I have been running a simple ldap_bind() php script to verify the username/password combination of Active Directory users before presenting a simple menu to them. Unfortunately, as I’ve discovered, anyone can get the menu by entering a valid Active Directory group name and ANY string of characters for the password. In my case, my security auditor vendor guessed the username of “admin” and the password of “password”, which gave them the splash screen.
Previously working, yet faulty code.
<?php
$handle = ldap_connect('192.168.1.50');
ldap_set_option($handle, LDAP_OPT_REFERRALS, 0);
ldap_set_option($handle, LDAP_OPT_PROTOCOL_VERSION, 3);
// Binds with whatever the login form supplied and trusts the result. Nothing
// validates the credentials first: an empty password, for example, turns this
// into an unauthenticated (anonymous) bind, which the server reports as success.
$bnd = ldap_bind($handle, "USERNAME@DOMAIN.LOCAL", "PASSWORD");
if ($bnd) {
    echo "Successful Login!";
}
?>
I’ve tried using a different syntax for the second/username parameter using “UID=USERNAME,DC=DOMAIN,DC=LOCAL”. But that does not seem to ever work properly. I can only get the authentication to work with “USERNAME@DOMAIN.LOCAL” syntax.
The following code does a secondary check to ensure that the bind actually authenticated the user: after binding, it searches for the user's own account and group memberships, which an anonymous or unauthenticated bind is not permitted to read in a default Active Directory.
<?php
$base_dn = "DC=DOMAIN,DC=local"; // Where DOMAIN = your top-level domain
$handle = ldap_connect('192.168.1.50');
ldap_set_option($handle, LDAP_OPT_REFERRALS, 0);
ldap_set_option($handle, LDAP_OPT_PROTOCOL_VERSION, 3);
$bnd = ldap_bind($handle, "USERNAME@DOMAIN.local", "PASSWORD");
if ($bnd) {
    // Next, check that the bound identity can read its own account and the
    // groups it is a member of. A bind that only succeeded anonymously cannot
    // do this, so the search fails or returns no entry.
    if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032); // <-- optional details of failure (built in since PHP 7.1)
    }
    // ldap_escape() stops a crafted username from altering the filter.
    $filter = "(sAMAccountName=" . ldap_escape("USERNAME", "", LDAP_ESCAPE_FILTER) . ")";
    $groups = ldap_search($handle, $base_dn, $filter, array("cn", "memberOf"));
    if (!$groups || ldap_count_entries($handle, $groups) !== 1) {
        echo "FAILED to Login!<br />\n";
        // Diagnostic text is useful while debugging; log it rather than echo
        // it to the browser in production.
        ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);
        echo "Extended Error : " . $extended_error . "<br />\n";
    } else {
        echo "Successful Login!";
    }
}
?>
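As an added example (this is not code from the original post), here is how I would harden the same ldap_bind() check so that it fails closed. It rejects empty or malformed credentials before the bind ever happens, binds over LDAPS, asks the server who it actually authenticated with the Who Am I extended operation (RFC 4532), and only then runs the secondary search. The host dc01.domain.local, the UPN suffix DOMAIN.LOCAL and the base DN DC=DOMAIN,DC=LOCAL are placeholders; the ad_authenticate() function name and the username character rule are my own choices.

```php
<?php
// Added example, not the original post's code. Placeholders: adjust for your
// own domain. LDAPS (port 636) is assumed; a simple bind sends the password
// in clear text, so it must not run over plain ldap://.
const LDAP_URI   = 'ldaps://dc01.domain.local';
const UPN_SUFFIX = 'DOMAIN.LOCAL';
const BASE_DN    = 'DC=DOMAIN,DC=LOCAL';

function ad_authenticate(string $username, string $password): bool
{
    // 1. Refuse empty credentials. An empty password turns ldap_bind() into
    //    an unauthenticated bind (RFC 4513 5.1.2), which returns success.
    if ($username === '' || $password === '' || strlen($password) > 256) {
        return false;
    }
    // 2. Accept only a plain sAMAccountName (assumed character set) so the
    //    caller cannot smuggle another UPN suffix, a DN, or control bytes
    //    into the bind identity.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // 3. Simple bind as the user.
    if (!@ldap_bind($ldap, $username . '@' . UPN_SUFFIX, $password)) {
        ldap_unbind($ldap);
        return false;
    }

    // 4. Ask the directory which identity it bound. An anonymous or
    //    unauthenticated bind yields an empty authzId (RFC 4532). Fail closed
    //    if the operation is unsupported (needs PHP 7.2+ and a server that
    //    implements Who Am I).
    $whoami = ldap_exop_whoami($ldap);
    if ($whoami === false || $whoami === '') {
        ldap_unbind($ldap);
        return false;
    }

    // 5. Secondary check, as in the post: read the account back. The filter
    //    is built with ldap_escape() to prevent LDAP filter injection, and
    //    exactly one entry must come back. userAccountControl bit 0x2 is
    //    ACCOUNTDISABLE; a disabled account is rejected as defence in depth.
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($ldap, BASE_DN, $filter, ['userAccountControl', 'memberOf']);
    $ok = false;
    if ($res !== false && ldap_count_entries($ldap, $res) === 1) {
        $entry = ldap_get_entries($ldap, $res)[0];
        $uac   = (int) ($entry['useraccountcontrol'][0] ?? 0);
        $ok    = ($uac & 0x2) === 0;
    }
    ldap_unbind($ldap);
    return $ok;
}

// Usage: credentials come from the POSTed login form, never from the URL.
// if (ad_authenticate($_POST['user'] ?? '', $_POST['pass'] ?? '')) { ... }
```

Steps 1 and 2 alone close the hole the post describes, because the bind is never attempted with an empty password or an attacker-shaped identity; steps 4 and 5 are there so that a success result is cross-checked against what the server actually granted rather than trusted on its own.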