PHP and OS X's OpenLDAP

July 4, 2007

After spending nearly a full day figuring out how to make PHP (5.2.x) authenticate to OS X Server’s (10.4.9) OpenLDAP, I decided to put down the results:

  • Must always do ldap_set_option ($ds, LDAP_OPT_PROTOCOL_VERSION, 3), or else you get a "Protocol error" response from the server.

  • Trying to do an anonymous bind before searching for a user's DN for authentication is moot. PHP will tell you "Server is unwilling to perform", and /var/log/slapd.log will read something like "unauthenticated bind (DN with no password) disallowed". Tried turning allow bind_anon_dn on but no dice.

So the solution was to just search for the full DN without an anonymous bind:

// $username is interpolated straight into the filter: escape it first (PHP 5.6+ has ldap_escape()),
// otherwise a crafted username such as "*" can change what the search matches.
$result = ldap_search ($ds, $myBaseDn, "uid=$username", array ("cn"));
$info = ldap_get_entries ($ds, $result);
// Check $info['count'] is exactly 1 before trusting the first entry.
$userDn = $info[0]['dn'];

… and then try to authenticate:

// Reject an empty $password before this call: on servers that allow it, ldap_bind() with no password is an unauthenticated bind that succeeds.
$r = ldap_bind ($ds, $userDn, $password);

No changes on the server side are required, AFAIK.
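The whole search-then-bind flow described above, wrapped in one function, as an added example that is not code from the original post. The host URL and base DN in the sample call at the bottom are placeholders; the filter-escaping fallback is included because ldap_escape() only exists from PHP 5.6 on.

```php
<?php
// Added example, not code from the original post: the search-then-bind
// flow described above as one function. The host URL and base DN in the
// sample call at the bottom are placeholders.

// Escape a value for use inside an LDAP search filter (RFC 4515).
// PHP 5.6+ ships ldap_escape(); the fallback covers older releases such
// as the 5.2.x the post was written against.
function ldapFilterEscape($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

// Returns true only if $username resolves to exactly one entry under
// $baseDn and a simple bind as that entry with $password succeeds.
function ldapAuthenticate($host, $baseDn, $username, $password) {
    // An empty password turns ldap_bind() into an unauthenticated bind,
    // which some servers accept; never treat that as a login.
    if ($username === '' || $password === '') {
        return false;
    }
    $ds = ldap_connect($host);
    if ($ds === false) {
        return false;
    }
    // Required for OS X's slapd, otherwise the server answers "Protocol error".
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // No anonymous bind first: search for the DN directly, as the post describes.
    $filter = '(uid=' . ldapFilterEscape($username) . ')';
    $result = @ldap_search($ds, $baseDn, $filter, array('dn'));
    $info = ($result === false) ? false : ldap_get_entries($ds, $result);
    // Require exactly one match so the wrong entry can never be bound as.
    if ($info === false || $info['count'] !== 1) {
        ldap_close($ds);
        return false;
    }
    $userDn = $info[0]['dn'];
    // ldap_bind() raises a warning on a bad password; @ keeps it out of the response.
    $ok = @ldap_bind($ds, $userDn, $password);
    ldap_close($ds);
    return $ok === true;
}

// Sample call with placeholder values:
var_dump(ldapAuthenticate('ldap://ldap.example.com', 'dc=example,dc=com', 'jdoe', 'correct horse'));
```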

Some other random notes on troubleshooting LDAP:

  • A loglevel of 256 in slapd.conf is a good setting
  • To redirect slapd output to /var/log/slapd.log, I had to add:

    local4.*    /var/log/slapd.log

… to /etc/syslog.conf