Tags: php, openssl, ldap, domain-controller, adldap

Php adLDAP Error - Unable to bind to server: Strong(er) authentication required


I am attempting to use PHP adLDAP version 4.04 to authenticate on a corporate network with no success yet.

PHP Version 5.2.4

I tried this Stack Overflow post, "PHP ldap - Strong(er) authentication required", with no luck.

I am NOT an admin on this domain controller; I only need to be able to query.

I am able to ping HOSTNAMEOFDC.domain.location.company.com (the FQDN of my Domain Controller)

The domain controller is a Windows Server 2012 R2 Standard.

I have successfully queried this domain controller using DsQuery and PowerShell AD Module with no problem and no authentication that I had to manually type.

My code:

<?php
require_once("includes/php/adLDAP/src/adLDAP.php");
$username = "domain\\username"; // also tried just "username"
$password = "somepassword";

// All possible settings are listed in this array (trailing commas so any
// combination of lines can be uncommented without a parse error)
$options = array(
        "account_suffix" => "@domain.location.company.com",
//      "admin_username" => $username,
//      "admin_password" => $password,
//      "ad_port" => "636",
//      "base_dn" => "DC=domain,DC=location,DC=company,DC=com",
        "domain_controllers" => array("HOSTNAMEOFDC.domain.location.company.com"),
//      "real_primarygroup" => "",
//      "recursive_groups" => "",
//      "use_ssl" => true,
//      "use_tls" => true,
);

$adldap = new adLDAP($options);

// authenticate() binds to the DC as the given user and returns true on success
$authUser = $adldap->user()->authenticate($username, $password);
if ($authUser) {
    echo "User authenticated successfully";
} else {
    // getLastError is not needed, but may be helpful for finding out why:
    echo $adldap->getLastError() . "<br>";
    echo "User authentication unsuccessful";
}

// Destroy: close() releases the LDAP link; the destructor runs by itself at
// script end, so it must not be called explicitly (it would close the link twice)
$adldap->close();
?>

I get the error:

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Strong(er) authentication required in C:\xampp\htdocs\Workspace\Project\scripts\includes\php\adLDAP\src\adLDAP.php on line 712
Strong(er) authentication required
User authentication unsuccessful

Then when I uncomment "use_ssl" => true I get this error:

FYI, ssl is loaded in my php.ini

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in C:\xampp\htdocs\Workspace\Project\scripts\includes\php\adLDAP\src\adLDAP.php on line 712
Can't contact LDAP server
User authentication unsuccessful

I've also tried uncommenting "use_tls" => true and I get this error:

Warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Connect error in C:\xampp\htdocs\Workspace\Project\scripts\includes\php\adLDAP\src\adLDAP.php on line 638

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in C:\xampp\htdocs\Workspace\Project\scripts\includes\php\adLDAP\src\adLDAP.php on line 712
Can't contact LDAP server
User authentication unsuccessful

Solution

  • This answer pertains to PHP 5.2 to 5.3; this bug has been fixed in newer versions (probably)

    Annoyingly, when PHP spits back the error "Unable to bind to server: Strong(er) authentication required", it is actually telling you that it needs a certificate or group of certificates ON YOUR LOCAL MACHINE and a .conf file pointing to them.

    I created a directory: C:\openldap\sysconf (it did not exist prior).

    I made the file ldap.conf in C:\openldap\sysconf

    In *nix you would probably put it in /etc or a subdir in there, but I have not tested that yet.

    I went and found the PEM file for our certs and extracted it in the directory (a PEM file is basically the whole chain of certs in one file).

    Within ldap.conf I added the line: TLS_CACERT C:\openldap\sysconf\Certs.pem

    If you cannot get the PEM certs, you can use TLS_REQCERT never instead. Be careful when doing this. You expose yourself to a man-in-the-middle attack by doing this. It will not validate the endpoint.

    Once I did this, I successfully bound.

    If that doesn't work, try putting ldap.conf in C:\ (root level); it seems to depend on what version of PHP you are using - it decides to look in different places for ldap.conf.
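The answer above fixes the problem through the OpenLDAP client's ldap.conf. As an added example (not code from the question, the answer or adLDAP), here is the same LDAPS bind done with PHP's ldap extension directly, with certificate verification made explicit in the script instead of relying on whichever ldap.conf the client happens to find. It assumes PHP 7.1 or later for the LDAP_OPT_X_TLS_* constants (on PHP 5.2/5.3 those constants do not exist and the ldap.conf lines shown in the comment block are the only way to point the client at the CA chain); the hostname, domain, certificate path, account names and password are placeholders. Two details worth noting: the bind name is a bare UPN (user@domain) rather than DOMAIN\user with a suffix appended, and an empty password is refused before the bind because Active Directory treats an empty simple bind as an anonymous bind and reports success for it.

```php
<?php
// Added example, not code from the question, the answer or adLDAP.
// All hostnames, paths and credentials below are assumed placeholders.
//
// On PHP 5.2/5.3 the LDAP_OPT_X_TLS_* options do not exist; there the OpenLDAP
// client library reads C:\openldap\sysconf\ldap.conf (Windows) or
// /etc/openldap/ldap.conf (*nix). Secure vs. weak contents, side by side:
//
//   # secure: verify the DC certificate against the corporate CA chain
//   TLS_CACERT  C:\openldap\sysconf\Certs.pem
//   TLS_REQCERT demand
//
//   # weak: accepts any certificate; the bind password can be intercepted
//   # TLS_REQCERT never

$dc       = 'HOSTNAMEOFDC.domain.location.company.com'; // assumed DC FQDN
$baseDn   = 'DC=domain,DC=location,DC=company,DC=com';  // assumed search base
$caBundle = 'C:\openldap\sysconf\Certs.pem';             // assumed CA chain, PEM
$bindUser = 'username@domain.location.company.com';      // UPN: no extra suffix
$bindPass = 'somepassword';                               // assumed
$lookup   = 'someone';                                    // sAMAccountName to query

// Open an LDAPS (port 636) link and pin verification to the corporate CA chain.
// ldap_connect() only prepares the link; the TLS handshake happens at bind time,
// so the TLS options must be set on the link before ldap_bind().
function ldapsConnect($host, $caBundle)
{
    $conn = ldap_connect("ldaps://$host:636");
    if ($conn === false) {
        throw new RuntimeException("bad LDAP URI for $host");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD returns referrals; chasing them stalls searches
    if (defined('LDAP_OPT_X_TLS_CACERTFILE')) {    // PHP >= 7.1
        ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caBundle);
        ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    } else {
        // Older PHP: verification is governed solely by ldap.conf (see comment block above)
        trigger_error('per-connection TLS options unavailable; relying on ldap.conf', E_USER_NOTICE);
    }
    return $conn;
}

// Simple bind as the query user, then look up one account by sAMAccountName.
// Returns the entry array, or null if no such user exists.
function bindAndLookup($conn, $bindUser, $bindPass, $baseDn, $sam)
{
    if ($bindPass === '') {
        // AD answers an empty simple bind as anonymous and says "success": never let that through
        throw new RuntimeException('empty password would become an anonymous bind');
    }
    if (!@ldap_bind($conn, $bindUser, $bindPass)) {
        // The server-side diagnostic text says *why* (signing required, bad password, ...)
        $diag = '';
        $opt  = defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ? LDAP_OPT_DIAGNOSTIC_MESSAGE : 0x0032;
        ldap_get_option($conn, $opt, $diag);
        throw new RuntimeException('bind failed: ' . ldap_error($conn) . ' ' . $diag);
    }
    // Escape the user-supplied value so it cannot alter the filter
    $filter  = '(&(objectClass=user)(sAMAccountName='
             . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($conn, $baseDn, $filter, array('displayName', 'mail'));
    $entries = ldap_get_entries($conn, $result);
    return $entries['count'] > 0 ? $entries[0] : null;
}

try {
    $conn  = ldapsConnect($dc, $caBundle);
    $entry = bindAndLookup($conn, $bindUser, $bindPass, $baseDn, $lookup);
    echo $entry ? "found: {$entry['dn']}\n" : "no such user\n";
    ldap_unbind($conn);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

If the bind still fails, the diagnostic message printed next to ldap_error() is the thing to read. "Strong(er) authentication required" is LDAP result code 8 (strongerAuthRequired); a domain controller whose LDAP signing policy is set to "Require signing" returns it for any simple bind over plain port 389, whatever the password, which is why the fix is to talk LDAPS (or StartTLS) and why the TLS_CACERT line in the answer is what makes that channel verifiable rather than merely encrypted.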