# phpldapadmin: logging in as rootdn?

## tecknojunky

I don't know if it's my memory playing tricks on me, but I thought I remembered that to log in as the rootdn in phpldapadmin, you had to specify the whole rootdn, identical to what you've set in the slapd.conf, no?  :Confused: 

Like cn=root,dc=inet?

Can't log in.  Can't find help on the subject, not even in the phpldapadmin documentation.  Crazy!  :Shocked: 

----------

## Falador

Correct, to logon as rootdn you use the rootdn username and password from your slapd.conf.

Can you do an ldapsearch on the command line using your rootdn and password? Have you tried changing the slapd logging level to 256 and checking /var/log/messages?

----------

## tecknojunky

 *Falador wrote:*   

> Correct, to logon as rootdn you use the rootdn username and password from your slapd.conf.
> 
> Can you do an ldapsearch on the command line using your rootdn and password? Have you tried changing the slapd logging level to 256 and checking /var/log/messages?

 

It's a working centralized user/password system that's been set up for something like a year or so.  I need to add a user, but phpldapadmin was borked because of a drastic change in the config.php format.  I can't log on to the ldap server as cn=root,dc=inet, but I can do ldapsearch -D "cn=root,dc=inet" -W from the console.

Me = scratch head with finger + raising shoulders.

----------

## Janne Pikkarainen

Is OpenLDAP itself updated within this year? If it is, it may expect your client to connect with ldapv3 instead of ldapv2 (for example), and decide to reject anything lower than ldapv3. 

If that is the case, adding the line

```
allow bind_v2
```

to /etc/openldap/slapd.conf should do the trick. Alternatively, if phpldapadmin can be told to connect with ldapv3, that's maybe an even better option.

----------

## tecknojunky

Well, I'm not sure openldap is faulty.  If I log in as a normal user, I can authenticate.  If I try to log in as the rootdn, I can't.

I'm wondering if it's my config.php that is wrong.

```
<?php

/**
 * The phpLDAPadmin config file
 *
 * This is where you can customise some of the phpLDAPadmin defaults
 * that are defined in config_default.php.
 *
 * To override a default, use the $config->custom variable to do so.
 * For example, the default for defining the language in config_default.php
 *
 * $this->default->appearance['lang'] = array(
 *      'desc'=>'Language',
 *      'default'=>'auto');
 *
 * to override this, use $config->custom->appearance['lang'] = 'en';
 *
 * This file is also used to configure your LDAP server connections.
 *
 * You must specify at least one LDAP server there. You may add
 * as many as you like. You can also specify your language, and
 * many other options.
 */

/**                                         **/
/** Miscellaneous Configuration overrides   **/
/**                                         **/

/* If you are asked to put pla in debug mode, this is how you do it: */
// $config->custom->debug['level'] = 2;
// $config->custom->debug['syslog'] = true;

/* phpLDAPadmin can encrypt the content of sensitive cookies if you set this
   to a big random string. */
$config->custom->session['blowfish'] = 'very long text';

/* The language setting. If you set this to 'auto', phpLDAPadmin will
   attempt to determine your language automatically. Otherwise, available
   languages are: 'ct', 'de', 'en', 'es', 'fr', 'it', 'nl', and 'ru'
   Localization is not complete yet, but most strings have been translated.
   Please help by writing language files. See lang/en.php for an example. */
$config->custom->appearance['language'] = 'auto';

/* The temporary storage directory where we will put jpegPhoto data
   This directory must be readable and writable by your web server. */
// $config->custom->jpeg['tmpdir'] = "c:\\temp";                // Example for Windows systems
$config->custom->jpeg['tmpdir'] = "/tmp";                       // Example for Unix systems

/**                                         **/
/** Your LDAP servers                       **/
/**                                         **/

$i=0;
$ldapservers = new LDAPServers;

/* A convenient name that will appear in the tree viewer and throughout phpLDAPadmin to
   identify this LDAP server to users. */
$ldapservers->SetValue($i,'server','name','LDAP pour Inet');

/* Examples:
   'ldap.example.com',
   'ldaps://ldap.example.com/',
   'ldapi://%2fusr%local%2fvar%2frun%2fldapi' (Unix socket at /usr/local/var/run/ldap) */
$ldapservers->SetValue($i,'server','host','ldaps://manitou.inet/');

/* The port your LDAP server listens on (no quotes). 389 is standard. */
$ldapservers->SetValue($i,'server','port','636');

/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin auto-detect it for you. */
//$ldapservers->SetValue($i,'server','base',array('dc=inet'));

/* Three options for auth_type:
   1. 'cookie': you will login via a web form, and a client-side cookie will store your
      login dn and password.
   2. 'session': same as cookie but your login dn and password are stored on the web server in
      a persistent session variable.
   3. 'config': specify your login dn and password here in this config file. No login will be
      required to use phpLDAPadmin for this server.
   Choose wisely to protect your authentication information appropriately for your situation. If
   you choose 'cookie', your cookie contents will be encrypted using blowfish and the secret you specify
   above as session['blowfish']. */
$ldapservers->SetValue($i,'server','auth_type','session');

/* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or 'cookie' or 'session' auth_types,
   leave the login_dn and login_pass blank. If you specify a login_attr in conjunction with a cookie or
   session auth_type, then you can also specify the login_dn/login_pass here for searching the directory for
   users (ie, if your LDAP server does not allow anonymous binds). */
// $ldapservers->SetValue($i,'login','dn','cn=Manager,dc=example,dc=com');

/* Your LDAP password. If you specified an empty login_dn above, this MUST also be blank. */
// $ldapservers->SetValue($i,'login','pass','secret');

/* Use TLS (Transport Layer Security) to connect to the LDAP server. */
//$ldapservers->SetValue($i,'server','tls',true);

/* If the link between your web server and this LDAP server is slow, it is recommended that you set
   'low_bandwidth' to true. This will cause phpLDAPadmin to forego some "fancy" features to conserve bandwidth. */
// $ldapservers->SetValue($i,'server','low_bandwidth',false);

/* Default password hashing algorithm. One of md5, ssha, sha, md5crypt, smd5, blowfish, crypt or
   leave blank for the default algorithm. */
$ldapservers->SetValue($i,'appearance','password_hash','md5');

/* If you specified 'cookie' or 'session' as the auth_type above, you can optionally specify here an attribute
   to use when logging in. If you enter 'uid' and login as 'dsmith', phpLDAPadmin will search for (uid=dsmith)
   and log in as that user. Leave blank or specify 'dn' to use full DN for logging in. Note also that if your
   LDAP server requires you to login to perform searches, you can enter the DN to use when searching in 'login_dn'
   and 'login_pass' above. You may also specify 'string', in which case you can provide a string to use for
   logging users in. See 'login_string' directly below. */
// $ldapservers->SetValue($i,'login','attr','uid');

/* If you specified 'cookie' or 'session' as the auth_type above, and you specified 'string' for 'login_attr'
   above, you must provide a string here for logging users in. If, for example, I have a lot of user entries with
   DNs like "uid=dsmith,ou=People,dc=example,dc=com", then I can specify a string
   "uid=<username>,ou=People,dc=example,dc=com" and my users can login with their user names alone, ie: "dsmith"
   in this case. */
// $ldapservers->SetValue($i,'login','string','uid=<username>,ou=People,dc=example,dc=com');

/* If 'login_attr' is used above such that phpLDAPadmin will search for your DN at login, you may restrict the
   search to a specific objectClass.  E.g., set this to 'posixAccount' or 'inetOrgPerson', depending upon your setup. */
// $ldapservers->SetValue($i,'login','class','');

/* Specify true if you want phpLDAPadmin to not display or permit any modification to the LDAP server. */
// $ldapservers->SetValue($i,'server','read_only',false);

/* Specify false if you do not want phpLDAPadmin to draw the 'Create new' links in the tree viewer. */
// $ldapservers->SetValue($i,'appearance','show_create',true);

/* This feature allows phpLDAPadmin to automatically determine the next available uidNumber for a new entry. */
// $ldapservers->SetValue($i,'auto_number','enable',true);

/* The mechanism to use when finding the next available uidNumber. Two possible values: 'uidpool' or 'search'.
   The 'uidpool' mechanism uses an existing uidPool entry in your LDAP server to blindly lookup the next available
   uidNumber. The 'search' mechanism searches for entries with a uidNumber value and finds the first available
   uidNumber (slower). */
// $ldapservers->SetValue($i,'auto_number','mechanism','search');

/* The DN of the search base when the 'search' mechanism is used above. */
// $ldapservers->SetValue($i,'auto_number','search_base','ou=People,dc=example,dc=com');

/* The minimum number to use when searching for the next available UID number (only when 'search' is used for
   auto_uid_number_mechanism) */
// $ldapservers->SetValue($i,'auto_number','min','1000');

/* The DN of the uidPool entry when 'uidpool' mechanism is used above. */
// $servers[$i]['auto_uid_number_uid_pool_dn'] = 'cn=uidPool,dc=example,dc=com';

/* If you set this, then phpldapadmin will bind to LDAP with this user ID when searching for the uidnumber. The
   idea is, this user id would have full (readonly) access to uidnumber in your ldap directory (the logged in user
   may not), so that you can be guaranteed to get a unique uidnumber for your directory. */
// $ldapservers->SetValue($i,'auto_number','dn','');

/* The password for the dn above. */
// $ldapservers->SetValue($i,'auto_number','pass','');

/* Disable the anonymous login. */
// $ldapservers->SetValue($i,'login','anon_bind',true);

/* Use customized page with prefix when available. */
// $ldapservers->SetValue($i,'custom','pages_prefix','custom_');

/* If you set this, then phpldapadmin will bind to LDAP with this user when testing for unique attributes (as set
   in unique_attrs array). If you want to enforce unique attributes, then this id should have full (readonly) access
   to the attributes in question (the logged in user may not have enough access) */
// $ldapservers->SetValue($i,'unique_attrs','dn','');

/* The password for the dn above */
// $ldapservers->SetValue($i,'unique_attrs','pass','');

/* If you set this, then only these DNs are allowed to log in. This array can contain individual users, groups or
   ldap search filter(s). Keep in mind that the user has not authenticated yet, so this will be an anonymous search
   to the LDAP server, so make your ACLs allow these searches to return results! */
// $ldapservers->SetValue($i,'login','allowed_dns',array(
//      'uid=stran,ou=People,dc=example,dc=com',
//      '(&(gidNumber=811)(objectClass=groupOfNames))',
//      '(|(uidNumber=200)(uidNumber=201))',
//      'cn=callcenter,ou=Group,dc=example,dc=com'));

/* Set this if you don't want this LDAP server to show in the tree */
// $ldapservers->SetValue($i,'appearance','visible',true);

/* This is the time out value in minutes for the server. After as many minutes of inactivity you will be
   automatically logged out. If not set, the default value will be ( session_cache_expire()-1 ) */
// $ldapservers->SetValue($i,'login','timeout',30);

/* Set this if you want phpldapadmin to perform rename operation on entry which has children. Certain servers are known
   to allow it, certain are not */
// $ldapservers->SetValue($i,'server','branch_rename',false);

/* If you want to configure additional LDAP servers, do so below. */
/*
$i++;
$ldapservers->SetValue($i,'server','name','LDAP Server');
$ldapservers->SetValue($i,'server','host','127.0.0.1');
$ldapservers->SetValue($i,'server','port','389');
$ldapservers->SetValue($i,'server','base',array(''));
$ldapservers->SetValue($i,'server','auth_type','cookie');
$ldapservers->SetValue($i,'login','dn','');
$ldapservers->SetValue($i,'login','pass','');
$ldapservers->SetValue($i,'server','tls',false);
$ldapservers->SetValue($i,'server','low_bandwidth',false);
$ldapservers->SetValue($i,'appearance','password_hash','md5');
$ldapservers->SetValue($i,'login','attr','uid');
$ldapservers->SetValue($i,'login','string','');
$ldapservers->SetValue($i,'login','class','');
$ldapservers->SetValue($i,'server','read_only',false);
$ldapservers->SetValue($i,'appearance','show_create',true);
$ldapservers->SetValue($i,'auto_number','enable',true);
$ldapservers->SetValue($i,'auto_number','mechanism','search');
$ldapservers->SetValue($i,'auto_number','search_base','');
$ldapservers->SetValue($i,'auto_number','min','1000');
$ldapservers->SetValue($i,'auto_number','dn','');
$ldapservers->SetValue($i,'auto_number','pass','');
$ldapservers->SetValue($i,'login','anon_bind',true);
$ldapservers->SetValue($i,'custom','pages_prefix','custom_');
$ldapservers->SetValue($i,'unique_attrs','dn','');
$ldapservers->SetValue($i,'unique_attrs','pass','');
$ldapservers->SetValue($i,'appearance','visible',false);
*/

/* If you want to configure more LDAP servers, copy and paste the above (including the "$i++;")
   Don't forget to change 'visible' to true! */

/**                                         **/
/** User-friendly attribute translation     **/
/**                                         **/

/* Use this array to map attribute names to user friendly names. For example, if you
   don't want to see "facsimileTelephoneNumber" but rather "Fax". */
$friendly_attrs = array();
$friendly_attrs[ 'facsimileTelephoneNumber' ] =         'Fax';
$friendly_attrs[ 'telephoneNumber' ]  =                 'Phone';

/**                                         **/
/** Support for attrs display order         **/
/**                                         **/

/* Use this array if you want to have your attributes displayed in a specific order.
   You can use default attribute names or their friendly names.
   For example, "sn" will be displayed right after "givenName". All the other attributes
   that are not specified in this array will be displayed after in alphabetical order. */
// $attrs_display_order = array(
//      "givenName",
//      "sn",
//      "cn",
//      "displayName",
//      "uid",
//      "uidNumber",
//      "gidNumber",
//      "homeDirectory",
//      "mail",
//      "userPassword"
// );

/**                                         **/
/** Hidden attributes                       **/
/**                                         **/

/* You may want to hide certain attributes from being displayed in the editor screen
   Do this by adding the desired attributes to this list (and uncomment it). This
   only affects the editor screen. Attributes will still be visible in the schema
   browser and elsewhere. An example is provided below:
   NOTE: The user must be able to read the hidden_except_dn entry to be excluded. */
//$hidden_attrs = array( 'jpegPhoto', 'objectClass' );
//$hidden_except_dn = "cn=PLA UnHide,ou=Groups,c=AU";

/* Hidden attributes in read-only mode. If undefined, it will be equal to $hidden_attrs. */
// $hidden_attrs_ro = array( 'objectClass','shadowWarning', 'shadowLastChange', 'shadowMax',
//      'shadowFlag', 'shadowInactive', 'shadowMin', 'shadowExpire');

/**                                         **/
/** Read-only attributes                    **/
/**                                         **/

/* You may want phpLDAPadmin to display certain attributes as read only, meaning
   that users will not be presented a form for modifying those attributes, and they
   will not be allowed to be modified on the "back-end" either. You may configure
   this list here:
   NOTE: The user must be able to read the read_only_except_dn entry to be excluded. */
//$read_only_attrs = array( 'objectClass' );
//$read_only_except_dn = "cn=PLA ReadWrite,ou=Groups,c=AU";

/* An example of how to specify multiple read-only attributes: */
// $read_only_attrs = array( 'jpegPhoto', 'objectClass', 'someAttribute' );

/**                                         **/
/** Unique attributes                       **/
/**                                         **/

/* You may want phpLDAPadmin to enforce some attributes to have unique values (ie:
   not belong to other entries in your tree). This (together with the "unique_attrs_dn"
   and "unique_attrs_dn_pass" options) will not let updates occur when other entries
   have the same value for those attributes.
   NOTE: Currently the unique_attrs is NOT enforced when copying a dn. (Need to present a user with
   the option of changing the unique attributes.) */
//$unique_attrs = array('uid','uidNumber','mail');

/**                                         **/
/** Predefined Queries (canned views)       **/
/**                                         **/

/* To make searching easier, you may setup predefined queries below: */
$q=0;
//$queries = array();

/* The name that will appear in the simple search form */
//$queries[$q]['name'] = 'User List';

/* The base to search on */
//$queries[$q]['base'] = 'dc=example,dc=com';

/* The search scope (sub, base, one) */
//$queries[$q]['scope'] = 'sub';

/* The LDAP filter to use */
//$queries[$q]['filter'] = '(&(objectClass=posixAccount)(uid=*))';

/* The attributes to return */
//$queries[$q]['attributes'] = 'cn, uid, homeDirectory';

/* If you want to configure more pre-defined queries, copy and paste the above (including the "$q++;") */
/*
$q++;
$queries[$q]['name'] = 'Samba Users';
$queries[$q]['base'] = 'dc=example,dc=com';
$queries[$q]['scope'] = 'sub';
$queries[$q]['filter'] = '(&(|(objectClass=sambaAccount)(objectClass=sambaSamAccount))(objectClass=posixAccount)(!(uid=*$)))';
$queries[$q]['attributes'] = 'uid, smbHome, uidNumber';

$q++;
$queries[$q]['name'] = 'Samba Computers';
$queries[$q]['base'] = 'dc=example,dc=com';
$queries[$q]['scope'] = 'sub';
$queries[$q]['filter'] = '(&(objectClass=sambaAccount)(uid=*$))';
$queries[$q]['attributes'] = 'uid, homeDirectory';
*/

?>
```

----------

## Janne Pikkarainen

Looks ok to me, not that I'd know anything about phpldapadmin.  :Very Happy: 

What if you enable more verbose logging in OpenLDAP? Adding loglevel 255 to /etc/openldap/slapd.conf would make slapd log conversations between phpldapadmin and slapd in a very verbose manner. Maybe that would reveal if

a) slapd is unable to find any entries matching the rootdn you specified or

b) if it decides to deny your access for some reason.

How about ACLs in /etc/openldap/slapd.conf? Do they allow you to login as root? Probably yes, since you are able to login with ldapsearch... but you never know about these things...  :Smile: 

----------

## tecknojunky

This makes no sense.  I think phpldapadmin is broken.  I'm using 0.9.7.  I upgraded to that version because 0.9.7_alpha6 (marked as stable?!?  :Confused:  ) was yielding error messages and, thus, was even worse to use.

----------

## tecknojunky

Damn!   :Sad: 

Thanks to your tip of running slapd from the console, I saw that phpldapadmin was trying to bind as uid=cn=root,dc=inet,ou=People,dc=inet.

Changing these fixed it:

```
$ldapservers->SetValue($i,'server','base',array('dc=inet'));
$ldapservers->SetValue($i,'login','attr','dn');
```

I can now sorta create objects, but I get bunches of php errors.  phpldapadmin 0.9.7 does not seem quite stable.  Am I alone in thinking that  :Question: 
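The mangled bind DN in the post above (uid=cn=root,dc=inet,ou=People,dc=inet) is what you get when a full DN is typed into a login form that is configured to treat the input as a bare username. The following is an added illustration, not phpLDAPadmin's code: it models the three login modes from the thread's config.php ('dn', 'uid'-style attribute search, and 'string' with a <username> template) against a constructed toy directory, and flags the misconfiguration.

```python
# Hypothetical reconstruction of how a phpLDAPadmin-style login form maps the
# name typed into the form onto the DN it binds with, driven by the
# ('login','attr') and ('login','string') settings from the thread's config.php.
# Not phpLDAPadmin's own code; the toy directory and helper names are constructed.
import re

# Constructed stand-in for the subtree under dc=inet (DN -> attributes).
DIRECTORY = {
    "cn=root,dc=inet": {"cn": ["root"]},
    "uid=dsmith,ou=People,dc=inet": {"uid": ["dsmith"]},
}


def search(base, attr, value):
    """Toy replacement for an LDAP subtree search for (attr=value) under base."""
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base) and value in attrs.get(attr, [])]


def resolve_bind_dn(login, login_attr, base, login_string=""):
    """Return the DN the web UI would bind with, or None if none can be found.

    login_attr '' or 'dn'     : the typed value is the DN and is used verbatim
    login_attr 'string'       : substitute the typed value into login_string
    anything else (e.g. 'uid'): search (login_attr=login) under base
    """
    if login_attr in ("", "dn"):
        return login
    if login_attr == "string":
        if "<username>" not in login_string:
            raise ValueError("login_string must contain <username>")
        return login_string.replace("<username>", login)
    hits = search(base, login_attr, login)
    return hits[0] if len(hits) == 1 else None


# A value that starts with 'attr=' is almost certainly a DN, not a bare username.
_DN_START = re.compile(r"^\s*[A-Za-z][\w.-]*=")


def typed_value_looks_like_dn(login):
    """True when the login field already holds a DN (e.g. 'cn=root,dc=inet')."""
    return bool(_DN_START.match(login))


def diagnose(login, login_attr, base, login_string=""):
    """Explain why a rootdn login fails under an attribute- or template-based
    login setting: the DN typed into the form is treated as a username and
    either wrapped into a bogus DN or searched for as an attribute value."""
    dn = resolve_bind_dn(login, login_attr, base, login_string)
    if login_attr not in ("", "dn") and typed_value_looks_like_dn(login):
        return (dn, f"login looks like a DN but login attr is '{login_attr}'; "
                    "set it to 'dn' or type the bare username")
    if dn is None:
        return (None, f"no single entry with {login_attr}={login} under {base}")
    return (dn, "ok")


if __name__ == "__main__":
    tmpl = "uid=<username>,ou=People,dc=inet"
    for attr in ("dn", "uid", "string"):
        print(attr, diagnose("cn=root,dc=inet", attr, "dc=inet", tmpl))
```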

----------

## TJNII

I followed the tips in the last post and bam! it started working.  The strange thing is it was working, and then it stopped.  phpLDAPadmin still has some issues, and the x86 release doesn't work at all, near as I can tell.

----------

## mocsokmike

 *tecknojunky wrote:*   

> Damn!  
> 
> Thanks to your tip of running slapd from the console, I saw that phpldapadmin was trying to bind as uid=cn=root,dc=inet,ou=People,dc=inet.
> 
> Changing these fixed it:
> ...

 

Do you use IE?

I also had php errors in IE6, but it works fine in Firefox.   :Smile: 

I use phpldapadmin 0.9.7.1 on amd64.

----------

## tecknojunky

 *mocsokmike wrote:*   

> Do you use IE?

 Yuk!   :Mad: 

----------

