'DC=DOMAIN,DC=COM',
    'admin_username' =>  'CN=service_acct,OU=Service Accts,OU=Resources,DC=DOMAIN,DC=COM',
    'admin_password' =>  'password'',
    'use_ssl' => false,
);

Because of this, the following connection fails with a Bind to Active Directory failed. Check the login credentials and/or server details. AD said: Invalid credentials message.

$this->ldapBind = @ldap_bind($this->ldapConnection, $this->adminUsername . $this->accountSuffix, $this->adminPassword);

I believe this to be due to the account_suffix option. If I use a different user to bind with such as my own Windows credentials, I am able to connect. Similarly, if I set 'account_suffix'=> '', I can bind with the service account, but it forces all of my users to log in with their fully qualified account ([email protected]) since it's no longer explicitly set.

It's not possible to remove the "User must change password on next login" attribute once it is set already.