thesk8rjesus (17th June 2009)
I have an Apache 2.2.11 server with PHP 5.2.9 and MySQL 5.1.34 running on 64-bit Windows Server 2k3. I have enabled the LDAP extensions within PHP, but am not sure how to use the LDAP stuff. What I would like it to do is pick up the user's system login details and display their username.
Once I have got that I would like to deny access to pages depending on which AD group they are in, which I don't know how to do either.

You might find this useful:
adLDAP - LDAP Authentication with PHP for Active Directory
I implemented it in our whitelist filter system - works a charm.
Thanks, but it looks like it is for a Linux system and I am running my website on Windows. Is it still compatible?

Not too sure, as I'm running it on *nix - could always give it a go and see how you get on!
Here is a PHP example script which hopefully should get you sorted.
Code:
<?php
/* CHANGE THESE */
$ldapBaseDomain = 'ou=users,dc=example,dc=com';
$ldapServer     = 'LDAP_SERVER';
$ldapUsername   = 'LDAP_USERNAME';
$ldapPassword   = 'LDAP_PASSWORD';
/* CHANGE THESE */

if (!empty($_POST['username']) && !empty($_POST['password'])) {
    // filter out ldap wildcards and filter metacharacters before the username goes into the search
    if (!preg_match('/^[a-zA-Z0-9\-]+$/', $_POST['username'])) {
        die('Please enter a valid username');
    }
    if (!$ldapConnection = @ldap_connect($ldapServer)) {
        die('Could not connect to ldap server');
    }
    // Active Directory expects LDAPv3; referral chasing is switched off so
    // searches against a domain base do not stall on referrals
    @ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
    @ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
    // bind with the service account so the user can be looked up
    if (!@ldap_bind($ldapConnection, $ldapUsername, $ldapPassword)) {
        die('Could not bind to ldap server');
    }
    // search the whole subtree under the base for a matching common name
    if (!$ldapSearch = @ldap_search($ldapConnection, $ldapBaseDomain, '(cn=' . $_POST['username'] . ')')) {
        die('Could not complete ldap search');
    }
    $ldapCount = @ldap_count_entries($ldapConnection, $ldapSearch);
    if (!$ldapCount) {
        die('account not found');
    } else {
        if (!$ldapEntry = @ldap_get_entries($ldapConnection, $ldapSearch)) {
            die('Could not get ldap entry');
        }
        // ldap_get_entries() lower-cases attribute names
        $distinguishedName = $ldapEntry[0]['distinguishedname'][0];
        if (empty($distinguishedName)) {
            die('Account information not found');
        }
        // rebinding as the user's own DN is the actual password check
        if (!@ldap_bind($ldapConnection, $distinguishedName, $_POST['password'])) {
            die('Password Incorrect');
        }
        echo '<h1>Logged in successfully</h1><h2>User Details</h2>';
        echo '<pre>' . htmlspecialchars(print_r($ldapEntry[0], true)) . '</pre>';
    }
} else {
    echo '<form method="post">
        Username: <input name="username"><br>
        Password: <input name="password" type="password"><br>
        <input type="submit" value="login">
        </form>';
}
?>
thesk8rjesus (17th June 2009)
Thank you for that, it worked, but I could only get it to read from top-level OU folders. We have our staff in:
towers.school
The Towers School
Staff
and then in two folders
Teaching staff
&
Non teaching staff
How can I get it to read both of these OUs?
Or read from any of the OUs within Staff and further down?
Last edited by thesk8rjesus; 17th June 2009 at 12:23 PM.
Glad I could help.
The $ldapBaseDomain variable is the base from which you search for users, so adjusting the level will allow you to set where to search from, but it should then search for everything in that
If you remove the @ character from the code then error messages will no longer be suppressed, which might give a more meaningful error message.
Apart from that I'm not sure what's going on.

What have you put for this line?
$ldapBaseDomain = 'ou=users,dc=example,dc=com';
I have
$ldapBaseDomain = 'ou=The Towers School,dc=towers,dc=school';
I can now get it finding student accounts but am receiving 'Account Not Found' when looking for teachers. What I believe the problem is, is that it's not looking far enough down and only going 4 levels:
OU > OU > OU > user
but we have
The Towers School > Staff > Teaching > Dept > user
Also, is there a way that I could get it to look at only what's in the Staff OU?

Sorted out why it wasn't working: it was looking at 'full name', and as we have changed full names it couldn't find the account. Is there a way that I can get it to look at the usernames, possibly a change of this line?
$distinguishedName = $ldapEntry[0]['distinguishedname'][0];
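An added example for the last two questions in this thread (searching under the Staff OU rather than the top level, and matching on the username rather than the full name), not code from the thread or from adLDAP. It assumes a read-only service account for the first bind; the server, service-account values and the group DN are placeholders.

```php
<?php
// Added example, not from this thread: find a user by sAMAccountName under the Staff OU,
// verify the password by rebinding, then require membership of one AD group (placeholder DN).
function ldapFilterEscape($value) {
    // RFC 4515 escaping by hand, since PHP 5.2 has no ldap_escape()
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}
function adLogin($server, $serviceDn, $servicePassword, $baseDn, $username, $password, $groupDn) {
    // an empty password makes a simple bind anonymous, which AD accepts, so refuse it up front
    if ($password === '') {
        return array('ok' => false, 'error' => 'empty password');
    }
    $conn = ldap_connect($server);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD needs LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // do not chase referrals
    if (!@ldap_bind($conn, $serviceDn, $servicePassword)) {
        return array('ok' => false, 'error' => 'service bind failed: ' . ldap_error($conn));
    }
    // ldap_search() is subtree scope, so a base of ou=Staff also covers the Teaching and Non teaching OUs
    $filter = '(&(objectClass=user)(sAMAccountName=' . ldapFilterEscape($username) . '))';
    $search = @ldap_search($conn, $baseDn, $filter, array('distinguishedName', 'displayName', 'memberOf'));
    $entries = $search ? ldap_get_entries($conn, $search) : false;
    if (!$entries || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return array('ok' => false, 'error' => 'account not found');
    }
    $userDn = $entries[0]['distinguishedname'][0];
    // rebinding as the user is the actual password check
    if (!@ldap_bind($conn, $userDn, $password)) {
        ldap_unbind($conn);
        return array('ok' => false, 'error' => 'password incorrect');
    }
    ldap_unbind($conn);
    // memberOf lists direct memberships only; DNs compare case-insensitively
    $groups = isset($entries[0]['memberof']) ? $entries[0]['memberof'] : array('count' => 0);
    for ($i = 0; $i < $groups['count']; $i++) {
        if (strcasecmp($groups[$i], $groupDn) === 0) {
            $name = isset($entries[0]['displayname'][0]) ? $entries[0]['displayname'][0] : $username;
            return array('ok' => true, 'dn' => $userDn, 'displayName' => $name);
        }
    }
    return array('ok' => false, 'error' => 'not a member of the required group');
}
// usage with the base from this thread; 'cn=PLACEHOLDER_GROUP,...' stands in for the real group DN
$result = adLogin('LDAP_SERVER', 'LDAP_USERNAME', 'LDAP_PASSWORD',
    'ou=Staff,ou=The Towers School,dc=towers,dc=school',
    isset($_POST['username']) ? $_POST['username'] : '', isset($_POST['password']) ? $_POST['password'] : '',
    'cn=PLACEHOLDER_GROUP,ou=Staff,ou=The Towers School,dc=towers,dc=school');
echo $result['ok'] ? 'Welcome ' . htmlspecialchars($result['displayName']) : htmlspecialchars($result['error']);
```

Because memberOf only shows direct membership, a user who is in the required group via a nested group is rejected here; the check only needs the group's DN rather than a full group walk.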