@kitsaels
Last active May 22, 2019 13:30
Listing AD User accounts
<?php
// LDAP bind parameters; a normal AD user account is enough for a read-only search.
$username = 'my.user@firma-cz.local';
$password = 'moje@heslo';
$baseDN   = 'DC=firma-cz,DC=local';

require_once __DIR__ . '/LdapEntry.php'; // the helper class in the second file (file name assumed)

// Escape attribute values before placing them in the HTML table (AD data is user-editable).
function h($value) {
    return \htmlspecialchars((string) $value, \ENT_QUOTES, 'UTF-8');
}

\ldap_set_option(NULL, \LDAP_OPT_DEBUG_LEVEL, 7);
$connection = \ldap_connect("192.168.1.6");
if ($connection === FALSE) {
    throw new \Exception('Unable to connect to the ldap server');
}
// "... or throw new ..." only parses on PHP 8 (throw as an expression); a plain if works everywhere.
if (!\ldap_set_option($connection, \LDAP_OPT_PROTOCOL_VERSION, 3)) {
    throw new \Exception('Unable to set LDAP protocol version');
}
\ldap_set_option($connection, \LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.
if (@\ldap_bind($connection, $username, $password) === FALSE) {
    // Include the server's error text so a failed bind can actually be diagnosed.
    throw new \Exception('Unable to bind to the LDAP: ' . \ldap_error($connection));
}
$searchFilter = '(|(objectCategory=person)(objectCategory=contact))';
$result = \ldap_search($connection, $baseDN, $searchFilter);
if (FALSE === $result) {
    throw new \Exception('Unable to search the LDAP: ' . \ldap_error($connection));
}
$entries = \ldap_get_entries($connection, $result);
echo <<<EOT
<h2>AD User Results</h2><br>
<table border="1">
<tr bgcolor="#cccccc">
<td>Username</td>
<td>Last Name</td>
<td>First Name</td>
<td>Company</td>
<td>Department</td>
<td>Office Phone</td>
<td>Fax</td>
<td>Mobile</td>
<td>DDI</td>
<td>E-Mail Address</td>
<td>Home Phone</td>
</tr>
EOT;
for ($x = 0; $x < $entries['count']; $x++) {
    $entry = new LdapEntry($entries[$x]);
    // Contacts have no sAMAccountName, so fall back to a label built from uSNCreated.
    $usncreated = "CONTACT_" . $entry->getAttribute('usncreated');
    $LDAP_samaccountname = h($entry->getAttribute('samaccountname', $usncreated));
    $LDAP_LastName = h($entry->getAttribute('sn'));
    $LDAP_FirstName = h($entry->getAttribute('givenname'));
    $LDAP_CompanyName = h($entry->getAttribute('company'));
    $LDAP_Department = h($entry->getAttribute('department'));
    $LDAP_JobTitle = h($entry->getAttribute('title'));
    $LDAP_OfficePhone = h($entry->getAttribute('ipphone'));
    $LDAP_OfficeFax = h($entry->getAttribute('facsimiletelephonenumber'));
    $LDAP_CellPhone = h($entry->getAttribute('mobile'));
    $LDAP_DDI = h($entry->getAttribute('telephonenumber'));
    $LDAP_InternetAddress = h($entry->getAttribute('mail'));
    $LDAP_HomePhone = h($entry->getAttribute('homephone'));
    echo <<<EOT
<tr>
<td><strong>$LDAP_samaccountname</strong></td>
<td>$LDAP_LastName</td>
<td>$LDAP_FirstName</td>
<td>$LDAP_CompanyName</td>
<td>$LDAP_Department</td>
<td>$LDAP_OfficePhone</td>
<td>$LDAP_OfficeFax</td>
<td>$LDAP_CellPhone</td>
<td>$LDAP_DDI</td>
<td>$LDAP_InternetAddress</td>
<td>$LDAP_HomePhone</td>
</tr>
EOT;
}
\ldap_unbind($connection);
echo("</table>");
<?php
// LdapEntry.php: small wrapper around one entry returned by ldap_get_entries().
class LdapEntry {
    private $entry;

    function __construct(array $entry) {
        $this->entry = $entry;
    }

    // First value of $attribute, or $default when the attribute is absent, empty, or the string "NULL".
    // ldap_get_entries() lowercases attribute names, so the lookup key is lowercased as well.
    // (The original always read 'samaccountname' regardless of $attribute.)
    function getAttribute($attribute, $default = "") {
        $attribute = \strtolower($attribute);
        if (empty($this->entry[$attribute][0])) {
            return $default;
        }
        $value = $this->entry[$attribute][0];
        if ($value == "NULL") {
            return $default;
        }
        return $value;
    }
}
@ZAJDAN

ZAJDAN commented May 22, 2019

Thank You,
I am trying it right now and facing a few problems:
1)
if (FALSE === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) { throw new Exception('Unable to set LDAP protocol version'); }
throw new Exception in this condition is malfunctioning (the PHP code is not executed correctly) - this I see in Browser Inspection

when I put in the condition instead of 'throw new Exception' echo:
if (FALSE === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) { echo('Unable to set LDAP protocol version'); }
so the code runs correctly

2)
in Inspection I see that the ldap_bind returns the message 'Unable to bind to the LDAP'
but on the server I do not see any error:

attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x7f7ffa5d7eb0 msgid 1
wait4msg ld 0x7f7ffa5d7eb0 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f7ffa5d7eb0 msgid 1 all 1
** ld 0x7f7ffa5d7eb0 Connections:
* host: 192.168.1.6  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Wed May 22 10:39:14 2019


** ld 0x7f7ffa5d7eb0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f7ffa5d7eb0 request count 1 (abandoned 0)
** ld 0x7f7ffa5d7eb0 Response Queue:
   Empty
  ld 0x7f7ffa5d7eb0 response count 0
ldap_chkResponseList ld 0x7f7ffa5d7eb0 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f7ffa5d7eb0 NULL
ldap_int_select
read1msg: ld 0x7f7ffa5d7eb0 msgid 1 all 1
ldap_err2string
ldap_search_ext
put_filter: "(|(objectCategory=person)(objectCategory=contact))"
put_filter: OR
put_filter_list "(objectCategory=person)(objectCategory=contact)"
put_filter: "(objectCategory=person)"
put_filter: simple
put_simple_filter: "objectCategory=person"
put_filter: "(objectCategory=contact)"
put_filter: simple
put_simple_filter: "objectCategory=contact"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
ldap_send_server_request
ldap_err2string
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed

@kitsaels
Author

  1. Browser Inspection lies
  2. You have something wrong in $ldap_base_dn or $ldap_username

@ZAJDAN

ZAJDAN commented May 22, 2019

  1. Browser Inspection lies
  2. You have something wrong in $ldap_base_dn or $ldap_username

Really cannot find what is wrong. User is set correctly, password too, DN too.
Should I see something on the webserver (/var/log/apache2/error.log)? I mean some return from the Windows DC.

@kitsaels
Author

Is it right?
$baseDN = 'DC=firma-cz,DC=local,DC=local';
or
$baseDN = 'DC=firma-cz,DC=local';

maybe:
ldap_bind($connection, "uid=$username,cn=users,$baseDN", $password); //etc...

@ZAJDAN

ZAJDAN commented May 22, 2019

Probably I found the problem. On the DomainController only the role
'Active Directory Domain Services' is installed, but not 'Active Directory Lightweight Domain Services'.

@ZAJDAN

ZAJDAN commented May 22, 2019

Is it right?
$baseDN = 'DC=firma-cz,DC=local,DC=local';
or
$baseDN = 'DC=firma-cz,DC=local';

maybe:
ldap_bind($connection, "uid=$username,cn=users,$baseDN", $password); //etc...

correct is:
$baseDN = 'DC=firma-cz,DC=local'; //but this is what I corrected already before

I installed the new role on the DC server: 'Active Directory Lightweight Domain Services'
But still at the same point :( It is Windows... maybe it needs a restart?

Also I have tried
ldap_bind($ldap_connection, "uid=$ldap_username, cn=Users, $ldap_base_dn",$ldap_password))

the problem during bind still remains.

@ZAJDAN

ZAJDAN commented May 22, 2019

next attempt:
On the Windows server I launched the LDP tool
made a connection - successful
and then bind:

-----------
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
	{NtAuthIdentity: User='jana.potvora'; Pwd=<unavailable>; domain = 'firma-cz.local'}
Error <81>: ldap_bind_s() failed: Server Down.
Server error: <empty>
-----------
0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
	{NtAuthIdentity: User='www-data'; Pwd=<unavailable>; domain = 'firma-cz.local'}
Authenticated as: 'FIRMA-CZ\www-data'.
-----------

now when I try the user www-data from PHP... still the same problem

@kitsaels
Author

$LDAP_password = \ldap_escape($password);
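An added example, not part of the gist and not either commenter's code, showing where ldap_escape() actually applies: it escapes values that are spliced into a search filter or into a DN, and it is not applied to the password handed to ldap_bind(), which takes the credential verbatim (escaping it would just make a correct password fail). The function names userFilter and userDn are mine, the sample inputs are constructed, and the CN=Users container is assumed to be where the account lives.

```php
<?php
// Added example (not from the gist): correct uses of ldap_escape().
// LDAP_ESCAPE_FILTER rewrites \ * ( ) and NUL as \5c \2a \28 \29 \00, so a value
// taken from a request cannot change the filter's structure (LDAP injection).
// LDAP_ESCAPE_DN escapes \ , = + < > ; " # and leading/trailing spaces in an RDN value.
declare(strict_types=1);

/** The gist's person/contact filter, narrowed to one caller-supplied account name. */
function userFilter(string $accountName): string
{
    $safe = \ldap_escape($accountName, '', \LDAP_ESCAPE_FILTER);
    return "(&(|(objectCategory=person)(objectCategory=contact))(sAMAccountName=$safe))";
}

/** DN of an account in the default Users container (assumed location), RDN value escaped. */
function userDn(string $cn, string $baseDN): string
{
    return 'CN=' . \ldap_escape($cn, '', \LDAP_ESCAPE_DN) . ',CN=Users,' . $baseDN;
}

// Constructed inputs: an ordinary name, and one carrying filter metacharacters that
// would widen the search to every object if it were concatenated unescaped.
foreach (['www-data', '*)(objectClass=*'] as $name) {
    echo userFilter($name), "\n";
}
// Constructed display name containing a comma, which is an RDN separator.
echo userDn('Jana, Potvora', 'DC=firma-cz,DC=local'), "\n";

// Not shown: $password = \ldap_escape($password) before ldap_bind(). The bind password is
// neither a filter nor a DN component and must be passed unchanged.
```

Run it with `php example.php`; the second filter line shows the metacharacters turned into `\2a`, `\29` and `\28` escapes, so the injected clause is searched for as a literal account name rather than evaluated.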

@ZAJDAN

ZAJDAN commented May 22, 2019

$LDAP_password = \ldap_escape($password);

Ok... with user www-data I am able to connect in the LDP tool, so I should be able to authenticate with this user from PHP, but without success.
The same problem, the bind is not successful.
Could the problem be that the server requires SSL\TLS and the machine PHP runs on must have a certificate?

@ZAJDAN

ZAJDAN commented May 22, 2019

Seems the problem is on the server.
On a Linux machine I installed ldap-utils and tried:

ldapsearch -x -H ldap://192.168.1.6 -D www-data@firma-cz.local -W cd=www-data
Enter LDAP Password: 
ldap_bind: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C090252, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1

if I understand correctly, the server requires SSL, so I must also enable connections without SSL\TLS on the server
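The ldapsearch output above is the domain controller stating its policy: a simple bind is accepted only when the session is already protected by SSL/TLS (or when LDAP signing is negotiated). The client side can satisfy that policy as it stands, without relaxing it on the DC. What follows is an added example, not the gist's code, of a PHP client that connects over LDAPS (or StartTLS on 389) with certificate validation kept on, and that reads the server's diagnostic message on a failed bind, which is the same "00002028: LdapErr: ..." text ldapsearch printed, instead of the bare 'Unable to bind'. Assumed and not from the page: the CA bundle path, the LDAP_PASSWORD environment variable and the helper name ldapFailure; the host and UPN are the gist's values.

```php
<?php
// Added example (not from the gist): TLS-protected bind with server-side diagnostics.
declare(strict_types=1);

$host        = '192.168.1.6';                 // DC address from the gist
$username    = 'my.user@firma-cz.local';      // UPN form, as in the gist
$password    = getenv('LDAP_PASSWORD') ?: ''; // assumption: secret supplied via environment, not source
$useStartTls = false;                         // false: ldaps://:636, true: ldap://:389 + StartTLS

// Global TLS settings must be set before ldap_connect(). Trust only the CA that issued
// the DC's certificate (placeholder path) and refuse to continue on a bad certificate.
\ldap_set_option(null, \LDAP_OPT_X_TLS_CACERTFILE, '/etc/ssl/certs/firma-cz-ca.pem'); // placeholder
\ldap_set_option(null, \LDAP_OPT_X_TLS_REQUIRE_CERT, \LDAP_OPT_X_TLS_DEMAND);

$uri = $useStartTls ? "ldap://$host:389" : "ldaps://$host:636";
$connection = \ldap_connect($uri);
if ($connection === false) {
    throw new \RuntimeException("Malformed LDAP URI: $uri");
}
\ldap_set_option($connection, \LDAP_OPT_PROTOCOL_VERSION, 3);
\ldap_set_option($connection, \LDAP_OPT_REFERRALS, 0);

// StartTLS upgrades the plaintext 389 session before any credential is sent.
if ($useStartTls && !\ldap_start_tls($connection)) {
    throw new \RuntimeException('StartTLS failed: ' . ldapFailure($connection));
}

// ldap_bind() emits a PHP warning on failure, so suppress it and read the error
// state explicitly. The password goes in verbatim; ldap_escape() is for filters/DNs.
if (!@\ldap_bind($connection, $username, $password)) {
    throw new \RuntimeException('Bind failed: ' . ldapFailure($connection));
}
echo "Bound as $username over TLS\n";
\ldap_unbind($connection);

/**
 * Numeric result code, its text, and AD's extended diagnostic message when present.
 * For the case on this page that yields something like
 * "8 Strong(er) authentication required (00002028: LdapErr: ... integrity checking ...)".
 */
function ldapFailure($connection): string
{
    $extended = '';
    \ldap_get_option($connection, \LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended);
    $suffix = ($extended !== null && $extended !== '') ? " ($extended)" : '';
    return sprintf('%d %s%s', \ldap_errno($connection), \ldap_error($connection), $suffix);
}
```

With this in place the PHP side gets the same explanation ldapsearch gave, and the DC's signing/TLS requirement can stay as it is; only the CA bundle for the DC's certificate has to be present on the web server.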
