I'm developing a system for work here and, rather than have its own database for user/pass authentication, I've decided to try to tie authentication into our LDAP server.
I don't know too much about LDAP, so any constructive comments would be appreciated. Please keep in mind, I also have to keep this somewhat simple so anyone who takes my place could understand and modify it...
We go in first anonymously so we can get a valid DN -- as it stands all 10,000-odd of our user base is in a single ou, but we're in the process of re-organizing the directory -- this is the best way to get the correct login method.
Then, using that information, we redo the search as the user, using the supplied password, to make sure they're authenticatable.
<?php
include_once("include/session.inc");
include_once("include/functions.inc");
PageTop();
LocBar("Financial Department -> Login");
if( isset($_POST['login']) && isset($_POST['password']) )
{
//LDAP stuff here.
$username = trim($_POST['login']);
$password = trim($_POST['password']);
TabTop("Authenticating...");
$ds = ldap_connect(_LDAP_SERVER_);
//Can't connect to LDAP. (Was "!ds" -- a bare constant, so the check never fired.)
if( !$ds )
{
echo "Error in contacting the LDAP server -- contact ";
echo "technical services! (Debug 1)";
TabBot();
exit;
}
//Most directories expect LDAPv3; PHP's default is v2.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
//Connection made -- bind anonymously and get dn for username.
$bind = @ldap_bind($ds);
//Check to make sure we're bound. (Was "!bind" -- same bare-constant bug.)
if( !$bind )
{
echo "Anonymous bind to LDAP FAILED. Contact Tech Services! (Debug 2)";
TabBot();
exit;
}
//An empty password must be refused here: a bind with a DN and no password
//is an *unauthenticated* bind, which many servers accept, so it would
//otherwise count as a successful login for any known username.
if( $password === "" )
{
echo "Login failed -- please try again. (Debug 3)";
redirect(_WEBROOT_ . "/login.php");
TabBot();
exit;
}
//Escape the username so *, (, ), \ and NUL are matched literally instead
//of being interpreted as filter syntax (ldap_escape needs PHP >= 5.6).
$filter = "(uid=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
$search = ldap_search($ds, "dc=corp,dc=sample,dc=com", $filter);
//Make sure only ONE result was returned -- if not, they might've thrown a * into the username. Bad user!
if( ldap_count_entries($ds,$search) != 1 )
{
echo "Error processing username -- please try to login again. (Debug 4)";
redirect(_WEBROOT_ . "/login.php");
TabBot();
exit;
}
$info = ldap_get_entries($ds, $search);
//Now, try to rebind with their full dn and password.
//(Array keys must be quoted strings; bare dn/uid/cn are undefined constants.)
$bind = @ldap_bind($ds, $info[0]['dn'], $password);
if( !$bind )
{
echo "Login failed -- please try again. (Debug 5)";
redirect(_WEBROOT_ . "/login.php");
TabBot();
exit;
}
//Now verify the previous search using their credentials.
$search = ldap_search($ds, "dc=corp,dc=sample,dc=com", $filter);
$info = ldap_get_entries($ds, $search);
if( ldap_count_entries($ds,$search) == 1 && $username == $info[0]['uid'][0] )
{
echo "Authenticated.";
TabBot();
$_SESSION['username'] = $username;
$_SESSION['fullname'] = $info[0]['cn'][0];
ldap_close($ds);
redirect(_WEBROOT_ . "/index.php");
exit;
}
else
{
echo "Login failed -- please try again.";
ldap_close($ds);
redirect(_WEBROOT_ . "/login.php");
TabBot();
exit;
}
}
?>
<form action="login.php" method="post" name="Auth">
<?php TabTop("Please Login"); ?>
Please log in using your user name and your
portal password:<p></p>
<table cellspacing="3" cellpadding="3" class="ContentBodyTable">
<tr>
<td>Username: </td>
<td><input type="text" name="login" size="16" maxlength="15" class="textInput"></td>
</tr>
<tr>
<td>Password: </td>
<td><input type="password" name="password" size="16" maxlength="15" class="textInput"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Authenticate" class="SubmitInput" style="width:100px"></td>
</tr>
</table>
</form>
<?php TabBot(); ?>
<!-- Set the focus to the login text field onload. -->
<script type="text/javascript">
document.Auth.login.focus();
</script>
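The same search-then-rebind flow, as an added example in Python (not the poster's code), with the two checks the PHP above relies on being done right: RFC 4515 escaping of the username before it is placed in the filter, and rejection of an empty password, since a bind with a DN and no password is an unauthenticated bind that many servers accept. The `search`/`bind` callables and the username allow-list regex are assumptions; wire them to python-ldap or ldap3 for real use.

```python
import re
from typing import Callable, Optional, Sequence

# RFC 4515: characters that change the meaning of a search filter are
# replaced by \XX hex escapes so the value is matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for literal matching inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(username: str) -> str:
    """Injection-safe equivalent of the post's "uid=$username" filter."""
    return f"(uid={escape_filter_value(username)})"


# Hypothetical allow-list matching the form's maxlength=15 (assumption).
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,15}")


def ldap_login(username: str, password: str,
               search: Callable[[str], Sequence[dict]],
               bind: Callable[[str, str], bool]) -> Optional[dict]:
    """Anonymous search for the user's DN, then bind as that DN.

    search(filter) -> entries shaped {"dn", "uid", "cn"} (assumed adapter);
    bind(dn, password) -> True on a successful simple bind.
    Returns the entry on success, None on any failure.
    """
    if not _USERNAME_RE.fullmatch(username):
        return None
    # RFC 4513: DN plus empty password is an *unauthenticated* bind, which
    # many servers accept; treating it as success would log anyone in.
    if password == "":
        return None
    entries = search(build_uid_filter(username))
    if len(entries) != 1:          # 0 = unknown user, >1 = ambiguous match
        return None
    entry = entries[0]
    if entry["uid"] != username:   # belt and braces: exact, case-sensitive uid
        return None
    if not bind(entry["dn"], password):
        return None
    return entry
```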