
Quite new to PHP and LDAP here, looking for some assistance with a personal project (trying to teach myself!).

I would like to password protect certain pages on our website using a simple login box.

My login.php page contains a simple login form with username and password inputs. I have managed to get the login process working using the code below. I am able to use my Active Directory username/pass to login via this form and proceed to the desired page, no issues.

However I'm not sure if I am doing it the 'correct' way.

My code:

ldap.php

<?php
session_start();

function authenticate($user, $password) {
    if (empty($user) || empty($password)) return false;

    $ldaphost        = "ad.example.com";
    $ldap_dn         = "DC=ad,DC=example,DC=com";
    $ldap_user_group = "Staff";
    $ldap_usr_dom    = '@ad.example.com';

    $ldap = ldap_connect($ldaphost);
    if ($ldap === false) return false;
    // Active Directory requires LDAPv3; not chasing referrals avoids hangs against AD
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind with the user's own UPN and password. A failed bind means the credentials
    // are wrong, so return false instead of die()-ing with the raw LDAP error in the page.
    if (!@ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
        ldap_unbind($ldap);
        return false;
    }

    // Escape the username before embedding it in the filter so it cannot change the filter syntax
    $filter = "(sAMAccountName=" . ldap_escape($user, "", LDAP_ESCAPE_FILTER) . ")";
    $result = ldap_search($ldap, $ldap_dn, $filter, array("memberof"));
    if ($result === false) {
        ldap_unbind($ldap);
        return false;
    }
    $entries = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);

    if ($entries === false || $entries["count"] < 1 || empty($entries[0]["memberof"])) return false;

    // Compare the CN of each group DN exactly. The original strpos() test matched "Staff"
    // as a substring of unrelated group names and returned 0 (falsy) for a match at offset 0.
    $access = 0;
    foreach ($entries[0]["memberof"] as $key => $grps) {
        if ($key === "count") continue;          // ldap_get_entries() adds a 'count' element to every attribute
        $rdns = ldap_explode_dn($grps, 1);       // values only: ["count" => n, 0 => "Staff", 1 => "Groups", ...]
        if ($rdns !== false && strcasecmp($rdns[0], $ldap_user_group) === 0) {
            $access = 1;
            break;
        }
    }

    if ($access != 0) {
        session_regenerate_id(true);             // fresh session id on login so a pre-login id cannot be reused
        $_SESSION['user']   = $user;
        $_SESSION['access'] = $access;
        return true;
    }
    return false;
}

I've been told (by someone else) that this particular LDAP authentication process should work in two steps, as follows:

  • A search is made for the entered user name. I would recommend you use a search user DN and password for this – a user that has search permissions. It binds with these credentials before making the search. If the search succeeds it retrieves the DN of the found user and the search attribute which will later be used to look up the member record.
  • A second bind is then made with the retrieved user DN and the entered password. If this bind succeeds then the user is authenticated.

My questions are:

  • Is the above statement correct?
  • Are two 'binds' necessary?
  • Can't I just bind the LDAP connection with the credentials the user entered?

Any advice is appreciated, I'm struggling to get my head round the authentication process really :s

1 Answer

Short Answers:

  • yes
  • yes
  • no

Long answer: Currently you can only bind with the user's username and email address. And that only works with AD as backend. So when you want to do an AD-Authenticator that's OK. But you specifically asked for an LDAP-Authenticator. And an LDAP bind only works with a DN as the "username". As most of your users will not know that, it's easier for them to remember an email address or a username for a login. So you will need to find the DN from the user's login data. So you will need to do a search in the LDAP and for that you have to bind. So to bind as the user you need to bind... To get around that circular dependency you need to bind first as someone that has read access to the directory and use that session to find the DN of the user. When found, you use that DN and the user-provided password to do a second bind to verify the user's credentials.

I did a talk about that just two days ago at zendcon. You can find the slides with some examples at https://heiglandreas.github.io/slidedeck/Directory_Authentication_with_LDAP/20161019%20-%20zendcon/index_online.html
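The search-then-bind flow described in the question's two bullet points and in the long answer above, as an added PHP example that is not part of the answer or of the linked slides. The host name, base DN, service-account DN and the LDAP_SEARCH_PASSWORD environment variable are assumptions; the function returns the authenticated user's DN, or null on any failure, so the caller can decide what to store in the session.

```php
<?php
// Two-step LDAP authentication (added example, not the answerer's code):
//   1. bind as a read-only search account and resolve the login name to a DN
//   2. bind again as that DN with the password the user typed
// Host, base DN, service-account DN and the environment variable are assumed placeholders.

function ldap_authenticate_two_step(string $login, string $password): ?string
{
    // An empty password would turn the second bind into an anonymous bind, which
    // many servers accept, so it must be rejected before talking to the directory.
    if ($login === '' || $password === '') {
        return null;
    }

    $host      = 'ldaps://ldap.example.com';                                  // assumed; LDAPS so the password is not sent in clear
    $base_dn   = 'DC=example,DC=com';                                         // assumed
    $search_dn = 'CN=svc-ldap-search,OU=Service Accounts,DC=example,DC=com'; // assumed read-only search account
    $search_pw = getenv('LDAP_SEARCH_PASSWORD') ?: '';                        // assumed; supplied by the environment, not hard-coded
    if ($search_pw === '') {
        return null;   // refuse to fall back to an anonymous search bind
    }

    $ldap = ldap_connect($host);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the search account and look up the user's DN.
    if (!@ldap_bind($ldap, $search_dn, $search_pw)) {
        ldap_unbind($ldap);
        return null;
    }

    // Escape the user-supplied login so it cannot alter the filter's structure,
    // then accept either a username (sAMAccountName / uid) or an e-mail address (mail).
    $safe   = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    $filter = "(|(sAMAccountName=$safe)(uid=$safe)(mail=$safe))";
    $result = ldap_search($ldap, $base_dn, $filter, ['1.1']);   // '1.1' = request no attributes, only the DN is needed
    if ($result === false) {
        ldap_unbind($ldap);
        return null;
    }
    $entries = ldap_get_entries($ldap, $result);

    // Exactly one match is required: zero means an unknown user, more than one is ambiguous
    // and must not be resolved by picking the first entry.
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ldap);
        return null;
    }
    $user_dn = $entries[0]['dn'];

    // Step 2: bind as the resolved DN with the password the user entered. This is the
    // real credential check; the directory applies its own password policy and lockout.
    $ok = @ldap_bind($ldap, $user_dn, $password);
    ldap_unbind($ldap);

    return $ok ? $user_dn : null;
}

// Usage from a login handler (form fields 'username' and 'password' are assumed).
session_start();
$dn = ldap_authenticate_two_step($_POST['username'] ?? '', $_POST['password'] ?? '');
if ($dn === null) {
    http_response_code(401);
    exit('Login failed');        // same message for unknown user and wrong password
}
session_regenerate_id(true);     // new session id after login so a pre-login id cannot be reused
$_SESSION['user_dn'] = $dn;
```

The search account only needs read access to the attributes used in the filter, and its password is the one secret the web server holds; the user's own password never has to be stored, because the second bind is the only place it is used. Returning a single "Login failed" message for both "no such user" and "wrong password" keeps the login form from confirming which usernames exist.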


1 Comment

Thanks for this and your slides are very helpful - I could have been doing with them earlier lol :)
