Hi,

We've created an intranet site that requires the same password as the user's network login, so we use LDAP to check the username/password.

That's fine, but if they enter it incorrectly three times it locks their account out, and one or two users have found this confusing.

Is there any way at all I could check, using LDAP/PHP, whether or not their account is locked, so I can display a little message prompting them to contact IT?

Thanks

A: 

Without a standard "lockout" field I would use an LDAP browser to compare an account before and after a lockout. You can use LBE (LDAP Browser/Edit) to extract LDIF files of a user object and then use your favorite diff tool to compare them.

Matthew Whited
When did LBE go to a 'for-fee' model? I was wondering where it went, since all the links I had to it, were dead. Geez. My favorite LDAP browser still...
geoffc
No idea... I didn't even notice that part. (I haven't used it in over a year)
Matthew Whited
+1  A: 

You need to connect to the LDAP using the LDAP functions in PHP and perform search/read to locate and get the information. You can read about it here: http://us3.php.net/manual/en/book.ldap.php

Here is some sample code for reading entries:

    // Assumed to be defined earlier: $ldapip, $ldapport, $admindn, $adminpwd,
    // $userbasedn and $filter
    if (!($ldap = ldap_connect($ldapip, $ldapport)))
    {
        die("Error:Unable to connect to the LDAP Server");
    }
    // Active Directory and most modern servers require LDAPv3
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_bind($ldap, $admindn, $adminpwd))
    {
        die("Error:Unable to bind as '$admindn'!");
    }

    $sr = ldap_search($ldap, $userbasedn, $filter);
    $info = ldap_get_entries($ldap, $sr);

    if ($info["count"] > 0)
    {
        $entry = ldap_first_entry($ldap, $sr);
        $return_array = ldap_get_attributes($ldap, $entry);
        if ($return_array)
        {
            // Walk the attribute names and print each name with its first value
            for ($i = 0; $i < $return_array['count']; $i++)
            {
                print($return_array[$i]);
                print($return_array[$return_array[$i]][0]);
            }
        }
    }

You might want to check for the fields lockoutTime in AD and nsaccountlock in LDAP, and read them.

Pradeep
lockedByIntruder in eDirectory. I forget the reset time attribute name though.
geoffc
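An added example, not code from the answers above, that puts the two attributes they name to use: it binds with a service account, looks the user up by name, and reads lockoutTime (AD) and nsAccountLock. The host, bind DN, password, base DN and lockout duration are assumed placeholders; the filter accepts either sAMAccountName or uid.

```php
<?php
// Added example (not from the original answers). All constants are assumptions.
const LDAP_URI     = 'ldaps://ldap.example.internal';                         // assumed
const BIND_DN      = 'cn=intranet-svc,ou=Service Accounts,dc=example,dc=internal'; // assumed
const BIND_PW      = 'change-me';                                            // assumed; store outside the web root
const BASE_DN      = 'dc=example,dc=internal';                                // assumed
const LOCKOUT_SECS = 30 * 60;   // assumed: must match the domain's lockoutDuration; 0 = until admin unlock

// Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a Unix timestamp (64-bit PHP).
function filetimeToUnix(string $filetime): int
{
    return intdiv((int) $filetime, 10000000) - 11644473600;
}

// true = locked, false = not locked, null = user not found.
function isAccountLocked(string $username, ?int $now = null): ?bool
{
    $now ??= time();
    $ldap = ldap_connect(LDAP_URI);
    if (!$ldap) {
        throw new RuntimeException('ldap_connect failed');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ldap, BIND_DN, BIND_PW)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ldap));
    }
    // Escape the user-supplied name so it cannot change the filter's structure.
    $name   = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter = "(|(sAMAccountName=$name)(uid=$name))";
    $sr      = ldap_search($ldap, BASE_DN, $filter, ['lockoutTime', 'nsAccountLock']);
    $entries = ldap_get_entries($ldap, $sr);
    ldap_unbind($ldap);
    if ($entries['count'] === 0) {
        return null;
    }
    $e = $entries[0]; // ldap_get_entries() lower-cases attribute names
    if (isset($e['nsaccountlock']) && strtolower($e['nsaccountlock'][0]) === 'true') {
        return true;  // 389/Sun Directory Server administrative lock
    }
    if (!isset($e['lockouttime']) || (int) $e['lockouttime'][0] === 0) {
        return false; // AD: 0 means never locked or cleared on last good logon
    }
    if (LOCKOUT_SECS <= 0) {
        return true;  // domain keeps accounts locked until an administrator unlocks them
    }
    // AD does not reset lockoutTime when the lockout expires, only on the next
    // successful logon, so a non-zero value is only "locked" while still inside lockoutDuration.
    return ($now - filetimeToUnix($e['lockouttime'][0])) < LOCKOUT_SECS;
}
```

Show the "contact IT" message only when this returns true; a failed bind of the user's own credentials with no lockout is an ordinary wrong password and should get the generic failure text.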
A: 

Doesn't that defeat the idea of having a shared logon?

If your intranet site allows more trials than the network login, it can be used to find the password for a user.

pascal