Validate user in win domain?

byp

Hi,

it`s possible to validate a windows user in a windows domain from PHP?

I mean, in a login form, instead of validating the user in my own database, valitate the user as a domain user.

y run PHP4 in an apache 1.3 on win2000 (and other in XP)

thanks anyway

Bernardo.

PS: if there is a thread relative to this please send me the link, i didnt find any.

scrupul0us

if u have LDAP compiled/configured with your PHP installation then yes... i have a ready to role script for this

byp

I have recently installed LDAP support. I don't know if I do it well., but if you lend me those scripts I could try.

scrupul0us

start here, using an example from php.net to get yourself familiar with how it works:

<?php
// basic sequence with LDAP is connect, bind, search, interpret search
// result, close connection

echo "<h3>LDAP query test</h3>";
echo "Connecting ...";
$ds=ldap_connect("localhost");  // must be a valid LDAP server!
echo "connect result is " . $ds . "<br />";

if ($ds) {
   echo "Binding ...";
   $r=ldap_bind($ds);    // this is an "anonymous" bind, typically
                           // read-only access
   echo "Bind result is " . $r . "<br />";

   echo "Searching for (sn=S*) ...";
   // Search surname entry
   $sr=ldap_search($ds, "o=My Company, c=US", "sn=S*"); 
   echo "Search result is " . $sr . "<br />";

   echo "Number of entires returned is " . ldap_count_entries($ds, $sr) . "<br />";

   echo "Getting entries ...<p>";
   $info = ldap_get_entries($ds, $sr);
   echo "Data for " . $info["count"] . " items returned:<p>";

   for ($i=0; $i<$info["count"]; $i++) {
       echo "dn is: " . $info[$i]["dn"] . "<br />";
       echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
       echo "first email entry is: " . $info[$i]["mail"][0] . "<br /><hr />";
   }

   echo "Closing connection";
   ldap_close($ds);

} else {
   echo "<h4>Unable to connect to LDAP server</h4>";
}
?>

if u can get that to work properly then i can send you my LDAP package later tonight (im at work currently) around 8pm EST if u provide me with your email address via PM...

byp

Ok, but before trying to run this code I must understand some things about LDAP

How could I know the LDAP server knowing only the domain name? it is possible?

I must install something else different to the PHP dlls to be able to use LDAP?

thanks

scrupul0us

if php is compiled with LDAP then no, nothing extra is needed, you can use the LDAP functionality

as for the sever.. u can provide the IP address or the FQDN (Fully Qualified Domain Name) of the server... so it could be the .com address of the server... you might ask your IT Manager... i did some looking around and found it in the windows registry since it logs your past logon attempts and to where... search your windows registry for LDAP:// and the value should give you some clue

an example:

LDAP://OU=Users,OU=Centers,OU=sei,DC=ldap,DC=mysite,DC=com

in this instance you just want the DC bits (domain controller)... so the server for LDAP would be @ ldap.mysite.com

dont make changes to your registry, just LOOK!

byp

Ok scropolous , it works!, I could find the name of the LDAP server, and connect to it, as an anonymous bind

I'm ready for the next stage!!!

scrupul0us

awesome... the next thing id toy around with connecting using a user name and password:

$ad = ldap_connect($ldap_server) 
ldap_bind($ad,$ldap_user,$ldap_password)

for my usage my username was:

mylogin@mysite.com and the password was my normal password

if u can get that working your even better off 🙂

byp

that works scrupul0us, if the user is a valid user in the win domain it can login in the LDAP server.

I was thinking that this would be a way to validate users in the domain, but,
don't you think that this is a careless way to validate users? I mean, trying to login with the user that I recive from the form is a valid method?, perhaps there is other elegant way to do it using LDAP.

byp

that works scrupul0us, if the user is a valid user in the win domain it can login in the LDAP server.

I mean:

$user = $_POST['usuario'];
$pas  = $_POST['pass'];
$user = "ntdom1\\".$user;

error_reporting(1);
$ad = ldap_connect("LDAP server");
if (ldap_bind($ad,$user,$pas)) {
	echo "usuario válido en NTDOM1"; //continue script
}else {

echo "usuario NO válido en NTDOM1";
    exit;
}

scrupul0us

well think about it... if the user is supplying a correct name and password then they are authenticated... thats what u had asked for... what ive given u so far isnt elegant per-se but u can dress it up and add some other PHP checks for user input and such, but it does what you want; validate a windows domain user using PHP

byp

OK scrupul0us, thank you for the help!!!

bye bye

Bernardo.-

scrupul0us

let me know if u have any other difficulties... it took me a good week or so to get everything setup and working the way i wanted it... i also emulated a windows 2000 login environment too so it looked more familiar to my users... but down and dirty what u have thus far will do the trick!

dont forget to mark the thread resolved using the threads tools menu