Viewed   107 times

I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Anyone had done anything similar, with success?

  • Edit: I'd prefer a library/class with code that's ready to go... It'd be silly to invent the wheel when someone has already done so.



Importing a whole library seems inefficient when all you need is essentially two lines of code...

$ldap = ldap_connect("");
if ($bind = ldap_bind($ldap, $_POST['username'], $_POST['password'])) {
  // log them in!
} else {
  // error message
Thursday, August 18, 2022

Authentication is a confusing mess. Here is some background.

  • LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).

  • NTLM: NTLM is Microsoft's SSO built into IE, ActiveDirectory and IIS. The original version of NTLM is very insecure so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.

  • Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) Authentication. ActiveDirectory supports a version of Kerberos.

As far as the Apache modules that can be used to implement these protocols, you included a pretty good list of them.

  • mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).

  • mod_auth_kerb: This is an Apache module that implements Kerberos.

  • mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).

  • Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.

  • mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.

Friday, September 30, 2022

If you're using Apache 2.2, this is actually pretty easy. Make sure you configure Apache to have both mod_ldap and mod_authnz_ldap enabled.

Here is the minimum needed for AD ldap authentication and authorization:

<Location /path/to/repo/>
    AuthType basic
    AuthName "My Repository"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "DN of service account allowed to search"
    AuthLDAPBindPassword "Password of service account allowed to search"
    Require ldap-group DN of group allowed access to repo

For the ldap-group, don't surround the DN with quotation marks. By specifying port 3268, you will be connecting to the global catalog. I found this works much better because Apache won't get a bunch of referrals.

Wednesday, August 3, 2022

After doing some research and talking to a few system admins who would be managing this, we've settled on an two options, which should satisfy most people. I'll describe them here for those who were also interested in the outcome.

Authentication Service installed in the origanisation's DMZ

If users wish to utilise authentication with an on-premises active directory server they will be required to install an agent in their DMZ and open port 443 to it. Our service will be configured to hit this service to perform authentication.

This service will sit in the DMZ and receive authentication requests from the SaaS application. The service will attempt to bind to active directory with these credentials and return a status to indicate success or failure.

In this instance the application's forms based authentication will not change, and the user will not be aware of the authentication behind the scenes.


Similar to the first approach, a service will be installed in the client's DMZ, and port 443 will be opened. This will be an OpenId provider.

The SaaS application will be an OpenId consumer (already is for Facebook, Twitter, Google etc login).

When a user wishes to log in, the OpenId provider will be presented, asking them to enter their user name and password. This login screen would be served from the client's DMZ. The user would never enter their username or password into the SaaS application.

In this instance, the existing forms based authentication is replaced with the OpenId authentication from the service in the client's DNZ.

A third option that we're investigating is Active Directory Federated Services, but this is proprietary to Active Directory. The other two solutions support any LDAP based authentication across the internet.

Thursday, December 1, 2022

Believe I found a way to do this using the LogonUser function of advapi32.dll.

 Dim tokenHandle As New IntPtr(0)
 Const LOGON32_PROVIDER_DEFAULT As Integer = 0
 tokenHandle = IntPtr.Zero
 Dim returnValue As Boolean = LogonUser("<username>", "<domain>", "<password>", LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, tokenHandle)

 Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As [String], _
                        ByVal lpszDomain As [String], ByVal lpszPassword As [String], _
                        ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
                        ByRef phToken As IntPtr) As Boolean

When disconnected this appears to validate against the local cached version of the last log on.

Monday, August 15, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :