LDAP Authentication - PHP (Please Help) search

Question

Ok, I have changed my code from what I had before. I also found out that I didn't have the development version working! :/
My new code is better constructed, but I can't get my head around the LDAP_SEARCH bit the error I'm getting is:

Error:

Warning: ldap_search(): Search: Operations error in C:\inetpub\wwwroot\Intranet\login\index.php     on line 34
 Search on LDAP failed

My Code:

<?php
// Application specific LDAP login
$app_user = 'cn=users,dc=DOMAIN, dc=local';
$app_pass = '';

// User-provided info (either from _POST or any way else)
// You should LDAP-escape $username here since it will be
//    used as a parameter for searches, but it's not a 
//    subject of this article. That one will follow soon. :-)
$username = 'USERNAME';
$password = PASSWORD;

// Here we'll put user's DN
$userdn = 'users';

// Connect to LDAP service
$conn_status = ldap_connect('SERVER.DOMAIN.local', 389);
if ($conn_status === FALSE) {
die("Couldn't connect to LDAP service");
 }

// Bind as application
$bind_status = ldap_bind($conn_status, $app_user, $app_pass);
if ($bind_status === FALSE) {
die("Couldn't bind to LDAP as application user");
}

// Find the user's DN
// See the note above about the need to LDAP-escape $username!
$query = "(&(uid=" . $username . ")(objectClass=user))";
$search_base = "cn=users,dc=DOMAIN, dc=local";
$search_status = ldap_search(
$conn_status, $search_base, $query, array('dn')
);
if ($search_status === FALSE) {
die("Search on LDAP failed");
}

// Pull the search results
$result = ldap_get_entries($conn_status, $search_status);
if ($result === FALSE) {
die("Couldn't pull search results from LDAP");
}

if ((int) @$result['count'] > 0) {
// Definitely pulled something, we don't check here
//     for this example if it's more results than 1,
//     although you should.
$userdn = $result[0]['dn'];
}

if (trim((string) $userdn) == '') {
die("Empty DN. Something is wrong.");
}

// Authenticate with the newly found DN and user-provided password
$auth_status = ldap_bind($conn_status, $userdn, $password);
if ($auth_status === FALSE) {
die("Couldn't bind to LDAP as user!");
}

print "Authentication against LDAP succesful. Valid username and password provided.";
?>

Background Info:

The Server is on our domain and is connected to from inside the network as the service is an intranet which will not be externally exposed to the internet.

Answer 1

• The LDAP directory server to which this client connects has responded to the search request with an operation error, which is a specific LDAP result code. The directory server logs should be consulted to determine why this particular server rejected the search request.
• Search requests should always include a size limit and time limit, and a notion of whether to dereference aliases. Some APIs have the poor habit of generating errors when size limits or time limits are exceeded. These APIs should be avoided, but if PHP is one of them, specify the parameters explicitly and check that an error is not being generated and not reported properly.
• The search request lists dn as an attribute to be returned. dn is not an attribute, it is the primary key of the object for which the search is being conducted. If the LDAP client wishes to return attributes and their values from the search request, the attributes must be listed individually, or * will return all user attributes, and + will return all operational attributes (each attribute has associated with it access controls which might limit the authorization states that can retrieve attributes). If the LDAP client desires that no attributes be returned from a search, the client should use the OID 1.1 in the attribute list. The server will return just the DNs of the entries which match the search parameters in that case.

see also

• LDAP: Search best practices
• LDAP: Programming practices