php + ldap

berrance · 08-13-2005, 10:57 AM

hi does anybody know of a tutorial on how to use openldap as an authentification source instead of mysql for php.

what i am trying to do is st up user authentification on my wbsite but i want to use my existing ldap setup for several reasons.

i have been googleing for ages but keep coming unstuck the only things i have found which is similar is using Active directory as the ldap server. wich i will be trying to apply those tutorials to open ldap if possible

thanks in advance for any help or pointers

berrance

fouldsy · 08-14-2005, 07:45 AM

Some basic code I knocked up when playing around with this was:

Code:

// Check to make sure password isn't blank:
// PHP LDAP handling bug (?) means an empty password uses ldap_bind() annonymously, thus
// any username can be provided with no password and be authenticated via LDAP
// User would still need access within website, but wouldn't be hard to see which users login
// and then use their username...
if ($password == '') {
	echo "Sorry, your username / password combination do not appear to be correct or you are simply not allowed to login. You will be re-directed back to the login page automatically";

	// Stop the script to prevent the ldap_bind() connecting annonymously 
	exit();
}

// Connect to LDAP server for authentication
$ldapconn = ldap_connect("10.32.176.10")
   	or die("Sorry,there was a problem whilst trying to authenticate your username and password. You will be re-directed back to the login page automatically");

// If we have a successful LDAP connection, query the server
if ($ldapconn) {

   		// Create our binding based on username / password provided
   		$ldapbind = ldap_bind($ldapconn, $ldap_username, $password);
		
   		// If the binding was successful (correct username + password, then allow the
		// user into your website
   		if ($ldapbind) {
                          Stick your code in here to redirect wherever you want
                }

                // Otherwise the user is not validated, so redirect them back to login
                else {
                          Stick your code in here to redirect wherever you want
                }
}

You should use secure ldap_bind which I never tried as it was just local stuff, but that simply connected in, authenticated, and then either allowed or denied access to the website. If you were wanting to pull out OU data with it, it's a bit more tricky. Also, make sure when you have your users login, the "@domain" gets added to the end of the username they enter, something like:

Code:

$loginname = $username."@domain.com"

before processing your login code after pulling the username entered from form.

berrance · 08-16-2005, 06:07 AM

thanks that works a treat,

thats all i was realy looking for on google not some thing telling me what each command was and did because i didnt know how to put them together properly.

thanks again

berrance

fouldsy · 08-16-2005, 07:15 AM

Cool, glad it helped! Took me ages too work that out and it ended up being so simple, as everything on the net were all so in-depth on moving your webserver into the domain and setting up LDAP to pull out all your LDAP info when I simply wanted a username + password to be authenticated

Have fun!

berrance · 08-17-2005, 05:57 AM

That one of the majore draw backs of there been lots of documentation.

im now having the same problem but this time creating a user in ldap through php. but i think i might ask on a php forum as there will probably be more people in the know there

again thanks for the help

berrance