I am trying to figure out how to configure the Zend_Auth_Adapter_Ldap to authenticate me against our Active Directory. Manually the authentication works without a problem, but I just can't get it to work using the Zend_Auth_Adapter_Ldap.

This is the bare minimum way. This works!

// Connect first: the options below need an existing connection resource.
$ldapcon = ldap_connect("ldaps://srv.dom.de", 636);
ldap_set_option($ldapcon, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapcon, LDAP_OPT_REFERRALS, 0);
// Simple bind with the user's full DN and password.
$bind = ldap_bind($ldapcon, "CN=USERNAME,OU=Benutzer,OU=DOM,DC=dom,DC=de", "PASSWORD");

This is how I tried configuring the Zend_Auth_Adapter_Ldap. This does not work!

ad.server2.host                = srv.dom.de
ad.server2.port                = 636
ad.server2.bindRequiresDn      = false
ad.server2.baseDn              = "OU=Benutzer,OU=DOM,DC=dom,DC=de"
ad.server2.accountFilterFormat = "CN=%s"
ad.server2.useSsl              = true
ad.server2.useStartTls         = false
;ad.server2.accountDomainName   = "dom.de"
;ad.server2.username            = "CN=TESTUSER"
;ad.server2.password            = "TESTPASS"

I tried setting the accountFilterFormat in a more AD-looking way like the following, but it did not yield any different result...

ad.server2.accountFilterFormat = "(&(objectclass=user)(sAMAccountName=%s))"

The current debug output is the following:

Ldap: 1: host=srv.dom.de,port=636,bindRequiresDn=,
         baseDn=OU=Benutzer,OU=DOM,DC=dom,DC=de,accountFilterFormat=CN=%s,
         useSsl=1,useStartTls=

Ldap: 2: USERNAME authentication failed: 0x31 
         (Invalid credentials; 80090308: LdapErr: DSID-0C090334, 
         comment: AcceptSecurityContext error, data 525, vece): USERNAME

I've tried lots of things now, trying to debug the Zend code itself, but I just can't figure it out. If anyone has some more insight about what options I need to set, I'll be very, very grateful!


Solution

This after all was just a configuration issue. Reading the docs carefully enough yielded the following configuration, which works:

ad.server2.host                   = srv.dom.de
ad.server2.port                   = 636
ad.server2.bindRequiresDn         = false
ad.server2.baseDn                 = "OU=Benutzer,OU=DOM,DC=dom,DC=de"
ad.server2.accountFilterFormat    = "CN=%s"
ad.server2.useSsl                 = true
ad.server2.useStartTls            = false
ad.server2.accountCanonicalForm   = 3
ad.server2.accountDomainNameShort = "dom"

And that's really all. Authentication against AD is done via the username dom\username, therefore the accountCanonicalForm had to be set to 3, which is the backslash-style syntax, and the accountDomainNameShort then defines the domain part of the canonical account name.

Once understood it's pretty logical, but figuring that out without any prior knowledge... well, it's working now :)
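For completeness, here is how the working ini section above is actually consumed by the adapter. This is an added example, not code from the original question or answer: it assumes the ini file is called `ldap.ini` (hypothetical name) and contains the `ad.server2.*` keys shown in the solution, and it uses only public Zend Framework 1 classes (Zend_Config_Ini, Zend_Auth_Adapter_Ldap, Zend_Auth, Zend_Ldap). The `$username`/`$password` values are placeholders for what a login form would submit.

```php
<?php
// Added example (ZF1). Assumes Zend Framework 1 is on the include_path.
require_once 'Zend/Config/Ini.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/Ldap.php';
require_once 'Zend/Ldap.php';

// Load the "ad" namespace: every ad.serverN.* block becomes one server
// option set, so several domain controllers can be tried in order.
$config  = new Zend_Config_Ini('ldap.ini');          // hypothetical file name
$options = $config->ad->toArray();                  // array('server2' => array(...))

// The user types just the short account name ("USERNAME"), as in the
// question. accountCanonicalForm = 3 (Zend_Ldap::ACCTNAME_FORM_BACKSLASH)
// makes the adapter bind as "dom\USERNAME", using accountDomainNameShort.
$username = 'USERNAME';   // placeholder for form input
$password = 'PASSWORD';   // placeholder for form input

$adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
$result  = Zend_Auth::getInstance()->authenticate($adapter);

if ($result->isValid()) {
    // getIdentity() returns the canonical account name the adapter bound with.
    echo "Authenticated as " . $result->getIdentity() . PHP_EOL;
} else {
    // The "Ldap: 1: host=...", "Ldap: 2: ... 0x31 ..." lines quoted in the
    // question are exactly these messages; they are useful for debugging
    // but contain the account name, so log them only where appropriate.
    foreach ($result->getMessages() as $message) {
        echo $message . PHP_EOL;
    }
}

// The canonical form can also be inspected directly, which is handy when
// checking what name the adapter will actually send to the domain controller.
$ldap = new Zend_Ldap($options['server2']);
echo $ldap->getCanonicalAccountName($username, Zend_Ldap::ACCTNAME_FORM_BACKSLASH) . PHP_EOL; // dom\USERNAME
echo $ldap->getCanonicalAccountName($username, Zend_Ldap::ACCTNAME_FORM_PRINCIPAL) . PHP_EOL; // USERNAME@dom.de, if accountDomainName is set
```

Two things worth keeping from the working configuration: `useSsl = true` with port 636 means the password never crosses the wire in the clear (the same as the `ldaps://` URL in the manual bind), and `bindRequiresDn = false` is what lets the adapter bind with `dom\USERNAME` instead of first having to look up the user's full DN. The ACCTNAME_FORM_PRINCIPAL line will only produce a UPN-style name if the commented-out `accountDomainName = "dom.de"` is set as well.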

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow