A simple LDAP Authentication script.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | <?php
$ldapconfig['host'] = 'localhost';
$ldapconfig['port'] = NULL;
$ldapconfig['basedn'] = 'dc=localhost,dc=com';
$ldapconfig['authrealm'] = 'My Realm';
function ldap_authenticate() {
global $ldapconfig;
global $PHP_AUTH_USER;
global $PHP_AUTH_PW;
if ($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {
$ds=@ldap_connect($ldapconfig['host'],$ldapconfig['port']);
$r = @ldap_search( $ds, $ldapconfig['basedn'], 'uid=' . $PHP_AUTH_USER);
if ($r) {
$result = @ldap_get_entries( $ds, $r);
if ($result[0]) {
if (@ldap_bind( $ds, $result[0]['dn'], $PHP_AUTH_PW) ) {
return $result[0];
}
}
}
}
header('WWW-Authenticate: Basic realm="'.$ldapconfig['authrealm'].'"');
header('HTTP/1.0 401 Unauthorized');
return NULL;
}
if (($result = ldap_authenticate()) == NULL) {
echo('Authorization Failed');
exit(0);
}
echo('Authorization success');
print_r($result);
?>
|
This demonstrates using LDAP for authentication. The basedn defines the base tree to start search for the uid. This script does not handle multiple uid's. If authentication is successful, the users LDAP entries are returned in an array.
Tags: security
Close, but... I think that most of the code is fine. However, with LDAP there are four results from authentication:
1) login fails, not a user
2) authenticated but can't edit their own data
3) authenticated and can edit their own data
4) authenticated, can edit own data and user is application admin
Point 4 is a bit different depending on your application. In mine, my applications determine which users are admins. The other option would be to store that data in the LDAP itself.
--Tony
Fatal error: Call to unsupported or undefined function ldap_connect() in LDAP.inc. I keep getting this error. I havent beenable to figure out as whats missing?? PG
PHP must be compiled "with LDAP" Just a guess, but I think that your problem is that your PHP was not compiled "with LDAP" so it doesn't understand the LDAP functions that this script is using.
LDAPS problem??? I can search the ldap server thru ssl, and find the person's dn, but I got the 'Authorization Failed' message, when I tried to bind the person with dn and password. I wrote the similar code in Perl, and everything is fine. Any suggestion?
Help. I am new to LDAP and kinda new to PHP. I have a task to create an intranet site that allows the user to login to a secure area using their windows account. I understand that this will do that but I am having trouble configuring it to work.
What variables need to be changed and what if anything needs to be changed on the server to allow this to occur.
Thanks for you assistance.
LDAP authentication with PHP and Active Directory. There's a couple of ways to do it. You can add LDAP support to your PHP installation or try other apache modules like mod_auth_ldap. Probably the most flexible is to compile LDAP support into PHP.
All you have to do is add this to your compile line:
--with-ldap
Before you ask, no you have to compile, you can't use a binary. If you're running apache on windows you can just enable the module in your php.ini file.
You can go to www.wiggumworld.com/adldap/ for a PHP class that will work with Active Directory.
Security Vulnerability. This code example is insecure. If you are attempting to bind to an Active Directory Service which contains sensitive or private data through php you must use addslashes() or mysql_escape_string() function to properly escape meta characters out of the user submitted data. The lack of the step will result in a malicious user to sign in as any user without a password, bypassing the usual validation checks by passing special characters to the ldap application handler.
Just curious, how do I test this script making sure that my ldap works or not? I have saved the php script in my ldap server but not sure on how to run/test it against my ldap. Please advise. Cheers! DB