views: 97
answers: 1

I am trying to bind to AD with php_ldap (using ADLdap), from a Ubuntu (hardy 8.04LTS) host. Binding on port 389 is fine to ldap://myserver, but does not allow me to do things like set password, so I need to bind on port 636 to ldaps://myserver.

I am aware that some form of credential passing occurs, perhaps with certificates, but I am really struggling to get anything working - the bind fails on ldaps.

The test rig AD has a container Users, in domain mydom.local. The account I am using to bind is in the Users container, and has a DN of

'CN=LDAP BIND,OU=Users,DC=mydom,DC=local' and a password of 'mypass'

Its sAMAccountName is ldap.

I suspect I either need to install some extra packages on the ubuntu box, or do some magic to AD on the windows server, or do some certificate grabbing stuff, but I am stuck.

Just to add some detail, if I try to connect from the command line with ldapsearch to search for a user called install, I get:

ldapsearch -vv   -H 'ldaps://server.mydom.local' -Y DIGEST-MD5 -X 'dn:CN=LDAP BIND,OU=Users,DC=mydom,DC=local' sAMAccountname=install -U 'u:LDAP BIND'
ldap_initialize( ldaps://server.mydom.local:636/??base )
SASL/DIGEST-MD5 authentication started
Please enter your password: mypass
ldap_sasl_interactive_bind_s: Invalid credentials (49)

As I say, I can successfully bind on 389.

I have installed on the ubuntu box ldap-utils, libldap, php5-ldap, and /etc/ldap/ldap.conf is:

TLS_REQCERT never
BINDDN 'CN=LDAP BIND,OU=Users,DC=mydom,DC=local'
URI ldaps://server.mydom.local

Any advice?

A: 

Aha! Found it: in order to bind to AD over SSL, you need to install libsasl2-modules-gssapi-mit, so on Ubuntu use

apt-get install libsasl2-modules-gssapi-mit

I found the answer here: https://help.ubuntu.com/community/ActiveDirectoryHowto

This made all my bind issues go away. Obviously, if you are doing this to allow ADLdap to change passwords, the user you bind with will need sufficient permissions on the AD server.

WaveyDavey
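The thing the question was actually trying to do, a bind over ldaps:// followed by a password write, as an added example using the plain php-ldap extension rather than ADLdap. This is not code from the original question, answer, or the ADLdap project. The host, bind DN and password are the placeholders from the question; the target user's DN, the CA file path and the new password are assumed. It also addresses the one thing a practitioner would want changed in the posted ldap.conf: `TLS_REQCERT never` switches off certificate checking, so an attacker between the web host and the domain controller could read the bind password and the new password in clear; point `TLS_CACERT` at the domain CA and set `TLS_REQCERT demand` instead.

```php
<?php
// Added example, not from the original post or from ADLdap: simple bind to
// Active Directory over LDAPS and reset a user's password with php-ldap.
// Values below are the placeholders from the question plus assumed ones;
// nothing here is a real credential.
//
// Certificate checking is done by the OpenLDAP client library from
// /etc/ldap/ldap.conf. Instead of "TLS_REQCERT never", use (assumed path):
//   TLS_CACERT  /etc/ssl/certs/mydom-root-ca.pem
//   TLS_REQCERT demand
// so the server identity is verified before any password crosses the wire.

$uri    = 'ldaps://server.mydom.local';              // port 636 implied
$bindDn = 'CN=LDAP BIND,OU=Users,DC=mydom,DC=local';
$bindPw = 'mypass';
$userDn = 'CN=install,OU=Users,DC=mydom,DC=local';   // assumed DN of the target user
$newPw  = 'N3w-P@ssw0rd!';                           // constructed value

/**
 * AD stores passwords in the unicodePwd attribute. A write must be the new
 * password wrapped in double quotes, encoded as UTF-16LE, and sent over an
 * encrypted connection; otherwise AD refuses it (unwilling to perform, 53).
 * Requires the mbstring extension; iconv('UTF-8', 'UTF-16LE', ...) also works.
 */
function adEncodePassword($plain)
{
    return mb_convert_encoding('"' . $plain . '"', 'UTF-16LE', 'UTF-8');
}

function adResetPassword($uri, $bindDn, $bindPw, $userDn, $newPw)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException('ldap_connect failed for ' . $uri);
    }
    // AD requires LDAPv3. Disabling referral chasing stops the client from
    // following AD's referrals with a fresh (anonymous) bind elsewhere.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Simple bind with DN and password; over ldaps:// this travels inside TLS,
    // which is what makes AD accept the password write that follows.
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException(sprintf('bind failed: (%d) %s', ldap_errno($ds), ldap_error($ds)));
    }

    // Administrative reset via replace. The bind account needs the
    // "Reset password" right on the target object (this is the "sufficient
    // permissions" the answer mentions). A self-service change by the user
    // would instead delete the old value and add the new one in one request.
    $ok = @ldap_mod_replace($ds, $userDn, array('unicodePwd' => adEncodePassword($newPw)));
    if (!$ok) {
        $msg = sprintf('password write failed: (%d) %s', ldap_errno($ds), ldap_error($ds));
        ldap_unbind($ds);
        throw new RuntimeException($msg);
    }
    ldap_unbind($ds);
    return true;
}

try {
    adResetPassword($uri, $bindDn, $bindPw, $userDn, $newPw);
    echo "password reset OK\n";
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

If the bind in this script fails with "Invalid credentials (49)" while the same DN and password work on port 389, check the SASL module from the answer and the TLS settings in /etc/ldap/ldap.conf before suspecting the account; if the write fails with error 53, the connection was not encrypted or the password does not meet the domain policy.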