LDAP bind with Win Server 2008 R2 Standard AD fails - ldap

The environment is a single server running Win Server 2008 R2 Standard with SP1 with Apache 2.2 and PHP 5.3.19.
I have a PHP script that attempts to do an LDAP bind to the Win Server 2008 R2 Active Directory and fails no matter what variations I try. I put in a lot of echos to see the results at each step, and I've discovered that ldap_connect ALWAYS connects. I can put total garbage in the URL and it never fails. The latest iteration of my PHP script does an anonymous bind, then does an ldap_search, which fails.
Here's the script (actual domain, user & pswd changed):
<?php
define(LDAP_OPT_DIAGNOSTIC_MESSAGE, 0x0032);
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
echo "<br>LDAP set debug level: " . ldap_errno($ad) . ' ' . ldap_error($ad);
$LDAPhost = 'ldap://myDomain.com';
$LDAPport = '3268';
$ad = ldap_connect($LDAPhost, $LDAPport);
echo "<br>LDAP connect to $LDAPhost: " . ldap_errno($ad) . ' ' . ldap_error($ad);
if ($ad) {
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
echo "<br>LDAP set protocol to version 3: " . ldap_errno($ad) . ' ' . ldap_error($ad);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
echo "<br>LDAP set referrals to 0: " . ldap_errno($ad) . ' ' . ldap_error($ad);
$bind = ldap_bind($ad);
echo "<br>LDAP bind: " . ldap_errno($ad) . ' ' . ldap_error($ad);
$baseDN = 'CN=Users,DC=myDomain,DC=com';
$filter = '(objectClass=*)';
$search = ldap_search($ad, $baseDN, $filter);
echo "<br>LDAP search $baseDN $filter: " . ldap_errno($ad) . ' ' . ldap_error($ad);
if ($rec = ldap_get_entries($ad, $search)) {
echo "<br>LDAP get entries: " . ldap_errno($ad) . ' ' . ldap_error($ad);
for ($i = 0; $i < $rec["count"]; $i++) {
echo "<br>$rec[0]['uid'][0]";
echo "<br>$rec[0]['givenname'][0]";
}
} else {
echo '<br>Record not found.';
}
ldap_close($ad);
} else {
echo '<br><br>Could not connect.';
}
?>
The displayed results are:
LDAP set debug level:
LDAP connect to ldap://myDomain.com: 0 Success
LDAP set protocol to version 3: 0 Success
LDAP set referrals to 0: 0 Success
LDAP bind: 0 Success
LDAP search CN=Users,DC=myDomain,DC=com (objectClass=*): 1 Operations error
Record not found.
Using the Windows LDP.exe utility, I am able to bind with the same user/pswd credentials used in the test.
I would love to know exactly what to put as the base DN, i.e. what is ldap_bind comparing these values to? Something in Active Directory? Something in the registry? Something else?
Searching for this stuff turns up lots of examples, but none that work for me. Any ideas?


The Base DN you need is a valid DN in your AD. How do you find a base DN? Well you need to look at the rootDSE, to see what the namingContexts attribute says.
If you have a Unix box with ldapsearch, you can do an
ldapsearch -x -h mydomain.com -p3268 | less to see what namingContexts values are.
AD usually has 4 namingContexts values as I recall by default. (Don't have an AD box to do a quick test against). Many GUI LDAP tools can let you connect and look at the rootDSE or else have a GUI way to see it.


One thing to note is if the base DN doesn't seem to work and you are sure of everything, try using the 2003 format for the username: user#domain instead of the DN. There seems to be an issue where a domain that was migrated from a 2003 controller to a 2008 controller might have issues binding using PHP LDAP functions. I don't have the full details as I'm still exploring it but the 2003 format works on a 2008 R2 domain controller. Below is a sample basic function used in testing.
# $ldapconn = a valid connection
# $username = a username in the format 'username#domain'
# #password = the password for the above user
function ad_auth($ldapconn,$username,$password){
ldap_set_option ($ldapconn, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
try {
$ldap_bind = ldap_bind($ldapconn, $username, $password);
} catch (Exception $e){
# Your error code
}
return $ldap_bind;
}
Usage: $rs = ad_auth($ldapconn,$username,$password);
If I figure out the cause I'll post it.

Related

user Login web service required using prestashop api

I am working on prestashop web services for my android app, i searched a lot in google, but i did not find proper document/proper explanation. Can any one please guide me how to do user login/authentication using prestashop web services?.

You can make a call to the customer endpoint filtering by the customer's email. The result would have a "passwd" field, which is a hashed password which could either be md5 or bcrypt since Prestashop supports both. You can then hash the customer's password input and compare with the "passwd" field in the response. If the length of the "passwd" field is 32 (md5), you'll need parameter _COOKIE_KEY_ set in /app/config/parameters.php as a salt to generate your hash;
Make the call like this https://yourprestashopurl.com/api/customers?filter[email]=email#email.com&display=full
For md5 (if passwd is 32 characters long):
$hash = md5(_COOKIE_KEY_ . $input_password);
You can then compare $hash with passwd
For bcrypt (if passwd is 60 characters long):
Option 1:
$verify = password_verify($input_password, passwd);
You can accept $input_password when this returns true, otherwise $input_password is invalid
Option 2:
$hash = password_hash($input_password, PASSWORD_BCRYPT);
You can then compare $hash with passwd
Note: password_hash and password_verify are both built-in php functions since PHP 5.5.0

Use the PrestaShop webservices and filter with email and password like below:
http://localhost/api/customers/?filter[email]=test#prestashop.com&filter[password]=19910794b7c0b413e80f58298a8d8300

For those who are still searching for this answer:
<?php
if (isset($_GET["email"]) && isset($_GET["password"]))
{
$email = $_GET["email"];
$password = $_GET["password"];
$COOKIE_KEY = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
$jsonurl = "https://XXXXXXXXXXXXXXXXXXXX#example.com/api/customers?filter[email]=".$email."&display=[passwd]&output_format=JSON";
$json = file_get_contents($jsonurl);
$json_a = json_decode($json, true);
$loopone = $json_a['customers'];
$looptwo = $loopone[0];
$loopthree = $looptwo['passwd'];
$ZCpassword = md5($COOKIE_KEY . $password);
if (strcmp($loopthree, $ZCpassword) == 0) {
echo "sucess";
} else {
echo "fail";
}
}
else
{
echo "Error";
}
?>

Rancid/ Looking Glass perl script hitting an odd error: $router unavailable

I am attempting to set up a small test environment (homelab) using CentOS 6.6, Rancid 3.1, Looking Glass, and some Cisco Switches/Routers, with httpd acting as the handler. I have picked up a little perl by means of this endeavor, but python (more 2 than 3) is my background. Right now, everything on the rancid side of things works without issue: bin/clogin successfully logs into all of the equipment in the router.db file, and logging of the configs is working as expected. All switches/routers to be accessed are available and online, verified by ssh connection to devices as well as using bin/clogin.
Right now, I have placed the lg.cgi and lgform.cgi files into var/www/cgi-bin/ which allows the forms to be run as cgi scripts. I had to modify the files to split on ';' instead of ':' due to the change in the .db file in Rancid 3.1:#record = split('\:', $_); was replaced with: #record = split('\;', $_); etc. Once that change was made, I was able to load the lgform.cgi with the proper router.db parsing. At this point, it seemed like everything should be good to go. When I attempt to ping from one of those devices out to 8.8.8.8, the file correctly redirects to lg.cgi, and the page loads, but with
main is unavailable. Try again later.
as the error, where 'main' is the router hostname. Using this output, I was able to find the function responsible for this output. Here it is before I added anything:
sub DoRsh
{
my ($router, $mfg, $cmd, $arg) = #_;
my($ctime) = time();
my($val);
my($lckobj) = LockFile::Simple->make(-delay => $lock_int,
-max => $max_lock_wait, -hold => $max_lock_hold);
if ($pingcmd =~ /\d$/) {
`$pingcmd $router`;
} else {
`$pingcmd $router 56 1`;
}
if ($?) {
print "$router is unreachable. Try again later.\n";
return(-1);
}
if ($LG_SINGLE) {
if (! $lckobj->lock("$cache_dir/$router")) {
print "$router is busy. Try again later.\n";
return(-1);
}
}
$val = &DoCmd($router, $mfg, $cmd, $arg);
if ($LG_SINGLE) {
$lckobj->unlock("$cache_dir/$router");
}
return($val);
}
In order to dig in a little deeper, I peppered that function with several print statements. Here is the modified function, followed by the output from the loaded lg.cgi page:
sub DoRsh
{
my ($router, $mfg, $cmd, $arg) = #_;
my($ctime) = time();
my($val);
my($lckobj) = LockFile::Simple->make(-delay => $lock_int,
-max => $max_lock_wait, -hold => $max_lock_hold);
if ($pingcmd =~ /\d$/) {
`$pingcmd $router`;
} else {
`$pingcmd $router 56 1`;
}
print "About to test the ($?) branch.\n";
print "Also who is the remote_user?:' $remote_user'\n";
print "What about the ENV{REMOTE_USER} '$ENV{REMOTE_USER}'\n";
print "Here is the ENV{HOME}: '$ENV{HOME}'\n";
if ($?) {
print "$lckobj is the lock object.\n";
print "#_ something else to look at.\n";
print "$? whatever this is suppose to be....\n";
print "Some variables:\n";
print "$mfg is the mfg.\n";
print "$cmd was the command passed in with $arg as the argument.\n";
print "$pingcmd $router\n";
print "$cloginrc - Is the cloginrc pointing correctly?\n";
print "$LG_SINGLE the next value to be tested.\n";
print "$router is unreachable. Try again later.\n";
return(-1);
}
if ($LG_SINGLE) {
if (! $lckobj->lock("$cache_dir/$router")) {
print "$router is busy. Try again later.\n";
return(-1);
}
}
$val = &DoCmd($router, $mfg, $cmd, $arg);
if ($LG_SINGLE) {
$lckobj->unlock("$cache_dir/$router");
}
return($val);
}
OUTPUT:
About to test the (512) branch.
Also who is the remote_user?:' '
What about the ENV{REMOTE_USER} ''
Here is the ENV{HOME}: '.'
LockFile::Simple=HASH(0x1a13650) is the lock object.
main cisco ping 8.8.8.8 something else to look at.
512 whatever this is suppose to be....
Some variables:
cisco is the mfg.
ping was the command passed in with 8.8.8.8 as the argument.
/bin/ping -c 1 main
./.cloginrc - Is the cloginrc pointing correctly?
1 the next value to be tested.
main is unreachable. Try again later.
I can provide the code for when DoRsh is called, if necessary, but it looks mostly like this:&DoRsh($router, $mfg, $cmd, $arg);.
From what I can tell the '$?' special variable (or at least according to
this reference it is a special var) is returning the 512 value, which is causing that fork to test true. The problem is I don't know what that 512 means, nor where it is coming from. Using the ref site's description ("The status returned by the last pipe close, backtick (``) command, or system operator.") and the formation of the conditional tree above, I can see that it is some error of some kind, but I don't know how else to proceed with this inspection. I'm wondering if maybe it is in response to some permission issue, since the remote_user variable is null, when I didn't expect it to be. Any guidance anyone may be able to provide would be helpful. Furthermore, if there is any information that I may have skipped over, that I didn't think to include, or that may prove helpful, please ask, and I will provide to the best of my ability

May be you put in something like
my $pingret=$pingcmd ...;
print 'Ping result was:'.$pingret;
And check the returned strings?

How to make the website Ping ARR server and say I am going down?

I have successfully configured the ARR in Windows Azure environment, the web server instances are added to server farm.
Using Health Check option in server farm, instance that timed-out or not responding is made unhealthy.
My Question is
Instead of the ARR web farm (doing health check every 10 seconds) ping the website, is it possible or the web role itself ping back the ARR server and say I am going down ?
Is it possible to ping the ARR Server from web role and say I am going down? or this is there any best approach available.
Please suggest.

I wanted some extra notifications with our ARR setup and I put this PowerShell script together that runs once an hour and checks the health status and notify me via email when ever any hosting server was seen as unhealthy. We also use other outside resources that ping the web farm externally once an minute and alerts us when it can't be seen (Pingdom). I have a feeling you're looking for a little more than this but I hope it helps a little.
#----- First add a reference to the MWA dll ----#
$dll=[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Web.Administration")
#----- Get the manager and config object ----#
$mgr = new-object Microsoft.Web.Administration.ServerManager
$conf = $mgr.GetApplicationHostConfiguration()
#----- Get the webFarms section ----#
$section = $conf.GetSection("webFarms")
$webFarms = $section.GetCollection()
#----- Define an array for html fragments ----#
$fragments=#()
#----- Check each webfarm ----#
foreach ($webFarm in $webFarms)
{
$Name= $webFarm.GetAttributeValue("name");
#Get the servers in the farm
$servers = $webFarm.GetCollection()
#Write-Host "Farm Name: " $Name
$fragments+= "<b>Farm Name: $Name</b>"
$fragments+="<br>"
foreach($server in $servers)
{
$ip= $server.GetAttributeValue("address")
$hostname= ([system.net.dns]::GetHostByAddress($ip)).hostname
#Get the ARR section
$arr = $server.GetChildElement("applicationRequestRouting")
$counters = $arr.GetChildElement("counters")
$isHealthy=$counters.GetAttributeValue("isHealthy")
$state= $counters.GetAttributeValue("state")
switch ($state)
{
0 {$state= "Available"}
1 {$state= "Drain"}
2 {$state= "Unavailable"}
default {$state= "Non determinato"}
}
if( $isHealthy)
{
$isHealthy="Healthy"
$fragments+="$hostname -- $ip -- $state -- $isHealthy"
$fragments+="<br>"
}
else
{
$isHealthy="Not Healthy"
$notHealthy="RED ALERT!! This is what we trained for!"
$fragments+="$hostname -- $ip -- $state -- $isHealthy"
$fragments+="<br>"
}
#Write-Host -NoNewLine $hostname " " $ip " " $state " " $isHealthy
#NEW LINE
#Write-Host
}
#NEW LINE
#Write-Host
if($notHealthy){
#write the results to HTML formated email
$smtpServer = "SMTP server"
$smtpFrom = "email address"
$smtpTo = "email address"
$messageSubject = "Unhealthy Web Server"
$message = New-Object System.Net.Mail.MailMessage $smtpfrom, $smtpto
$message.Subject = $messageSubject
$message.IsBodyHTML = $true
$message.Body = $fragments
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$smtp.Send($message)
}
}

Rename screenshots taken on failure in PHPUnit Selenium

PHPUnit has an option to take a screenshot upon a Selenium test case failure. However, the screenshot filename generated is a hash of something - I don't know what exactly. While the test result report allows me to match a particular failed test case with a screenshot filename, this is troublesome to use.
If I could rename the screenshot to use the message from the failed assert as well as a timestamp for instance, it makes the screenshots much easier to cross-reference. Is there any way to rename the generated screenshot filename at all?

You could try something like this (it's works with selenium2):
protected function tearDown() {
$status = $this->getStatus();
if ($status == \PHPUnit_Runner_BaseTestRunner::STATUS_ERROR || $status == \PHPUnit_Runner_BaseTestRunner::STATUS_FAILURE) {
$file_name = sys_get_temp_dir() . '/' . get_class($this) . ':' . $this->getName() . '_' . date('Y-m-d_H:i:s') . '.png';
file_put_contents($file_name, $this->currentScreenshot());
}
}
Also uncheck
protected $captureScreenshotOnFailure = FALSE;

I ended up using a modified version of #sectus' answer:
public function onNotSuccessfulTest(Exception $e) {
$file_name = '/' . date('Y-m-d_H-i-s') . ' ' . $this->getName() . '.png';
file_put_contents($this->screenshotPath . $file_name, base64_decode($this->captureEntirePageScreenshotToString()));
parent::onNotSuccessfulTest($e);
}
Although the conditional check in tearDown() works fine, based on Extending phpunit error message, I decided to go with onNotSuccessfulTest() as it seemed cleaner.
The filename could not accept colons :, or I would get an error message from file_get_contents: failed to open stream: Protocol error
The function currentScreenshot also did not exist, so I ended up taking the screenshot in a different way according to http://www.devinzuczek.com/2011/08/taking-a-screenshot-with-phpunit-and-selenium-rc/.

Another method I played around with, as I still wanted to use $this->screenshotUrl and $this->screenshotPath for convenient configuration:
I overwrote takeScreenshot from https://github.com/sebastianbergmann/phpunit-selenium/blob/master/PHPUnit/Extensions/SeleniumTestCase.php
protected function takeScreenshot() {
if (!empty($this->screenshotPath) &&
!empty($this->screenshotUrl)) {
$file_name = '/' . date('Y-m-d_H-i-s') . ' ' . $this->getName() . '.png';
file_put_contents($this->screenshotPath . $file_name, base64_decode($this->captureEntirePageScreenshotToString()));
return 'Screenshot: ' . $this->screenshotUrl . '/' . $file_name . ".png\n";
} else {
return '';
}
}

Username and password are correct but I'm still getting ERROR: SQLSTATE[28000] [1045]

I'm switching from mySql to PDO, but I'm having trouble creating the correct connection to the database. The username and password work in mySql, but I get this error message when I try to connect using the code shown below:
ERROR: SQLSTATE[28000] [1045] Access denied for user 'sean'#'localhost' (using password: NO)
I'm not really sure why it's saying password 'NO' because I'm definitely using the correct password, and there aren't any users named Sean. Is there something wrong with the syntax I'm using for the username or password?
This is the code I'm using (I'm swapping out 'MyPassword' for the actual password)
<?php
session_start();
try {
$conn = new PDO('mysql:host=localhost;dbname=MyDatabase', $clickfi4_root, $MyPassword);
$stmt = $conn->prepare('SELECT * FROM customer_info WHERE id = :id');
$stmt->execute(array('id' => $id));
$result = $stmt->fetchAll();
if ( count($result) ) {
foreach($result as $row) {
print_r($row);
}
} else {
echo "No rows returned.";
}
} catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
}
?>

The error message said:
(using password: NO)
Which means a password was not used in the login attempt.
Check the value of $MyPassword.
Also, try using an account other than the root. It's not the best practice anyway.

Sometimes username#127.0.0.1 does the trick instead of username#localhost.

Turns out that the syntax in the net tuts tutorial I was using was slightly wrong. It works when I remove the '$' before the username and password :-)
$conn = new PDO('mysql:host=localhost;dbname=MyDatabase', clickfi4_root, MyPassword);

For future Googlers, I had the same problem just now and I was pretty sure that password was correct. Yes password was correct indeed but the problem is how I generate password and how I keep password in config file.
If you use a random password generator like me make sure you don't have $ dollar sign in your password.
If you have $ in you password then make sure you keep you password in config file like this
$pass = 'randomchars$morerandom';
but not like this
$pass = "randomchars$morerandom";