After spending nearly a full day figuring out how to make PHP (5.2.x) authenticate to OS X Server's (10.4.9) OpenLDAP, I decided to put down the results:
Must always do
ldap_set_option ($ds, LDAP_OPT_PROTOCOL_VERSION, 3)or else you get a Protocol error
Trying to do an anonymous bind before searching for a users DN for authentication is moot. PHP will tell you Server is unwilling to perform and /var/log/slapd.log will read something like unauthenticated bind (DN with no password) disallowed. Tried turning allow bind_anon_dn on but no dice.
So the solution was to just search for the full DN without a anonymous bind:
$result = ldap_search ($ds, $myBaseDn, "uid=$username", array ("cn")); $info = ldap_get_entries ($ds, $result); $userDn = $info['dn'];
… and then try to authenticate:
$r = ldap_bind ($ds, $userDn, $password);
No changes on the server side are required, AFAIK.
Some other random notes on troubleshooting LDAP:
256 is a good loglevel
To redirect slapd output to /var/log/slapd.log, I had to add:
… to syslog.conf