LDAP / Active directory

[solved] AD Bind success, search fails [Tiki 5.3, Server 2008]

I was hoping someone could point me in the right direction for help on this one.

Webserver: CentOS 5.5 i386, apache 2.2.3, php 5.1.6, mysql 5.0.77
Directory Server: Windows Server 2008

My settings are very close to the recommended settings:
Host: myAD.server
Port: 389
LDAP Bind Type: Active Directory
Scope: Subtree
Base DN: dc=my,dc=base,dc=domain
User DN: OU=User & Computer Accounts
User attribute: sAMAccountName
User OC: user
Realname attribute: displayName
E-Mail attribute: mail
Group DN: (empty)
Group attribute: cn
Group OC: groupOfUniqueNames
Member attribute: memberOf
Member is DN: yes

The logs report:
1. Connect Host: ldap://myAD.server. Binddn:myname@my.base.domain at line 209 in /var/www/html/lib/auth/ldap.php
2. Bind successful.

However, the message I get on the login screen is:
Invalid username or password

There are no other errors reported in the log. I opened up Apache Directory Studio and connected to the AD server using the same credentials. I was successful and started a search using what I thought were the same settings:

(I have a screen capture, but I can't get it to upload and stick)
The key items are:
search base: userDN,baseDN
filter: (sAMAccountName=myname)
returning attributes: mail,displayName

I'm not sure where to look next. I don't know why it isn't progressing.

Update: I think I might know what is going on. I think that LDAP2 is reporting that a bind is successful when it is not. On line 315 of tiki_root/pear/Net/LDAP2.php is the public function bind.

The way it looks to be set up is that it will attempt an automatic connection first and will only attempt the manual bind if the automatic fails. What I *think* is happening is that my AD server is accepting the connection, but since it isn't authenticated correctly it will not return search results. But it doesn't fail in the way that the script expects, so I get no errors, no results, but no further attempts.

I don't know how to fix this. Here is a test script that returns the correct information:

$ldap_url = 'ad.url';
$ldap_domain = 'site.domain.ca.us';
$ldap_dn = "dc=site,dc=domain,dc=ca,dc=us";

$ds = ldap_connect( $ldap_url );
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

$username = "spopepro";
$password = "AverySTRONGpassword";

try {
    $login = ldap_bind( $ds, "$username@$ldap_domain", $password );
    // ldap_bind() returns false (with a warning) rather than throwing,
    // so raise the exception ourselves to reach the catch block below.
    if (!$login) {
        throw new Exception(ldap_error($ds));
    }
    echo '- Logged In Successfully';
    $attributes = array("displayName", "mail");
    $filter = "(&(objectCategory=user)(sAMAccountName=$username))";

    $result = ldap_search($ds, $ldap_dn, $filter, $attributes);

    $entries = ldap_get_entries($ds, $result);

    // ldap_get_entries() lower-cases attribute names in the result.
    if ($entries['count'] > 0) {
        echo "User Information:";
        echo "displayName: " . $entries[0]['displayname'][0];
        echo "email: " . $entries[0]['mail'][0];
    }
} catch (Exception $e) {
    echo '- Logged Out';
}

Any ideas if I am on the right track here? What can I do to further debug?
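As an added diagnostic (not code from the original post, from Tiki or from Net_LDAP2), this PHP function performs the same bind-then-search as the test script above but reports which stage failed and what the server said, which is the information the login screen's "Invalid username or password" hides. $host, $domain and $baseDn are assumed configuration values, and ldapFilterEscape is a hypothetical helper standing in for ldap_escape(), which PHP 5.1.6 does not have.

```php
<?php
// Added diagnostic, not code from the original post, Tiki or Net_LDAP2.
// Returns which stage failed (input, bind, search) and the server's reason.

// RFC 4515 filter escaping; ldap_escape() only exists from PHP 5.6.
function ldapFilterEscape($s)
{
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $s);
}

function adLoginCheck($host, $domain, $baseDn, $user, $password)
{
    // Never pass an empty password to ldap_bind(): LDAP servers, AD
    // included, treat it as an anonymous bind and report success.
    if ($user === '' || $password === '') {
        return array('ok' => false, 'stage' => 'input', 'error' => 'empty user or password');
    }
    $ds = ldap_connect($host);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD answers subtree searches with referrals

    // Test the return value; a failed bind only emits a PHP warning.
    if (!@ldap_bind($ds, $user . '@' . $domain, $password)) {
        return array('ok' => false, 'stage' => 'bind',
                     'error' => ldap_errno($ds) . ': ' . ldap_error($ds));
    }
    // A "successful" bind must still be able to read the user's own entry.
    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName='
            . ldapFilterEscape($user) . '))';
    $res = @ldap_search($ds, $baseDn, $filter, array('displayName', 'mail'));
    if ($res === false) {
        return array('ok' => false, 'stage' => 'search',
                     'error' => ldap_errno($ds) . ': ' . ldap_error($ds));
    }
    $n = ldap_count_entries($ds, $res);
    if ($n !== 1) {
        ldap_unbind($ds);
        return array('ok' => false, 'stage' => 'search',
                     'error' => "expected exactly 1 entry under $baseDn, got $n");
    }
    $e = ldap_get_entries($ds, $res); // attribute names come back lower-cased
    ldap_unbind($ds);
    return array('ok' => true, 'stage' => 'done',
                 'displayName' => isset($e[0]['displayname'][0]) ? $e[0]['displayname'][0] : '',
                 'mail'        => isset($e[0]['mail'][0]) ? $e[0]['mail'][0] : '');
}
// Example call with assumed values; the login form's fields replace $_POST here.
// var_dump(adLoginCheck('myAD.server', 'my.base.domain', 'dc=my,dc=base,dc=domain', $_POST['user'], $_POST['pass']));
```

A result with stage "bind" means AD rejected the credentials; stage "search" with a bind that passed points at the base DN, user DN or filter rather than the password.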

Well... that wasn't my best moment. I had made multiple changes to ldap.php, forgot about one of them (and didn't add the comment I should have), and then when I had fixed other problems the change I had made kept things from working. Really, if AD is configured correctly and you know your attribute names, 5.x really works fine out of the box. I win the dunce cap...