Some basic code I knocked up when playing around with this was:
Code:
<?php
// $ldap_username and $password are assumed to have been pulled from the login form already
// Check to make sure password isn't blank:
// PHP LDAP handling bug (?) means an empty password uses ldap_bind() anonymously, thus
// any username can be provided with no password and be authenticated via LDAP
// User would still need access within website, but wouldn't be hard to see which users login
// and then use their username...
if ($password == '') {
    echo "Sorry, your username / password combination do not appear to be correct or you are simply not allowed to login. You will be re-directed back to the login page automatically";
    // Stop the script to prevent the ldap_bind() connecting anonymously
    exit();
}
// Connect to LDAP server for authentication
$ldapconn = ldap_connect("10.32.176.10")
    or die("Sorry, there was a problem whilst trying to authenticate your username and password. You will be re-directed back to the login page automatically");
// If we have a successful LDAP connection, query the server
if ($ldapconn) {
    // Create our binding based on username / password provided
    $ldapbind = ldap_bind($ldapconn, $ldap_username, $password);
    // If the binding was successful (correct username + password), then allow the
    // user into your website
    if ($ldapbind) {
        // Stick your code in here to redirect wherever you want
    }
    // Otherwise the user is not validated, so redirect them back to login
    else {
        // Stick your code in here to redirect wherever you want
    }
}
You should use secure ldap_bind which I never tried as it was just local stuff, but that simply connected in, authenticated, and then either allowed or denied access to the website. If you were wanting to pull out OU data with it, it's a bit more tricky. Also, make sure when you have your users login, the "@domain" gets added to the end of the username they enter, something like:
Code:
$loginname = $username."@domain.com"
before processing your login code after pulling the username entered from form.
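A hardened version of the same login flow, added here as an example and not the original poster's code: it refuses empty passwords before any bind (an empty password turns the bind into an RFC 4513 "unauthenticated" bind, which ldap_bind() reports as success), constrains the username, appends the domain suffix on the server side, uses LDAPS, and confirms the bind is really authenticated with ldap_exop_whoami() (PHP 7.2+). The host and domain below are placeholders.

```php
<?php
// Added hardened example (not the original post's code). Assumes the directory
// accepts UPN logins ("user@domain") over LDAPS on port 636.
const LDAP_URI   = 'ldaps://ldap.example.com:636'; // placeholder host
const UPN_SUFFIX = '@example.com';                  // placeholder realm

function ldap_authenticate(string $username, string $password): bool
{
    // 1. Reject empty and whitespace-only passwords before touching LDAP.
    //    With an empty password the server performs an unauthenticated bind
    //    (RFC 4513 s5.1.2) and ldap_bind() returns true for any name.
    if (trim($password) === '') {
        return false;
    }

    // 2. Accept only a plain account name: no '@', '\', ',' or '=' that could
    //    be read as a DN, filter fragment or caller-supplied realm.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Certificate verification (TLS_REQCERT demand) is left to ldap.conf.

    // 3. Append the suffix here so the user cannot choose a different realm.
    //    '@' suppresses the warning ldap_bind() emits on invalid credentials.
    $ok = @ldap_bind($conn, $username . UPN_SUFFIX, $password);
    if ($ok !== true) {
        ldap_unbind($conn);
        return false;
    }

    // 4. Ask the server who we are. An anonymous or unauthenticated bind
    //    yields an empty authzId, so treat that as a failed login.
    $who = @ldap_exop_whoami($conn);
    ldap_unbind($conn);
    return is_string($who) && $who !== '';
}

// Usage (form fields are assumed to be already read into these variables):
// if (ldap_authenticate($username, $password)) { /* start session */ }
// else { /* redirect back to the login page */ }
```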