
Suggestions wanted: Authenticating users against LDAP using PHP

  • 14-06-2005 4:01pm
    #1
    Registered Users Posts: 68,317 ✭✭✭✭


    Right, this is something I've been mulling over since this morning. I have a username/password logon system set up for part of an intranet site, but it's not live yet.
    I've been thinking about integrating the authentication with Active Directory using LDAP. This saves people having to remember multiple passwords, and it will make setting up new users on the system easier, since all that has to be supplied is an NT logon.

    The only thing is keeping the logon persistent over the connection. The method for authenticating against LDAP uses the NT logon and the plaintext password, so I don't want to store the NT logon and the password in a cookie, in plaintext, on the machine (to authenticate them for each page).

    Would a session be the best way to go? It's still possible that it could be used by someone other than the authenticated user, but no more than a cookie on the browser I guess - and the username and password wouldn't be stored in plaintext on the machine.

    Or perhaps some sort of two-way encrypting of the data, so that it's not stored either on the machine or server in recognisable format?

    :)


Comments

  • Registered Users Posts: 1,268 ✭✭✭hostyle


    seamus wrote:
    I've been thinking about integrating the authentication with Active Directory using LDAP. This saves people having to remember multiple passwords, and it will make setting up new users on the system easier, since all that has to be supplied is an NT logon.

    I remember doing something like this ages ago, but I don't have the source code anymore or work at that company anymore. There's a way of triggering the browser (or IE at least - in fact it probably only works in IE) to send its Windows credentials automagically to the server. Can't for the life of me remember how though :)

    Actually, the more I think about it - it may have been an IIS thing, so that may not be of any use to you at all.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    I've certainly figured out how to get IE to tell IIS the username (Just disable anonymous access). And this would in fact be good enough, since if IE is relaying the username, then it stands to reason that the correct person has authenticated on the domain.

    It's an Intranet server that the web team are very protective of though, even our server team don't have admin access on it! So I'd like to avoid going down the server config route (plus it's more fun when you try to do it the hard way :p). At the moment all my testing is done on an IIS server on my local machine in work.


  • Closed Accounts Posts: 304 ✭✭Zaltais


    What you probably really want is NTLM, which is similar to HTTP basic authentication. It's built into IIS and IE and just needs to be enabled for a directory or virtual host. The user is authenticated by a (client-side) pre-encoded version of their NT login and password against the PDC (Primary Domain Controller). While not available out of the box on Mozilla browsers, there is an add-on AFAIK. Similarly, mod_ntlm will allow an Apache server to provide the same functionality. It's all server-side configuration though, so it may not be practical / possible for you to implement in your situation.


  • Registered Users Posts: 1,862 ✭✭✭flamegrill


    seamus my dear friend, how are you? :)

    Anyways, enough of that. I can't say this works, it's not tested etc. etc., however it may give you a head start.

    [PHP]// connect to LDAP server (the AD host is whatever the original mail used; 172.17.1.11 as posted)
    $ldap = ldap_connect("172.17.1.11") or die("Cannot connect to the ldap server :/");
    $oudc = "cn=Users, dc=thompsonhealth, dc=org";
    $searchdc = "dc=thompsonhealth, dc=org";
    $dn2 = "cn=ldap, ".$oudc;   // service account used only to look up the user's cn
    $password = "password";
    $auth = false;
    // the form field names are assumed here; the original mail had lost them
    $post_user = isset($_POST['username']) ? $_POST['username'] : '';
    $post_pass = isset($_POST['password']) ? $_POST['password'] : '';
    // bind with the service account so we can search the OU
    if (!($res = ldap_bind($ldap, $dn2, $password)))
    {
        print(ldap_error($ldap) . "<br>");
        die("Could not bind to $dn2");
    }
    else
    {
        // set search criteria for OU; the filter needs parentheses and the
        // user-supplied value must be escaped so it cannot change the query
        $filter = "(samaccountname=" . ldap_escape($post_user, "", LDAP_ESCAPE_FILTER) . ")";
        // search OU
        $sr = ldap_search($ldap, $searchdc, $filter);
        if (!$sr)
        {
            die("search failed\n");
        }
        else
        {
            // get fields from search
            $info = ldap_get_entries($ldap, $sr);
            if ($info["count"] == 0)
            {
                $auth = false;
            }
            else
            {
                $auth = true;
                $user_cn = $info[0]["cn"][0];
            }
            // disconnect from LDAP server
            ldap_unbind($ldap);
        }
    }
    if ($auth == false)
    {
        die("Could not authenticate you to the Active Directory Server.");
    }

    // second connection: bind as the user themselves; this is the real password check
    $ldap = ldap_connect("172.17.1.11") or die("Cannot connect to AD server :/");
    $oudc = "cn=Users, dc=thompsonhealth, dc=org";
    $dn2 = "cn=".$user_cn.", ".$oudc;
    $password = $post_pass;

    // an empty password would be an anonymous bind and "succeed", so refuse it first
    if ($password === '' || !($res = ldap_bind($ldap, $dn2, $password)))
    {
        $login = 0;
        $message = "Invalid Active Directory Password.";
    }
    else
    {
        $filter = "(cn=" . ldap_escape($user_cn, "", LDAP_ESCAPE_FILTER) . ")";
        $sr = ldap_search($ldap, "dc=thompsonhealth, dc=org", $filter);
        $info = ldap_get_entries($ldap, $sr);
        ldap_unbind($ldap);
        $login = 1;
        // attribute names are the usual AD ones; the original indexed [0][0] for both
        $mail  = isset($info[0]["mail"][0]) ? $info[0]["mail"][0] : "";
        $phone = isset($info[0]["telephonenumber"][0]) ? $info[0]["telephonenumber"][0] : "";
        $message = "You have successfully logged in to Active Directory.<br>
        <ul>
        <li>Email : ".htmlspecialchars($mail)."</li>
        <li>Phone Number : ".htmlspecialchars($phone)."</li>
        </ul>";
    }[/PHP]

    the original email can be found at http://lists.nyphp.org/pipermail/talk/2004-February/008171.html


  • Registered Users Posts: 1,862 ✭✭✭flamegrill


    http://forums.devshed.com/t74683/s.html and http://www.developer.com/lang/php/article.php/3100951 may also shed some light on what you are doing.

    oh btw, google ... that wondrous new search engine thing ... good starting point :D


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Thanks flamey, that gives a few extra ideas for the code I have. Still doesn't answer my question though (I think) :)


  • Registered Users Posts: 1,862 ✭✭✭flamegrill


    just use sessions.


  • Registered Users Posts: 2,157 ✭✭✭Serbian


    flamegrill wrote:
    just use sessions.

    He could do that, but the whole point of asking this question is that he wants to save people having to remember passwords and to have seamless integration with Windows.

    I do agree that sessions would just be easier though, particularly since Seamus doesn't have control of the server.
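The "just use sessions" approach that the thread settles on, written out as an added example (not code from any poster here): bind once against the domain controller as the user, and then keep only the verified identity in the PHP session, so the NT password is never written to a cookie or to the server. The host name, base DN, UPN suffix and the form field names are assumptions for the example.

```php
<?php
// Added example: LDAP bind once, then session-based persistence without the password.
declare(strict_types=1);

const LDAP_URI   = 'ldaps://dc01.example.local';  // assumed domain controller; ldaps so the password is not sent in clear
const LDAP_BASE  = 'dc=example,dc=local';         // assumed base DN
const UPN_SUFFIX = '@example.local';              // assumed UPN suffix (AD accepts user@domain as the bind name)

// Check a username/password by binding as that user, then read the account's
// display attributes with the same bound connection. Returns null on any failure.
function ldap_authenticate(string $username, string $password): ?array
{
    // An empty password turns the bind into an anonymous one that "succeeds",
    // so reject it (and odd characters in the name) before talking to the server.
    if ($username === '' || $password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // The bind is the actual password check, done by the domain controller.
    if (!@ldap_bind($ldap, $username . UPN_SUFFIX, $password)) {
        ldap_unbind($ldap);
        return null;
    }

    // Escape before building the filter so the value cannot alter the query.
    $filter  = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $sr      = ldap_search($ldap, LDAP_BASE, $filter, ['cn', 'mail']);
    $entries = $sr ? ldap_get_entries($ldap, $sr) : ['count' => 0];
    ldap_unbind($ldap);

    if ($entries['count'] !== 1) {
        return null;
    }
    return [
        'username' => $username,
        'cn'       => $entries[0]['cn'][0] ?? '',
        'mail'     => $entries[0]['mail'][0] ?? '',
    ];
}

// On success store the identity (never the password) and rotate the session id
// so a session id handed to the browser before login cannot be fixed in advance.
function handle_login(string $username, string $password): bool
{
    $user = ldap_authenticate($username, $password);
    if ($user === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

// Per-page check: the session cookie stands in for the credentials on later requests,
// and an absolute lifetime limits how long a stolen cookie stays useful.
function require_login(int $max_age = 8 * 3600): array
{
    if (empty($_SESSION['user']) || (time() - ($_SESSION['login_time'] ?? 0)) > $max_age) {
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['user'];
}

// Usage (login.php): HttpOnly/Secure/SameSite keep the session id out of scripts and off plain HTTP.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (handle_login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: /intranet/index.php');
        exit;
    }
    $error = 'Invalid username or password.';
}
```

Any other page then calls `session_start()` followed by `require_login()` and never sees the password again; what remains exposed is the session cookie, which is why the cookie flags and the lifetime check matter more than any two-way encryption of the credentials.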

