Asked  2 Years ago    Answers:  5   Viewed   100 times

I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Has anyone done anything similar, with success?

  • Edit: I'd prefer a library/class with code that's ready to go... It'd be silly to invent the wheel when someone has already done so.

 Answers

3

Importing a whole library seems inefficient when all you need is essentially two lines of code...

<?php
$ldap = ldap_connect("ldap://ldap.example.com");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // Active Directory requires LDAPv3
// With an empty password ldap_bind() performs an anonymous bind, which succeeds for any
// username, so refuse an empty password before binding.
if (($_POST['password'] ?? '') !== '' && ldap_bind($ldap, $_POST['username'] ?? '', $_POST['password'])) {
  // log them in!
} else {
  // error message
}
Thursday, August 18, 2022
3

You have to explicitly tell the LDAP client to ignore untrusted certificates. You can do so by adding the following to your ldap.conf file:

TLS_REQCERT never

This solution is not the preferred one though. You should add the required CA root to your client and ensure that the certificate is correctly generated with the server's name in it (and if my memory serves me right the complete CA chain), otherwise nothing would stop someone from performing a MITM attack.

Wednesday, October 5, 2022
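The following is an added example, not code from either answer above, that puts the two-line bind answer and this certificate answer together: it authenticates one user against Active Directory over LDAPS, sets the PHP equivalent of TLS_REQCERT (LDAP_OPT_X_TLS_REQUIRE_CERT with DEMAND rather than NEVER) together with a CA bundle, and refuses the empty password that would otherwise turn the simple bind into an anonymous one. The host name, UPN suffix and CA file path are placeholders; it assumes the ldap extension exposes the LDAP_OPT_X_TLS_* options (OpenLDAP-based builds, PHP 7.1 or later), which the official Windows builds used under IIS do.

```php
<?php
// Added example: authenticate a user against Active Directory over LDAPS with the
// server certificate verified. All three constants are placeholders for your own site.
const AD_HOST   = 'ldaps://dc.example.internal';      // placeholder domain controller
const AD_DOMAIN = 'example.internal';                  // placeholder UPN suffix
const AD_CA     = '/etc/ssl/certs/corp-root-ca.pem';   // placeholder CA bundle (PEM)

function ad_authenticate(string $username, string $password): bool
{
    // An empty password makes the simple bind anonymous (unauthenticated), and most
    // directories accept that, so reject it before contacting the server at all.
    if ($username === '' || $password === '') {
        return false;
    }
    // Accept only a plain sAMAccountName: a '@' or '\' in the value would let the
    // caller choose a different realm, and the DN form is not needed for AD.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $ldap = ldap_connect(AD_HOST);   // no socket is opened until the bind
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // PHP's equivalent of the ldap.conf TLS_REQCERT setting. LDAP_OPT_X_TLS_NEVER is
    // what "TLS_REQCERT never" means and silently accepts any certificate; DEMAND
    // rejects a certificate that does not chain to AD_CA or does not match the host.
    ldap_set_option($ldap, LDAP_OPT_X_TLS_CACERTFILE, AD_CA);
    ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // Active Directory accepts the userPrincipalName form (user@domain) for a simple bind.
    $ok = @ldap_bind($ldap, $username . '@' . AD_DOMAIN, $password);
    if (!$ok) {
        // ldap_error() distinguishes bad credentials from a failed TLS handshake.
        error_log('AD bind failed for ' . $username . ': ' . ldap_error($ldap));
    }
    ldap_unbind($ldap);
    return $ok;
}

// Usage from a login handler (example call):
// if (ad_authenticate($_POST['username'] ?? '', $_POST['password'] ?? '')) { /* log them in */ }
```

The TLS options are set on the connection handle before the bind because that is when libldap opens the socket and performs the handshake; setting them afterwards has no effect. A failed handshake surfaces as a failed bind, which is why the log line records ldap_error() rather than just "invalid credentials".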
 
3

As you run it from the server itself, and you just want to read, I would try to use:

...
if (ldap_bind($ldap)) // no bind DN and no password: this is an anonymous bind
...

According to the PHP documentation, if bind_rdn and bind_password are not specified, an anonymous bind is attempted.

Then if your anonymous logon is refused (this should not be, because running under IIS on the server your code is at least executed as a domain user) you will find there how to enable anonymous LDAP binds to Windows Server. This used to work for me on W2K8; I never tested it on W2K12.

Wednesday, November 23, 2022
 
5

Update

In February 2018, the php72 formula (the current version of PHP at that time) has been moved into the core Homebrew tap and renamed as php.

The homebrew/php tap has been deprecated in January 2018 and then archived on March 31, 2018. The formulas it contained are not available any more.

Since February 2018, installing PHP using Homebrew is as easy as:

$ brew install php

The older PHP versions that are still maintained can be installed using the new @ convention for versions (PHP 7.1 is php@7.1).


The original answer (not usable any more)

The PHP ecosystem lives in the homebrew/php tap. You can find there six versions of the interpreter (from 5.3 to 7.1), extensions for them and some PHP-related tools.

In order to install PHP you have to install the homebrew/php tap first (this is needed only once):

$ brew tap homebrew/php
$ brew install php70

Or you can do both operations in a single step by running:

$ brew install homebrew/php/php70

You could discover all these by searching php first:

$ brew search php
Wednesday, December 7, 2022
 
4
Will this approach using memberOf/IsMemberOf work?

It will work subject to the caveats.

Any caveats?

If it works the way the OpenLDAP implementation works, the memberOf attribute only works for entries made after it is enabled. It doesn't 'catch up'.

What about OpenLDAP or other servers? Do they all support such an attribute? (I see that OpenLDAP has a memberOf "overlay", but an administrator must explicitly enable it.)

You can interrogate the root DN of any LDAP server to find out whether it supports the feature. You are correct about OpenLDAP's support of this.

Tuesday, November 1, 2022
 
bozojoe
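The following is an added example, not code from any of the answers, serving both the anonymous-bind answer above and this memberOf answer: it reads the root DSE with an anonymous bind (the directory's vendor, naming contexts and supported controls, extensions and features), and then, on an already-bound connection, checks whether a given entry actually returns memberOf. The server URL and entry DN are placeholders; it assumes the server permits anonymous reads of the root DSE (Active Directory does by default) and that the bound identity may read the entry being checked.

```php
<?php
// Added example: interrogate the root DSE anonymously, then test memberOf on one entry.
const LDAP_URL = 'ldap://dc.example.internal';   // placeholder server

function ldap_root_dse(string $url): ?array
{
    $ldap = ldap_connect($url);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // No bind DN and no password: PHP sends an anonymous simple bind.
    if (!@ldap_bind($ldap)) {
        return null;                                  // anonymous access refused
    }

    // The root DSE is the empty DN read with base scope ("ldap_read").
    $res = ldap_read($ldap, '', '(objectClass=*)', [
        'vendorName', 'vendorVersion', 'namingContexts', 'supportedControl',
        'supportedExtension', 'supportedFeatures', 'supportedSASLMechanisms',
    ]);
    if ($res === false) {
        return null;
    }
    $e = ldap_get_entries($ldap, $res)[0] ?? [];
    ldap_unbind($ldap);

    // ldap_get_entries() lowercases attribute names and stores a 'count' at
    // position 0 of every value list, hence the array_slice().
    $values = fn(string $attr): array => array_slice($e[$attr] ?? [], 1);

    return [
        'vendor'     => $values('vendorname')[0] ?? '(not published)',
        'version'    => $values('vendorversion')[0] ?? '(not published)',
        'contexts'   => $values('namingcontexts'),
        'controls'   => $values('supportedcontrol'),      // OIDs of supported controls
        'extensions' => $values('supportedextension'),    // e.g. StartTLS
        'features'   => $values('supportedfeatures'),     // RFC 4512 feature OIDs
        'sasl'       => $values('supportedsaslmechanisms'),
    ];
}

// memberOf is an attribute of entries, not a root DSE flag: the practical test is to
// request it on an entry over an authenticated connection. Servers that do not
// maintain it (OpenLDAP without the overlay, or entries created before the overlay
// was enabled, as the answer warns) simply omit the attribute.
function entry_member_of($ldap, string $entryDn): ?array
{
    $res = ldap_read($ldap, $entryDn, '(objectClass=*)', ['memberOf']);
    if ($res === false) {
        return null;                                  // entry not readable
    }
    $e = ldap_get_entries($ldap, $res)[0] ?? [];
    return array_slice($e['memberof'] ?? [], 1);      // [] means not populated
}

// Example calls (placeholders):
// print_r(ldap_root_dse(LDAP_URL));
// $ldap = ldap_connect(LDAP_URL); ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_bind($ldap, 'svc-reader@example.internal', getenv('LDAP_PASSWORD'));
// print_r(entry_member_of($ldap, 'CN=Some User,OU=Users,DC=example,DC=internal'));
```

Reading the root DSE anonymously is the least-privilege probe: it tells you what the server is and which controls it advertises without a credential. The memberOf check deliberately runs on one entry rather than on the schema, because an empty result on an entry created before the overlay was enabled is exactly the "doesn't catch up" case described in the answer, and a schema listing would not reveal it.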
 