Tags: php, ldap, openldap

PHP connecting to OpenLDAP without Fully Distinguished Name


I am attempting to replicate a Microsoft AD environment utilizing OpenLDAP on Ubuntu so that I can have a test environment for my web applications. The issue I am running into is that the ldap_bind command returns the error "Invalid DN syntax" unless I use the fully distinguished username to connect in OpenLDAP; however, this is not an issue on the Microsoft side of things. Is there a way to force OpenLDAP to search its directory for that user to authenticate against, versus having to use the fully distinguished name? Thanks for the help.

Edit: Here is what doesn't work but would be the goal:

$ad = ldap_connect('ldap://localhost') or die("Could not connect!");
// Use LDAP protocol version 3 and do not chase referrals
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3) or die("Could not set ldap protocol version");
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0) or die("Could not disable referrals");
// Binding with a bare username instead of a DN: OpenLDAP answers "Invalid DN syntax"
$bd = ldap_bind($ad, 'admin', 'Password1') or die("Couldn't bind");

And here is what works:

$ad = ldap_connect('ldap://localhost') or die("Could not connect!");
// Use LDAP protocol version 3 and do not chase referrals
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3) or die("Could not set ldap protocol version");
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0) or die("Could not disable referrals");
// Binding with the user's full DN works
$bd = ldap_bind($ad, 'cn=admin,dc=example,dc=com', 'Password1') or die("Couldn't bind");

Solution

  • Yes, AD does use a neat trick to find the FDN from some attributes. I do wish some of the other LDAP server vendors would implement something similar.

    You will need to bind as a user with sufficient rights to locate and read the user's attributes and pass the FDN to the bind for the user.
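The two-step "search, then bind" procedure the answer describes, written out as an added example (this code is not from the question or the answer). Background on the error in the question: an LDAP simple bind name must be a DN, so a bare `admin` is rejected by OpenLDAP; Active Directory is lenient and also accepts a userPrincipalName or `DOMAIN\user` in that field. The base DN `dc=example,dc=com`, the read-only service account `cn=lookup,dc=example,dc=com`, the login attribute `uid` (use `sAMAccountName` against AD) and the `$_POST` field names are assumptions for a test directory. The example also covers the two checks a practitioner wants here: the username is escaped with `ldap_escape()` before it goes into the search filter (otherwise `*)(uid=*` becomes an LDAP injection), and an empty password is refused up front, because a bind with a DN and an empty password is an unauthenticated bind that many servers report as success.

```php
<?php
// Added example: authenticate a user against OpenLDAP by looking up the DN
// from a login attribute and then binding as that DN.
// Assumed names: base DN dc=example,dc=com, read-only service account
// cn=lookup,dc=example,dc=com, login attribute uid (sAMAccountName on AD).

function ldap_authenticate(
    string $uri, string $baseDn, string $svcDn, string $svcPw,
    string $username, string $password, string $loginAttr = 'uid'
): ?string {
    // An empty password is not a failed login in LDAP: a DN plus an empty
    // password is an unauthenticated bind, which servers may accept.
    if ($username === '' || $password === '') {
        return null;
    }

    $ds = ldap_connect($uri);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Plain ldap:// sends both passwords in clear text; upgrade the
    // connection with STARTTLS unless an ldaps:// URI was given.
    if (strpos($uri, 'ldaps://') !== 0 && !@ldap_start_tls($ds)) {
        ldap_close($ds);
        return null;
    }

    // Step 1: bind as the service account that may read user entries.
    if (!@ldap_bind($ds, $svcDn, $svcPw)) {
        ldap_close($ds);
        return null;
    }

    // Step 2: find the user's DN. Escape the username so filter
    // metacharacters in it cannot change the query.
    $filter = sprintf(
        '(&(objectClass=person)(%s=%s))',
        $loginAttr,
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    // Size limit 2 lets us detect duplicate login names cheaply.
    $sr = @ldap_search($ds, $baseDn, $filter, ['dn'], 0, 2);
    if ($sr === false) {
        ldap_close($ds);
        return null;
    }
    $entries = ldap_get_entries($ds, $sr);
    // Exactly one match or refuse: two entries sharing a login name is a
    // directory problem, not something to settle by taking the first hit.
    if ($entries['count'] !== 1) {
        ldap_close($ds);
        return null;
    }
    $userDn = $entries[0]['dn'];

    // Step 3: bind again, this time as the user with the DN just found.
    $ok = @ldap_bind($ds, $userDn, $password);
    ldap_close($ds);
    return $ok ? $userDn : null;
}

// Usage with a login form (field names are assumptions).
$dn = ldap_authenticate(
    'ldap://localhost', 'dc=example,dc=com',
    'cn=lookup,dc=example,dc=com', 'lookup-password',
    $_POST['username'] ?? '', $_POST['password'] ?? ''
);
if ($dn === null) {
    http_response_code(401);
    exit("Login failed\n");
}
echo "Authenticated as $dn\n";
```

Give the lookup account read access to the login attribute and nothing more; do not reuse `cn=admin` for this step, since its password then sits in the web application's configuration. Keeping the service-account bind and the user bind on one connection is fine, but the function always finishes by binding as the user, so a later request never runs with the service account's rights by accident.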