LDAP auth page not working

Status
Not open for further replies.

danno74

I'm at my end with this, because I know this was working when I first started this project. I get all the backend stuff done and am ready to publish, then the damn auth doesn't work! I am able to log in without a password! As long as my username is in the LDAP database, it lets me in. I know this used to work, I'm royally confused.

I found the original code on this forum.
Here is my interpretation:

Code:
<?php
if( isset($_POST['login']) && isset($_POST['password']) )
{
    //LDAP stuff here.
    $username = trim($_POST['login']);
    $password = trim($_POST['password']);
   $ldaphost = "ldap.server"; 

    
    $ds = ldap_connect($ldaphost);
    
    //Can't connect to LDAP.
    if( !'ds' )
    {
        echo "Error in contacting the LDAP server -- contact ";
        echo "the Helpdesk  (Debug 1)";
        exit;
    }
    
    //Connection made -- bind anonymously and get dn for username.
    $bind = @ldap_bind($ds);
    
    //Check to make sure we're bound.
    if( !'bind' )
    {
        echo "Anonymous bind to LDAP FAILED.  Contact the Helpdesk. (Debug 2)";
        exit;
    }
    
    $search = ldap_search($ds, "ou=x,dc=x,dc=x", "uid=$username");
   
    
    //Make sure only ONE result was returned -- if not, they might've thrown a * into the username.  Bad user!
    if( ldap_count_entries($ds,$search) != 1 )
    {
        echo "Error processing username -- please try to login again. (Debug 3)";
        redirect("login.php");
        exit;
    }
    
    $info = ldap_get_entries($ds, $search);
    
    //Now, try to rebind with their full dn and password.
    $bind = @ldap_bind($ds, $info[0]['dn'], $password);
    if( !$bind || !isset($bind))
    {
        echo "Login failed -- please try again. (Debug 4)";
        redirect("login.php");
        exit;
    }
    
    //Now verify the previous search using their credentials.
    $search = ldap_search($ds, "ou=x,dc=x,dc=x", "uid=$username");
           
    $info = ldap_get_entries($ds, $search);
   
    if( $username == $info[0]['uid'][0] )
    {
        
        $_SESSION['username'] = $username;
        $_SESSION['fullname'] = $info[0]['cn'][0];
        $_SESSION['affiliation'] = $info[0]['edupersonprimaryaffiliation'][0];
        header('Location: https://www/success.php');
        exit;
    }
    else
    {
        echo "Login failed -- please try again." ;
        exit;
    }
    ldap_close($ds);
    exit;
}
?>

I realize I can remove some of the fluff in there, and have done so, but get the same result. I don't understand why the first IF statement requiring both fields at least being filled is not working at least.

I know this once worked, and I can't seem to fix it. Please help me retain some sanity.

- Dan
 
Change the conditional to this:

Code:
if (!empty($_POST['login']) && !empty($_POST['password'])){

Typically a form will submit blank results for empty text fields, thus the login and password fields will typically be set.

If the values are not what you expect then print_r($_POST) to analyse what's coming in.
 
Thank you so much!!!!!!!! That was it, it works now.
 
Am I missing something here?

I don't think your code is working the way you intended.

e.g.
Code:
$ds = 0;

if (!'ds') {
  echo 'could not connect';
} else {
  echo 'we connected';
}
In a few places in your code you've done something similar.
i.e.
Code:
$ds = ldap_connect($ldaphost);
    
//Can't connect to LDAP.
if( !'ds' )
{
  echo "Error in contacting the LDAP server -- contact ";
  echo "the Helpdesk  (Debug 1)";
  exit;
}

Basically, you're setting variables and then testing against a string - not the variable.

After that, you're asking if a string is false - which it never will be.
 
If that is the case, the elements I am testing for are connectivity. If they don't work, then the preceding tests will fail as well. I should just remove those anyhow, if our LDAP server is down, we'll know way before anyone accesses this simple page.

Thanks for the information darrell.
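
Added example, not part of the thread or any poster's code: a login check that combines the two fixes discussed above (refuse an empty password, test the variables rather than string literals) and also escapes the username in the search filter, which the original comment about `*` touches on. The function names and the `$uri` and `$baseDn` parameters are assumptions for illustration; the empty-password check matters because a simple bind with a DN and a zero-length password is an unauthenticated bind (RFC 4513, section 5.1.2), which many servers accept.

```php
<?php
// Added example, not code from the thread. $uri and $baseDn are placeholders.

// Escape the username for filter context so *, (, ) and \ match literally.
function uid_filter(string $username): string
{
    return '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Returns the user's entry on success, null on any failure.
function ldap_login(string $uri, string $baseDn, string $username, string $password): ?array
{
    // A DN with an empty password is an unauthenticated bind (RFC 4513, 5.1.2),
    // which many servers accept. Compare with '' because empty('0') is true.
    if ($username === '' || $password === '') {
        return null;
    }

    $ds = ldap_connect($uri);
    if (!$ds) {                    // test the variable, not the string 'ds'
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    if (!@ldap_bind($ds)) {        // anonymous bind, used only to find the DN
        return null;
    }

    $search = @ldap_search($ds, $baseDn, uid_filter($username), ['uid', 'cn']);
    if (!$search || ldap_count_entries($ds, $search) !== 1) {
        return null;
    }
    $info = ldap_get_entries($ds, $search);

    // Rebind as the user; this bind is the actual password check.
    if (!@ldap_bind($ds, $info[0]['dn'], $password)) {
        return null;
    }
    return $info[0];
}

// Constructed input: the wildcard is escaped instead of matching every uid.
echo uid_filter('jdoe*'), PHP_EOL;
```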
 