January 28 2018 - How to Connect PHP to LDAP

The other day I needed to connect PHP to my organization's LDAP/Active Directory server. I hadn't done this before and found it pretty difficult/annoying.

Hopefully, this will help someone else in the future or even just the future version of me if I have to do this again. I've heavily commented the code below for clarity. The script outputs a form that asks for the user's LDAP (Active Directory) credentials. If no relevant $_POST values were submitted to the page, the form is shown. Otherwise the script binds to the LDAP server with the credentials provided and, if the bind succeeds, retrieves some of the user's directory attributes. Two things to keep in mind: a simple bind sends the password to the server as-is, so the connection must be protected with StartTLS or ldaps://, and an empty password must be rejected before calling ldap_bind(), because a bind with a DN and an empty password is an unauthenticated bind that Active Directory accepts by default.

Now that the user has passed authentication (the bind succeeded), you could check whether the user is a member of a certain group, or has certain value(s) on their account, before granting access to anything.

<?php
// Check if we have $_POST values.
// If we do, use them to attempt to authenticate with the LDAP server.
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // An empty password must never reach ldap_bind(): a DN with an empty password
    // is an *unauthenticated* bind, and Active Directory answers that with success
    // by default, so the form would "log in" anyone who leaves the field blank.
    if ($username === '' || $password === '') {
        echo "Invalid username / password";
        exit;
    }

    $ldap = ldap_connect('ldap://idir.bcgov'); // Replace `idir.bcgov` with your own organization's server address.
    if ($ldap === false) {
        echo "Invalid LDAP URI";
        exit;
    }
    $ldaprdn = 'idir' . '\\' . $username; // Replace `idir` with your own organization's user domain.

    // I found these LDAP options worked the best with my organization's server. Mileage will vary.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // A simple bind sends the password in the clear, so upgrade the connection with
    // StartTLS first (or connect with ldaps:// on port 636 instead). If the server
    // offers neither, fix the server; do not fall back to plaintext.
    if (!ldap_start_tls($ldap)) {
        echo "Could not establish TLS with the LDAP server";
        exit;
    }

    $bind = @ldap_bind($ldap, $ldaprdn, $password);
    // Did our LDAP bind succeed with the credentials provided?
    // If not, perhaps the credentials are incorrect.
    if ($bind) {
        // Lookup a common LDAP value. The username is user input, so escape it
        // (RFC 4515, ldap_escape() needs PHP >= 5.6) before placing it in the
        // filter; otherwise `*` or `)` in the value changes what the query matches.
        $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        // Replace `DC=idir,DC=BCGOV` with the LDAP "directory" (base DN) that you want to use for your query.
        // Ask only for the attributes we use instead of pulling the whole entry.
        $result = ldap_search($ldap, "DC=idir,DC=BCGOV", $filter,
            ['sn', 'givenname', 'samaccountname', 'distinguishedname']);
        // The user's info/data. (ldap_sort() was removed in PHP 8 and is not
        // needed here: sAMAccountName is unique in a domain, so one entry is expected.)
        $info = ldap_get_entries($ldap, $result);
        if ($info['count'] === 1) {
            $entry = $info[0];
            // Attribute values come from the directory, not from this script;
            // HTML-escape them before echoing into the page.
            echo "You are accessing the user: " . htmlspecialchars($entry['sn'][0] ?? '') . ", "
                . htmlspecialchars($entry['givenname'][0] ?? '')
                . " (samaccountname: " . htmlspecialchars($entry['samaccountname'][0] ?? '') . ")" . PHP_EOL;
            // Example: A common LDAP value (`distinguishedname`), handy for group checks.
            $userDn = $entry['distinguishedname'][0] ?? '';
            // Debugging only: dump every returned attribute.
            // echo '<pre>'; print_r($info); echo '</pre>';
        } else {
            echo "Expected exactly one directory entry, got " . (int) $info['count'];
        }
        // Close the connection to LDAP.
        ldap_close($ldap);
    } else {
        // Our credentials did not validate.
        echo "Invalid username / password";
    }
} else {
?>
<!-- No $_POST username and password values sent so output the form. -->
<form action="#" method="POST">
    <label for="username">Username: </label><input id="username" type="text" name="username" />
    <label for="password">Password: </label><input id="password" type="password" name="password" />
    <input type="submit" name="submit" value="Submit" />
</form>
<?php } ?>
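As an added example (this is not code from the original gist), here is how the group check mentioned above could be done against Active Directory once the bind has succeeded and the user's DN is known. The `$ldap` handle and `$userDn` are assumed to come from the script above, and the group DN in the usage line is a placeholder. The matching-rule OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, which makes the server evaluate nested group membership; it does not exist on other directory servers. The first function also shows, with a constructed hostile username that needs no server, why the lookup filter has to be escaped.

```php
<?php
// Added example, not part of the original gist. Assumes the ext/ldap extension
// (ldap_escape() needs PHP >= 5.6) and, for isMemberOfGroup(), a $ldap handle
// on which ldap_bind() already succeeded, as in the script above.

// Build the user lookup filter with RFC 4515 escaping so that the characters
// ( ) * \ and NUL in the username become \28 \29 \2a \5c \00 and cannot
// change the shape of the filter.
function userFilter(string $username): string
{
    return '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Does the user identified by $userDn belong to $groupDn, directly or through
// nested groups? The matching rule 1.2.840.113556.1.4.1941
// (LDAP_MATCHING_RULE_IN_CHAIN) is Active Directory specific: the server walks
// the group chain itself, so the caller does not have to recurse over memberOf.
// ldap_read() searches only the base object, so the answer is simply whether
// that one object matched the filter.
function isMemberOfGroup($ldap, string $userDn, string $groupDn): bool
{
    // The group DN is an assertion value inside a filter, so it is escaped too.
    $filter = '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:='
        . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . '))';
    $result = ldap_read($ldap, $userDn, $filter, ['dn']);
    if ($result === false) {
        return false; // Treat a failed search as "not a member".
    }
    return ldap_count_entries($ldap, $result) === 1;
}

// Offline demonstration with constructed input: a "username" of `*` would turn
// the unescaped filter into (sAMAccountName=*), which matches every account
// under the base DN instead of one. The escaped form matches a literal `*` only.
$hostile = '*';
echo 'Unescaped: (sAMAccountName=' . $hostile . ')' . PHP_EOL;
echo 'Escaped:   ' . userFilter($hostile) . PHP_EOL;

// Usage after a successful bind in the script above (the group DN is a placeholder):
// if (!isMemberOfGroup($ldap, $userDn, 'CN=Web Admins,OU=Groups,DC=idir,DC=BCGOV')) {
//     echo "You are not allowed to use this application";
//     exit;
// }
```

Because the check runs as the user who just bound, it only needs the default right every authenticated account has to read its own object; no service account is required. If your directory is not Active Directory, replace the matching-rule filter with a plain `(memberOf=...)` comparison and handle nested groups yourself.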