LDAP in SSL problem

Posted by Steve JORDI on 01/17/07 07:52

Hi,

it seems to me that I have a problem using an LDAPS connection
to our server for identification purposes (using OpenLDAP and
OpenSSL).

Using PHP 4.4.4 I have the following code which correctly
binds in SSL but any "search" for attributes and their values
seems to return only the attributes for an anonymous connection.
Thus, this is restricted to a few of them instead of having them all
(especially the groupMembership I'm looking for).


// Open the LDAPS connection (no bind yet, so the session is anonymous)
$ldapconn = ldap_connect("ldaps://ldapserver", 636 )
    or die( "Connection problem.<BR>" ) ;

if (ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    echo "Using LDAPv3<BR>\n";
} else {
    echo "Failed to set protocol version to 3";
}

// Verify whether the provided name exists (anonymous search)
$ldapresult = @ldap_search( $ldapconn, "o=mydomain", "cn=".$name ) ;
if( $ldapresult ) {
    // User exists, now retrieve his DN and bind in SSL
    $entries = @ldap_get_entries( $ldapconn, $ldapresult ) ;
    if( $entries["count"] ) {
        // Bind on the same connection with the DN found above
        $ldapbind = ldap_bind( $ldapconn, $entries[0]['dn'], $pwd ) ;
        if( $ldapbind ) {
            echo "Succesfully bound<BR>" ;
            // do some new ldap_search here
            // ...
        }
        else {
            echo "Bound failed<br>" ;
        }
    }
}

This prints "Succesfully bound" with the correct credentials.

That's where I have a doubt. How does the ldap function then work
knowing it has correct credentials?

After the successful bind, if I do another search, I still get the
basic attributes (about 6 of them), not all of them.
For example:
$result = @ldap_search( $ldapconn, "o=mydomain", "cn=".$name ) ;

Does ldap_bind change the content of $ldapconn in order to know
that we're now securely authenticated???

I'm really missing something there. Does the ldap_bind call change anything
in the ldap functions' behavior after being successful?
How does the application know we're correctly identified?

The server has a valid certificate (the bind() wouldn't work anyway if
that were not the case).

Thanks for any help.


Sincerely,
Steve JORDI

(Remove the K_I_L_LSPAM from my email address)
------------------------------------------------
1197 Prangins Email: stevejordiK_I_L_LSPAM@hotmail.com
Switzerland WWW: www.sjordi.com
------------------------------------------------
Volcanoes at www.sjordi.com/volcanoes
MovieDB at www.sjmoviedb.com
------------------------------------------------
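
The search-then-bind flow from the post, as an added example that is not part of the original message: it escapes the user-supplied name before building the filter, rejects an empty password (a simple bind with a DN and an empty password is an unauthenticated bind that many servers answer with success), and reads the entry again on the same connection after the bind. The function names, the sample login and the use of modern PHP with `ldap_escape()` are assumptions; the host, base DN and `groupMembership` come from the post.

```php
<?php
// Added example (PHP 7.1+ with ext-ldap). Host, base DN and attribute name
// come from the post; function names and the sample login are assumptions.

function find_user_dn($conn, string $base, string $name): ?string
{
    // Escape RFC 4515 metacharacters so $name cannot rewrite the filter.
    $filter = '(cn=' . ldap_escape($name, '', LDAP_ESCAPE_FILTER) . ')';
    $res = @ldap_search($conn, $base, $filter, ['1.1']); // '1.1' = no attributes
    if ($res === false) {
        return null;
    }
    $entries = ldap_get_entries($conn, $res);
    // Require exactly one match so the DN we bind as is unambiguous.
    return ($entries !== false && $entries['count'] === 1) ? $entries[0]['dn'] : null;
}

function login_and_read_groups($conn, string $base, string $name, string $pwd): ?array
{
    // Empty password = unauthenticated bind (RFC 4513, 5.1.2): the call can
    // return success while the session stays anonymous, so refuse it here.
    if ($name === '' || $pwd === '') {
        return null;
    }
    $dn = find_user_dn($conn, $base, $name);
    if ($dn === null || !@ldap_bind($conn, $dn, $pwd)) {
        return null;
    }
    // The authorization state belongs to this connection, so reuse $conn
    // and ask for the wanted attribute by name.
    $res = @ldap_read($conn, $dn, '(objectClass=*)', ['groupMembership']);
    if ($res === false) {
        return null;
    }
    $entry = ldap_get_entries($conn, $res);
    // ldap_get_entries() lowercases attribute names in its result array.
    $groups = $entry[0]['groupmembership'] ?? [];
    unset($groups['count']);
    return array_values($groups);
}

$conn = ldap_connect('ldaps://ldapserver');
if ($conn === false) {
    exit("Bad LDAP URI\n");
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// Constructed sample credentials; null means lookup or bind failed.
var_dump(login_and_read_groups($conn, 'o=mydomain', 'jdoe', 'constructed-password'));
```

An empty array after a successful bind means the bound identity still cannot read `groupMembership`, which points at the directory's access rules rather than at the PHP side.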
