  #1 thesk8rjesus

    Using LDAP to authenticate users

    I have an Apache 2.2.11 server with PHP 5.2.9 and MySQL 5.1.34 running on 64-bit Windows Server 2k3. I have enabled the LDAP extensions within PHP, but am not sure how to use the LDAP stuff. What I would like it to do is pick up the user's system login details and display their username.

    Once I have got that, I would like to deny access to pages depending on which AD group they are in, which I don't know how to do either.

  #2 Hightower
    You might find this useful:

    adLDAP - LDAP Authentication with PHP for Active Directory

    I implemented it in our whitelist filter system - works a charm.

  #3 thesk8rjesus
    Thanks, but it looks like it is for a Linux system and I am running my website on Windows. Is it still compatible?

  #4 Hightower
    Not too sure, as I'm running it on *nix - could always give it a go and see how you get on.

  #5 leeneilson
    Here is a PHP example script which hopefully should get you sorted.

    Code:
    <?php

    /* CHANGE THESE */
    $ldapBaseDomain = 'ou=users,dc=example,dc=com';   // base DN; ldap_search() looks at this level and everything below it
    $ldapServer     = 'LDAP_SERVER';                  // domain controller hostname
    $ldapUsername   = 'LDAP_USERNAME';                // account used for the first (lookup) bind
    $ldapPassword   = 'LDAP_PASSWORD';
    /* CHANGE THESE */

    if (!empty($_POST['username']) && !empty($_POST['password'])) {

        // filter out ldap wildcards: only letters, digits and '-' may reach the search
        // filter, so characters such as * ( ) \ cannot change its meaning
        if (!preg_match('/^[a-zA-Z0-9\-]+$/', $_POST['username'])) {
            die('Please enter a valid username');
        }

        // ldap_connect() only prepares the connection; a bad hostname shows up at bind time
        if (!$ldapConnection = @ldap_connect($ldapServer)) {
            die('Could not connect to ldap server');
        }

        // Active Directory needs LDAPv3, and chasing the referrals it returns on
        // subtree searches makes those searches fail
        ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);

        // bind as the lookup account so the user's DN can be found
        if (!@ldap_bind($ldapConnection, $ldapUsername, $ldapPassword)) {
            die('Could not bind to ldap server');
        }

        // subtree search by cn (the AD "full name"); a filter must be wrapped in parentheses
        $ldapFilter = '(cn=' . $_POST['username'] . ')';
        if (!$ldapSearch = @ldap_search($ldapConnection, $ldapBaseDomain, $ldapFilter)) {
            die('Could not complete ldap search');
        }

        $ldapCount = @ldap_count_entries($ldapConnection, $ldapSearch);

        if (!$ldapCount) {
            die('account not found');
        } else {
            if (!$ldapEntry = @ldap_get_entries($ldapConnection, $ldapSearch)) {
                die('Could not get ldap entry');
            }

            // ldap_get_entries() lower-cases attribute names
            $distinguishedName = $ldapEntry[0]['distinguishedname'][0];

            if (empty($distinguishedName)) {
                die('Account information not found');
            }

            // second bind, as the user: this is the actual password check
            // (the empty() test above matters: an empty password is an anonymous bind and succeeds)
            if (!@ldap_bind($ldapConnection, $distinguishedName, $_POST['password'])) {
                die('Password Incorrect');
            }

            echo '  <h1>Logged in successfully</h1>
                    <h2>User Details</h2>';

            echo '<pre>' . print_r($ldapEntry[0], true) . '</pre>';
        }

    } else {
        echo '  <form method="post">
                Username: <input name="username"><br>
                Password: <input name="password" type="password"><br>
                <input type="submit" value="login">
                </form>';
    }

    ?>

    Thanks to leeneilson from: thesk8rjesus (17th June 2009)

  #6 thesk8rjesus
    Thank you for that, it worked, but I could only get it to read from top-level OU folders. We have our staff in:

    towers.school
    The Towers School
    Staff
    and then in two folders:
    Teaching staff
    &
    Non teaching staff

    How can I get it to read both of these OUs?

    Or read from any of the OUs within Staff and further down.
    Last edited by thesk8rjesus; 17th June 2009 at 11:23 AM.

  #7 leeneilson
    Glad I could help.

    The $ldapBaseDomain variable is the base from which you search for users, so adjusting the level will allow you to set where to search from, but it should then search for everything in that

  #8 thesk8rjesus
    Quote Originally Posted by leeneilson:
    The $ldapBaseDomain variable is the base from which you search for users, so adjusting the level will allow you to set where to search from, but it should then search for everything in that
    Okay, so I changed the ou="the towers school" but I get the message saying 'account not found', but I know the user is there:

    the towers school>staff>teaching staff>ict>user

  #9 leeneilson
    If you remove the @ character from the code then error messages will no longer be suppressed, which might give a more meaningful error message.

    Apart from that I'm not sure what's going on.

  #10 RabbieBurns
    What have you put for this line?

    $ldapBaseDomain = 'ou=users,dc=example,dc=com';

  #11 thesk8rjesus
    I have

    $ldapBaseDomain = 'ou=The Towers School,dc=towers,dc=school';

    I can now get it finding student accounts, but I receive 'Account Not Found' when looking for teachers. What I believe the problem is, is that it's not looking far enough down and only going 4 levels:

    Ou>ou>ou>user

    but we have

    The Towers School>Staff>Teaching>Dept>user

    Also, is there a way that I could get it to look at only what's in the Staff OU?

  #12 localzuk
    Quote Originally Posted by thesk8rjesus:
    I have

    $ldapBaseDomain = 'ou=The Towers School,dc=towers,dc=school';

    Also, is there a way that I could get it to look at only what's in the Staff OU?
    $ldapBaseDomain = 'ou=Dept,ou=Teaching,ou=Staff,ou=The Towers School,dc=towers,dc=school';

  #13 thesk8rjesus
    Quote Originally Posted by localzuk:
    $ldapBaseDomain = 'ou=Dept,ou=Teaching,ou=Staff,ou=The Towers School,dc=towers,dc=school';
    Okay, I have done this and I am still receiving the same error message 'Account Not Found', but I know that it is there.

  #14 thesk8rjesus
    Sorted out why it wasn't working: it was looking at 'full name', and as we have changed full names it could find the account. Is there a way that I can get it to look at the usernames? Possibly a change of this line:

    $distinguishedName = $ldapEntry[0]['distinguishedname'][0];
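    An added example (not leeneilson's script and not code from any poster) that answers the last question and the group check asked for in the first post: it looks the user up by sAMAccountName instead of cn, searches the whole subtree under the Staff OU, binds as that user, and then checks AD group membership via memberOf. The server, lookup account, base DN and group DN are placeholder assumptions to change, and ldapFilterEscape() is a hypothetical helper standing in for PHP 5.6's ldap_escape().

```php
<?php
// Added example, not from the thread. Placeholders to change:
$ldapServer    = 'ldap://LDAP_SERVER';
$ldapUsername  = 'LDAP_USERNAME';                                   // read-only lookup account
$ldapPassword  = 'LDAP_PASSWORD';
$ldapBase      = 'ou=Staff,ou=The Towers School,dc=towers,dc=school'; // only staff are found under here
$requiredGroup = 'cn=Teaching Staff,ou=Groups,dc=towers,dc=school'; // assumed group DN

// Escape the characters that carry meaning inside an LDAP filter (RFC 4515), so a value
// such as "x*)(objectClass=*" cannot widen the search. PHP 5.6+ ships ldap_escape();
// this hypothetical helper does the same on the thread's PHP 5.2.
function ldapFilterEscape($value) {
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

// Returns the user's DN when the username/password pair is valid AND the user is a
// direct member of $requiredGroup; false otherwise.
function authenticateStaff($username, $password) {
    global $ldapServer, $ldapUsername, $ldapPassword, $ldapBase, $requiredGroup;
    if ($password === '') return false;  // empty password = anonymous bind, which AD accepts

    $ds = ldap_connect($ldapServer);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD subtree searches return referrals
    if (!ldap_bind($ds, $ldapUsername, $ldapPassword)) return false;

    // ldap_search() is a subtree search, so Staff > Teaching > Dept > user is reached too.
    // sAMAccountName is the login name; cn is the "full name" that changed in the thread.
    $filter = '(&(objectClass=user)(sAMAccountName=' . ldapFilterEscape($username) . '))';
    $sr = ldap_search($ds, $ldapBase, $filter, array('distinguishedname', 'memberof'));
    $entries = ldap_get_entries($ds, $sr);      // attribute names come back lower-cased
    if ($entries['count'] !== 1) return false;  // not found, or ambiguous

    $dn = $entries[0]['distinguishedname'][0];
    if (!ldap_bind($ds, $dn, $password)) return false;  // the real password check

    // memberOf lists DNs of groups the user belongs to directly (nested groups are not expanded)
    $groups = isset($entries[0]['memberof']) ? $entries[0]['memberof'] : array('count' => 0);
    for ($i = 0; $i < $groups['count']; $i++) {
        if (strcasecmp($groups[$i], $requiredGroup) === 0) return $dn;
    }
    return false;
}
```

    A page that should be staff-only can then call authenticateStaff() with the submitted form values and deny access on a false return; to restrict by a different group, change $requiredGroup rather than the search base.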
