PHP ldap_search against DS 5.2

We are switching from NIS to LDAP using Sun One Directory server 5.2.

I have to convert all our web PHP login scripts that are NIS based to LDAP.

I'm having a difficult time just trying to do a simple ldap_search; it always comes up with "No such object" in test.php on line 19. Below is the PHP code:

<?php
$info = array("userPassword","homeDirectory");
$rdn = "cn=proxy,ou=profile,dc=engr,dc=colostate,dc=edu";
$rdnPass = "password";
$basedn = "ou=People,cn=engr,cn=colostate,cn=edu";
$filter = "(uid=joeblow)";

$ds = ldap_connect("ldap.server.ip.here");
if (!$ds) {
    print "System Error";
    exit(0);
}

$bind = ldap_bind($ds, $rdn, $rdnPass);
if (!$bind) {
    print "System bind error";
    exit(0);
}

$sr = ldap_search($ds, $basedn, $filter, $info);
if (!$sr) {
    print "Ldap_search failed\n";
}
else {
    $info = ldap_get_entries($ds, $sr);
    print $info["count"]." entries returned\n";
}

ldap_close($ds);
?>

Here are logs for the DS server:

[27/Apr/2007:12:46:06 -0600] conn=108 op=-1 msgId=-1 - fd=38 slot=38 LDAP connection from 129.82.xxx.xx to 129.82.xxx.xxx
[27/Apr/2007:12:46:06 -0600] conn=108 op=0 msgId=1 - BIND dn="cn=proxy,ou=profile,dc=engr,dc=colostate,dc=edu" method=128 version=2
[27/Apr/2007:12:46:06 -0600] conn=108 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxy,ou=profile,dc=engr,dc=colostate,dc=edu"
[27/Apr/2007:12:46:06 -0600] conn=108 op=1 msgId=2 - SRCH base="ou=people,cn=engr,cn=colostate,cn=edu" scope=2 filter="(uid=joeblow)" attrs="userPassword homeDirectory"
[27/Apr/2007:12:46:06 -0600] conn=108 op=1 msgId=2 - RESULT err=32 tag=101 nentries=0 etime=0
[27/Apr/2007:12:46:06 -0600] conn=108 op=2 msgId=3 - UNBIND
[27/Apr/2007:12:46:06 -0600] conn=108 op=2 msgId=-1 - closing - U1
[27/Apr/2007:12:46:06 -0600] conn=108 op=-1 msgId=-1 - closed.

I've tried compiling PHP against OpenLDAP and against the native LDAP libraries on Solaris 10 in /usr/lib, but I get the same error regardless. Any ideas what I'm doing wrong in the code?

And yes, uid joeblow does exist in LDAP.

client1 % ldaplist -l passwd joeblow
dn: uid=joeblow,ou=people,dc=engr,dc=colostate,dc=edu
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: joeblow
cn: joeblow
uidNumber: 902
gidNumber: 66
gecos: Average User test acct,,,
homeDirectory: /top/students/UNGRAD/ES/joeblow/home
loginShell: /bin/csh

Thanks...

By cjaykeista at 2007-11-27 2:39:35
# 1

What happens if you do this from the command line:

ldapsearch -h <dshost> -b "ou=People,cn=engr,cn=colostate,cn=edu" -D "cn=proxy,ou=profile,dc=engr,dc=colostate,dc=edu" -w "password" "(uid=joeblow)" userPassword homeDirectory

Also, is there only one LDAP server involved so far? Wondering if the ldaplist command is being run against the same server.

As an aside, it's possible that the proxy user doesn't have read permission to userPassword, unless you've set up an ACI to allow this. But, this shouldn't make the entire entry invisible.

gtholberta at 2007-7-12 3:01:43
# 2

Hmmm,

Strange, the ldapsearch is giving the same error. Doesn't make sense; ldaplist works fine. And users are able to log in to the workstations via the console and ssh using LDAP for authentication. We have 4 LDAP servers: 2 master replicas and 2 replicas. I have verified the account is on each LDAP server.

Proxy is set up for read/write and I assume it is working, as I can use passwd to change my password okay. In the ldaplist output above I deleted the userPassword line.

cjaykeista at 2007-7-12 3:01:43
# 3

One thought.

Is ldapsearch dependent on the indexing commands you run after configuring DS 5.2 for user authentication? The commands:

directoryserver -s ldap vlvindex -n userRoot -T engr.colostate.edu.getgrent

and so on? I only ran what I thought I needed for user authentication, for user and group info only:

directoryserver -s ldap vlvindex -n userRoot -T engr.colostate.edu.getgrent
directoryserver -s ldap vlvindex -n userRoot -T engr.colostate.edu.getnetent
directoryserver -s ldap vlvindex -n userRoot -T engr.colostate.edu.getpwent
directoryserver -s ldap vlvindex -n userRoot -T engr.colostate.edu.getauthent

Should I just run all the indexing commands?

cjaykeista at 2007-7-12 3:01:43
# 4
> Doesn't make sense, ldaplist works fine.

See what is appended to your access log when you do the ldaplist command, then compare with the other search you're trying. This may give a clue as to what the issue is.

gtholberta at 2007-7-12 3:01:43
# 5

Well this is what I've found:

client1 % ldaplist -lv passwd joeblow
+++ database=passwd
+++ filter=(&(objectclass=posixaccount)(uid=joeblow))
+++ template for merging SSD filter=(&(%s)(uid=joeblow))
dn: uid=joeblow,ou=people,dc=engr,dc=colostate,dc=edu
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: joeblow
cn: joeblow
uidNumber: 902
gidNumber: 66
gecos: Average User test acct,,,
homeDirectory: /top/students/UNGRAD/ES/joeblow/home
loginShell: /bin/csh
userPassword: {crypt}BaGUMuiwsdfdsf

Log file:

[30/Apr/2007:09:30:15 -0600] conn=12153 op=-1 msgId=-1 - fd=56 slot=56 LDAPS connection from 129.82.232.129 to 129.82.224.33
[30/Apr/2007:09:30:15 -0600] conn=12153 op=-1 msgId=-1 - SSL 128-bit RC4
[30/Apr/2007:09:30:15 -0600] conn=12153 op=0 msgId=1 - BIND dn="cn=proxy,ou=profile,dc=engr,dc=colostate,dc=edu" method=128 version=3
[30/Apr/2007:09:30:15 -0600] conn=12153 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxy,ou=profile,dc=engr,dc=colostate,dc=edu"
[30/Apr/2007:09:30:15 -0600] conn=12153 op=1 msgId=2 - SRCH base="ou=people,dc=engr,dc=colostate,dc=edu" scope=1 filter="(&(objectClass=posixaccount)(uid=joeblow))" attrs=ALL
[30/Apr/2007:09:30:15 -0600] conn=12153 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[30/Apr/2007:09:30:15 -0600] conn=12153 op=2 msgId=3 - UNBIND
[30/Apr/2007:09:30:15 -0600] conn=12153 op=2 msgId=-1 - closing - U1
[30/Apr/2007:09:30:15 -0600] conn=12153 op=-1 msgId=-1 - closed.

So okay, try the ldapsearch command:

client1 % ldapsearch -h ldap2 -b "ou=People,cn=engr,cn=colostate,cn=edu" -D "cn=proxy,ou=profile,dc=engr,dc=colostate,dc=edu" -w password "(&(objectClass=posixaccount)(uid=joeblow))"
ldap_search: No such object

I'm starting to pull my hair out now!!!

cjaykeista at 2007-7-12 3:01:43
# 6
At least for your recent example, it looks like the problem is the search base.

ldaplist search base: "ou=people,dc=engr,dc=colostate,dc=edu"
vs.
ldapsearch search base: "ou=People,cn=engr,cn=colostate,cn=edu"

You want dc, not cn.

gtholberta at 2007-7-12 3:01:43
# 7
Thank you!!! Ahhhh!!! So stupid!! All this time I was seeing cn but reading dc in my head. It's working now, including my PHP script.

cjaykeista at 2007-7-12 3:01:43
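The thread ends with the cause found: the search base used cn= where the tree is built from dc= components, which the server reports as err=32 (No such object). The script below is an added example, not the poster's code, showing how the NIS-to-LDAP login script could be written so that this class of mistake is caught and reported, and so that the web tier never needs to read userPassword (post #1 already noted the proxy user may not have read access to it). It probes the base DN with a base-scope read before searching, reports ldap_error()/ldap_errno() on failure, escapes the uid taken from the login form before it is placed in the filter, requests LDAP protocol version 3 (the first access log shows version=2), and authenticates by binding as the user's own DN. The host, proxy password and the $_POST field names are assumptions; the proxy DN and base DN follow the thread.

```php
<?php
// Added example (not from the thread): NIS-to-LDAP web login against a
// Sun ONE DS 5.2 style tree. Host, proxy password and form field names are
// placeholders; proxyDn and baseDn use the thread's values, with dc= not cn=.

$ldapHost  = 'ldap.server.ip.here';                              // placeholder
$proxyDn   = 'cn=proxy,ou=profile,dc=engr,dc=colostate,dc=edu';  // from the thread
$proxyPass = 'password';                                         // placeholder
$baseDn    = 'ou=People,dc=engr,dc=colostate,dc=edu';            // dc=, not cn=

/**
 * Look up the DN and homeDirectory of $uid under $baseDn.
 * Returns an array on success or a string describing the failure.
 */
function findUser($ds, string $baseDn, string $uid)
{
    // Confirm the base DN exists. A typo such as cn=engr instead of dc=engr
    // fails here with errno 32 and a message that names the offending base.
    // '1.1' asks the server for no attributes at all.
    $probe = @ldap_read($ds, $baseDn, '(objectClass=*)', ['1.1']);
    if ($probe === false) {
        return sprintf('base DN "%s" not found: %s (%d)',
                       $baseDn, ldap_error($ds), ldap_errno($ds));
    }

    // Escape the user-supplied uid so it cannot change the filter structure.
    $filter = '(&(objectClass=posixAccount)(uid='
            . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . '))';
    $sr = @ldap_search($ds, $baseDn, $filter, ['homeDirectory']);
    if ($sr === false) {
        return sprintf('search failed: %s (%d)', ldap_error($ds), ldap_errno($ds));
    }
    $entries = ldap_get_entries($ds, $sr);
    if ($entries['count'] !== 1) {
        return 'expected exactly one entry, got ' . $entries['count'];
    }
    return [
        'dn'   => $entries[0]['dn'],
        // ldap_get_entries() returns attribute names lowercased
        'home' => $entries[0]['homedirectory'][0] ?? null,
    ];
}

/**
 * Authenticate a web login: proxy bind, find the user's DN, then bind as the user.
 * Returns the user array on success or a failure string.
 */
function authenticate(string $host, string $proxyDn, string $proxyPass,
                      string $baseDn, string $uid, string $password)
{
    // An empty password would turn the final bind into an anonymous bind
    // that "succeeds", so refuse it up front.
    if ($password === '') {
        return 'empty password refused';
    }
    $ds = ldap_connect($host);
    if ($ds === false) {
        return 'ldap_connect failed';
    }
    // The thread's first access log shows version=2; ask for LDAPv3.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ds, $proxyDn, $proxyPass)) {
        return 'proxy bind failed: ' . ldap_error($ds);
    }
    $user = findUser($ds, $baseDn, $uid);
    if (!is_array($user)) {
        ldap_unbind($ds);
        return $user;
    }
    // Let the directory verify the password; userPassword is never read.
    $ok = @ldap_bind($ds, $user['dn'], $password);
    ldap_unbind($ds);
    return $ok ? $user : 'invalid credentials';
}

// Usage with assumed form fields:
$result = authenticate($ldapHost, $proxyDn, $proxyPass, $baseDn,
                       $_POST['uid'] ?? '', $_POST['password'] ?? '');
if (is_array($result)) {
    print "login ok, home " . $result['home'] . "\n";
} else {
    print "login failed: " . $result . "\n";
}
?>
```

With the wrong base DN from the original script, the base-scope probe is what fails, and the message names the base and errno 32, which is exactly the err=32 line the DS access log showed. A plain TCP connection to port 389 sends the proxy and user passwords in clear; the second access log shows the workstations use LDAPS, and the web tier should too (ldaps:// in the host string, or ldap_start_tls()).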