Authenticating user using LDAP from PHP

php authentication ldap

56,227

Solution 1

The general procedure would be (relevant ext/ldap php commands in brackets):

connect to LDAP server using the "LDAP Host" and "LDAP port no" (ldap_connect()) and set the correct connection options (ldap_set_option()), especially LDAP_OPT_PROTOCOL_VERSION and LDAP_OPT_REFERRALS
bind to LDAP server using the "LDAP account to bind" and "LDAP account password" (ldap_bind()) - if you're authenticating against an Active Directory server you can directly use the username and password from the login page and skip all the following steps.
search the tree for a matching user entry/object by specifing the "BASE DN" and the appropriate LDAP filter - most likely something like (&(objectClass=user)(sAMAccountName=%s)) where %s should be replaced by the username to be authenticated (ldap_search())
check if the number of returned entries is 1 (if <> 1 then something has gone wrong, e.g. no user found or multiple users found)
retrive the distinguished name (DN) of this single entry (ldap_get_dn())
use the DN found in the last step to try to bind to the LDAP server with the password given at the authentication page (ldap_bind())
if the bind succeeds then everything is OK, if not, most likely the password is wrong

It's really not as hard as it sounds at first. Generally I'd propose to use some sort of standard library for authenticating against a LDAP server such as the Net_LDAP2 PEAR package or Zend_Ldap out of the Zend Framework. I have no experience with actually using Net_LDAP2 (although I know the code quite well) but Zend_Ldap works very well against Active Directory servers or ADAMS servers (which is obviously what you're working with).

This will do the trick using Zend_Ldap:

$options = array(
    'host'                 => 'ad.blueroom.ac.uk',
    'useStartTls'          => true,
    'accountDomainName'    => 'blueroom.ac.uk',
    'accountCanonicalForm' => 4,
    'baseDn'               => 'ou=bluebird,dc=bluebird,dc=ac,dc=my',
);
$ldap = new Zend_Ldap($options);
try {
    $ldap->bind('user', 'password');
} catch (Zend_Ldap_Exception $e) {
    // something failed - inspect $e
}
// bind successful
$acctname = $ldap->getCanonicalAccountName('user', Zend_Ldap::ACCTNAME_FORM_DN);

Solution 2

You might try http://code.activestate.com/recipes/101525/ while referring to http://us3.php.net/ldap and other results from a Google search for [php ldap authentication].

Solution 3

@Stephen provided good points. Here is my plain PHP code to authenticate using AD:

first you need to know this parameters: server host, user domain (you need also base dn if you want query AD).

use the following code:

$ldap = ldap_connect($host); // e.g. 165.5.54.6 or an URL
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // Recommended for AD
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($ldap, $username.'@'.$userDomain, $passwrod);

if($bind){
// successful authentication. 
}

Solution 4

you could use http://pear.php.net/package/Net_LDAP2/docs it's nice and works.

Example of connection taken by the doc:

// Inclusion of the Net_LDAP2 package:
require_once 'Net/LDAP.php';

// The configuration array:
$config = array (
    'binddn'    => 'cn=admin,ou=users,dc=example,dc=org',
    'bindpw'    => 'password',
    'basedn'    => 'dc=example,dc=org',
    'host'      => 'ldap.example.org'
);

// Connecting using the configuration:
$ldap = Net_LDAP2::connect($config);

// Testing for connection error
if (PEAR::isError($ldap)) {
    die('Could not connect to LDAP-server: '.$ldap->getMessage());
}

View more solutions

56,227

Author by

Admin

Updated on June 04, 2020

Comments

Admin almost 4 years
My project is to make a module enrollment system for our university. So I contacted the IT people in my university for details to authenticate the students into the system. We are developing the system using the existing university login. They gave me some LDAP information, I don't know the usage of that. I'm using PHP,Mysql on an Apacha server. How can I authenticate a user logging into my system, given his userid and password with the LDAP information.

Given below is the LDAP information(i have changed the domain name etc.)

LDAP information for blueroom.ac.uk domain
```
LDAP Host : ad.blueroom.ac.uk

LDAP port no: 389

BASE DN : ou=bluebird, dc=bluebird, dc=ac, dc=my

LDAP account to bind : cn = kikdap, ou=servacc, dc=bluebird,dc=ac,dc=uk

LDAP account password : ********

Attribute : sAMAccountName 
```
on_ about 10 years

Just followed some of your steps and got this working like a charm... went the native PHP LDAP module route through.
Tyzoid almost 10 years

Just a word of caution to those who use this method: if your ldap server allows anonymous login, make sure you filter out empty passwords as invalid before attempting authentication.
Jibby over 8 years

I'm authenticating against an Active Directory server, but still had to go through all steps to 7.
Johann150 almost 6 years

Careful: Some implementations of LDAP return true on ldap_bind when the password is empty. You should probably check that the password is not empty.