I'm developing a system for work here and, rather than have their own database for user/pass authentication, I've decided to try to tie authentication into our LDAP server.

I don't know too much about LDAP, so any constructive comments would be appreciated. Please keep in mind, I also have to keep this somewhat simple so anyone who would take my place could be able to understand and modify it...

We go in first anonymously so we can get valid DN -- as it stands all some-odd 10,000 of our user base is in a single ou, but we're in the process of re-organizing the directory -- this is the best way to get the correct login method.

Then, using that information, we redo the search as the user, using the supplied password, to make sure they're authenticatable.

<?php
include_once("include/session.inc");
include_once("include/functions.inc");

PageTop();
LocBar("Financial Department -> Login");

if( isset($_POST['login']) && isset($_POST['password']) )
{
    //LDAP stuff here.
    $username = trim($_POST['login']);
    $password = trim($_POST['password']);

    TabTop("Authenticating...");
    $ds = ldap_connect(_LDAP_SERVER_);

    //Can't connect to LDAP.
    if( !$ds )
    {
        echo "Error in contacting the LDAP server -- contact ";
        echo "technical services!  (Debug 1)";
        TabBot();
        exit;
    }

    //Connection made -- bind anonymously and get dn for username.
    $bind = @ldap_bind($ds);

    //Check to make sure we're bound.
    if( !$bind )
    {
        echo "Anonymous bind to LDAP FAILED.  Contact Tech Services! (Debug 2)";
        TabBot();
        exit;
    }

    $search = ldap_search($ds, "dc=corp,dc=sample,dc=com", "uid=$username");

    //Make sure only ONE result was returned -- if not, they might've thrown a * into the username.  Bad user!
    if( ldap_count_entries($ds, $search) != 1 )
    {
        echo "Error processing username -- please try to login again. (Debug 3)";
        redirect(_WEBROOT_ . "/login.php");
        TabBot();
        exit;
    }

    $info = ldap_get_entries($ds, $search);

    //Now, try to rebind with their full dn and password.
    $bind = @ldap_bind($ds, $info[0]['dn'], $password);
    if( !$bind || !isset($bind) )
    {
        echo "Login failed -- please try again. (Debug 4)";
        redirect(_WEBROOT_ . "/login.php");
        TabBot();
        exit;
    }

    //Now verify the previous search using their credentials.
    $search = ldap_search($ds, "dc=corp,dc=sample,dc=com", "uid=$username");

    $info = ldap_get_entries($ds, $search);
    if( $username == $info[0]['uid'][0] )
    {
        echo "Authenticated.";
        TabBot();
        $_SESSION['username'] = $username;
        $_SESSION['fullname'] = $info[0]['cn'][0];
        redirect(_WEBROOT_ . "/index.php");
        exit;
    }
    else
    {
        echo "Login failed -- please try again.";
        redirect(_WEBROOT_ . "/login.php");
        TabBot();
        exit;
    }
    ldap_close($ds);
    exit;
}
?>

<form action=login.php method=post name=Auth>

<?php TabTop("Please Login"); ?>
Please log in using your user name and your 
portal password:<p>

<table cellspacing=3 cellpadding=3 class=ContentBodyTable>
   <tr>
      <td>Username: </td>
      <td><input type=text name=login size=16 maxlength=15 class=textInput></td>
   </tr>
   <tr>
      <td>Password: </td>
      <td><input type=password name=password size=16 maxlength=15 class=textInput></td>
   </tr>
   <tr>
      <td colspan=2><input type=submit value=Authenticate class=SubmitInput style='width:100'></td>
   </tr>
</table>
</form>
<?php TabBot(); ?>

<!-- Set the focus to the login text field onload. -->
<script language="JavaScript" type="text/javascript">
   document.Auth.login.focus();
</script>
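The anonymous-search-then-rebind flow described in the post, as an added example that is not the poster's code: it escapes the username before it goes into the search filter, refuses empty passwords (a DN bind with an empty password is treated as an anonymous bind by many directory servers and so "succeeds" without checking anything), and negotiates STARTTLS so the password is not sent in clear text. The server URI and base DN are placeholders.

```php
<?php
// Added example, not the poster's code. Returns ['username', 'fullname'] on
// success, null when the user is unknown or the password is wrong.
function ldapAuthenticate(string $username, string $password,
                          string $server = 'ldap://ldap.example.invalid',   // placeholder
                          string $baseDn = 'dc=corp,dc=sample,dc=com'): ?array
{
    // An empty password turns the DN bind into an unauthenticated (anonymous)
    // bind on many servers, which succeeds without checking anything. Refuse it.
    if ($username === '' || $password === '') {
        return null;
    }

    $ds = ldap_connect($server);
    if ($ds === false) {
        throw new RuntimeException('Cannot reach LDAP server');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Protect the password in transit (use ldap:// with STARTTLS; an ldaps:// URI
    // would already be encrypted and must skip this call).
    if (!ldap_start_tls($ds)) {
        throw new RuntimeException('STARTTLS negotiation failed');
    }

    // Step 1: anonymous bind, then look up the user's DN. ldap_escape() neutralises
    // filter metacharacters such as * ( ) \ so a username cannot alter the filter.
    if (!@ldap_bind($ds)) {
        throw new RuntimeException('Anonymous bind failed');
    }
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $search = ldap_search($ds, $baseDn, $filter, ['uid', 'cn']);
    if ($search === false || ldap_count_entries($ds, $search) !== 1) {
        ldap_unbind($ds);
        return null;   // unknown user, or more than one match
    }
    $entry = ldap_get_entries($ds, $search)[0];

    // Step 2: rebind as the user with the supplied password; this is the actual check.
    $ok = @ldap_bind($ds, $entry['dn'], $password);
    ldap_unbind($ds);
    if (!$ok) {
        return null;   // wrong password
    }
    return ['username' => $entry['uid'][0], 'fullname' => $entry['cn'][0] ?? ''];
}
```

On success the returned array is what a caller would store in `$_SESSION`; any exception means the directory itself is unreachable and should be reported separately from a plain bad login.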
    4 months later

    Hi,

    Did you ever get a resolution to this or get it working? I am new to PHP and want to be able to get the user's full name from their login credentials.

    I have done this in ASP before using a server side component called ASPUser. I could get the user's login details from server variables and then, passing that to the server side component, I could get the user's full name.

    We now have a forum developed in PHP and we want to be able to do the same thing.

    Can you help please.

    Thanks

      This code works fine -- this board is for critique of the finished product. 🙂

      You should be able to plug in your LDAP server and get some results. Be sure to check out php.net's info on the LDAP functions -- lots of helpful examples there!

      Gluck.

        3 years later

        This looks great and I'd like to use it, but what goes in session.inc and functions.inc?

        Wynder wrote:

        I'm developing a system for work here and, rather than have their own database for user/pass authentication, I've decided to try to tie authentication into our LDAP server.

        I don't know too much about LDAP, so any constructive comments would be appreciated. Please keep in mind, I also have to keep this somewhat simple so anyone who would take my place could be able to understand and modify it...

          cdukes wrote:

          This looks great and I'd like to use it, but what goes in session.inc and functions.inc?

          Other stuff from the application that I used this authentication method for... session handling stuff and business logic. You can strip those two lines of code out and it should still work fine.

            What about PageTop(), locbar(), etc.?
            I also wanted to figure out how to store the user data into a session for later use, any examples of that?
            Thanks!

            Wynder wrote:

            Other stuff from the application that I used this authentication method for... session handling stuff and business logic. You can strip those two lines of code out and it should still work fine.

              cdukes wrote:

              What about PageTop(), locbar(), etc.?

              At a wild guess I'd say that PageTop() outputs the top of the HTML page, locbar() writes HTML for a location bar, TabBot(); writes the HTML for the end of a table.... all output handling and nothing LDAP-related, in other words.
