Validate credentials against Active Directory with Zend\Authentication\Adapter\Ldap (ZF2)

Question

I want to check username/password against our active directory within my ZF2-Application. I use Zend\Authentication\Adapter\Ldap for this and it works partly.

This is my code:

use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Adapter\Ldap as AuthAdapter;    

$username = 'johndoe';
$password = 'xxx';

$auth = new AuthenticationService();
$adapter = new AuthAdapter(
    array('server1'=>array(
        'host' => '192.168.0.3',
        'useStartTls' => false,
        'useSsl' => false,
        'accountDomainName' => 'domain.local',
        'accountDomainNameShort' => 'DOMAIN',
        'accountCanonicalForm' => 3,
        'accountFilterFormat' => '(&(objectClass=user)(sAMAccountName=%s))',
        'baseDn' => 'CN=Users,DC=domain,DC=local',
        'bindRequiresDn' => false,
        'optReferrals' => false
    )), 
    $username, 
    $password
);

$result = $auth->authenticate($adapter);

var_dump($result);

if I set an incorrect password i get the following result:

object(Zend\Authentication\Result)#279 (3) {
  ["code":protected]=>
  int(-3)
  ["identity":protected]=>
  string(3) "johndoe"
  ["messages":protected]=>
  array(4) {
    [0]=>
    string(19) "Invalid credentials"
    [1]=>
    string(124) "0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C0903AA, comment:     AcceptSecurityContext error, data 52e, v1772): DOMAIN\johndoe"
    [2]=>
    string(238) "host=192.168.0.3,useStartTls=,useSsl=,accountDomainName=domain.local,accountDomainNameShort=DOMAIN,accountCanonicalForm=3,accountFilterFormat=(&(objectClass=user)(sAMAccountName=%s)),baseDn=CN=Users,DC=domain,DC=local,bindRequiresDn=,optReferrals="
    [3]=>
    string(151) "johndoe authentication failed: 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772): DOMAIN\johndoe"
  }
}

with the correct password the result changes:

object(Zend\Authentication\Result)#279 (3) {
  ["code":protected]=>
  int(-1)
  ["identity":protected]=>
  string(3) "johndoe"
  ["messages":protected]=>
  array(4) {
    [0]=>
    string(22) "Account not found: johndoe"
    [1]=>
    string(68) "0x20: No object found for: (&(objectClass=user)(sAMAccountName=johndoe))"
    [2]=>
    string(238) "host=192.168.0.3,useStartTls=,useSsl=,accountDomainName=domain.local,accountDomainNameShort=DOMAIN,accountCanonicalForm=3,accountFilterFormat=(&(objectClass=user)(sAMAccountName=%s)),baseDn=CN=Users,DC=domain,DC=local,bindRequiresDn=,optReferrals="
    [3]=>
    string(95) "johndoe authentication failed: 0x20: No object found for: (&(objectClass=user)(sAMAccountName=johndoe))"
  }
}

why is no account found? Is there a problem with my accountFilterFormat?

sAMAccountName and objectClass seem to be valid. I checked this with the Sysinternals Active Directory Browser:

A similar search with this tool works fine:

Answer 1

The baseDn was wrong. You can check the path with the Active Diectory Explorer. I didn't matched this. Instead I used the standard baseDN: CN=Users,DC=domain,DC=local

I don't know, if this is SBS specific, but the correct baseDN here is: OU=SBSUsers,OU=DOMAIN,DC=domain,DC=local

Answer 2

Just a guess but maybe because objectClass is not user but top;person;...;user?