Welcome, guest | Sign In | My Account | Store | Cart

A simple LDAP Authentication script.

PHP, 37 lines
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<?php

$ldapconfig['host'] = 'localhost';
$ldapconfig['port'] = NULL;
$ldapconfig['basedn'] = 'dc=localhost,dc=com';
$ldapconfig['authrealm'] = 'My Realm';

function ldap_authenticate() {
    global $ldapconfig;
    global $PHP_AUTH_USER;
    global $PHP_AUTH_PW;
    
    if ($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {
        $ds=@ldap_connect($ldapconfig['host'],$ldapconfig['port']);
        $r = @ldap_search( $ds, $ldapconfig['basedn'], 'uid=' . $PHP_AUTH_USER);
        if ($r) {
            $result = @ldap_get_entries( $ds, $r);
            if ($result[0]) {
                if (@ldap_bind( $ds, $result[0]['dn'], $PHP_AUTH_PW) ) {
                    return $result[0];
                }
            }
        }
    }
    header('WWW-Authenticate: Basic realm="'.$ldapconfig['authrealm'].'"');
    header('HTTP/1.0 401 Unauthorized');
    return NULL;
}

if (($result = ldap_authenticate()) == NULL) {
    echo('Authorization Failed');
    exit(0);
}
echo('Authorization success');
print_r($result);

?>

This demonstrates using LDAP for authentication. The basedn defines the base tree to start search for the uid. This script does not handle multiple uid's. If authentication is successful, the users LDAP entries are returned in an array.

8 comments

Tony Bibbs 19 years, 9 months ago  # | flag

Close, but... I think that most of the code is fine. However, with LDAP there are four results from authentication:

1) login fails, not a user

2) authenticated but can't edit their own data

3) authenticated and can edit their own data

4) authenticated, can edit own data and user is application admin

Point 4 is a bit different depending on your application. In mine, my applications determine which users are admins. The other option would be to store that data in the LDAP itself.

--Tony

prashanth guduru 19 years, 2 months ago  # | flag

Fatal error: Call to unsupported or undefined function ldap_connect() in LDAP.inc. I keep getting this error. I havent beenable to figure out as whats missing?? PG

Darren Addy 19 years ago  # | flag

PHP must be compiled "with LDAP" Just a guess, but I think that your problem is that your PHP was not compiled "with LDAP" so it doesn't understand the LDAP functions that this script is using.

roger ting 18 years, 11 months ago  # | flag

LDAPS problem??? I can search the ldap server thru ssl, and find the person's dn, but I got the 'Authorization Failed' message, when I tried to bind the person with dn and password. I wrote the similar code in Perl, and everything is fine. Any suggestion?

John Crutchfield 16 years, 10 months ago  # | flag

Help. I am new to LDAP and kinda new to PHP. I have a task to create an intranet site that allows the user to login to a secure area using their windows account. I understand that this will do that but I am having trouble configuring it to work.

What variables need to be changed and what if anything needs to be changed on the server to allow this to occur.

Thanks for you assistance.

Scott 16 years, 10 months ago  # | flag

LDAP authentication with PHP and Active Directory. There's a couple of ways to do it. You can add LDAP support to your PHP installation or try other apache modules like mod_auth_ldap. Probably the most flexible is to compile LDAP support into PHP.

All you have to do is add this to your compile line:

--with-ldap

Before you ask, no you have to compile, you can't use a binary. If you're running apache on windows you can just enable the module in your php.ini file.

You can go to www.wiggumworld.com/adldap/ for a PHP class that will work with Active Directory.

Jacob Williams 14 years, 11 months ago  # | flag

Security Vulnerability. This code example is insecure. If you are attempting to bind to an Active Directory Service which contains sensitive or private data through php you must use addslashes() or mysql_escape_string() function to properly escape meta characters out of the user submitted data. The lack of the step will result in a malicious user to sign in as any user without a password, bypassing the usual validation checks by passing special characters to the ldap application handler.

Dei 12 years, 1 month ago  # | flag

Just curious, how do I test this script making sure that my ldap works or not? I have saved the php script in my ldap server but not sure on how to run/test it against my ldap. Please advise. Cheers! DB

Created by Shane Caraveo on Fri, 7 Dec 2001 (MIT)
PHP recipes (51)
Shane Caraveo's recipes (5)

Required Modules

  • (none specified)

Other Information and Tasks