How to authenticate against Active Directory using PHP

If you are like most companies out there, your IT department probably has everyone signing on to a Microsoft Active Directory domain. Wouldn’t it be nice to support single sign-on, avoid all those separate username/password pairs littered across your intranet, and save yourself some database programming? Here’s how.

First things first, you’ll need to make sure you have LDAP support installed. You can double check this by creating a php info page:

phpinfo(); # writes the configuration report itself; look for the "ldap" section

If you run this page and see LDAP support listed, you are good to go. If not, you’ll need to recompile PHP with LDAP support by adding the --with-ldap[=DIR] option to the configure options. For the sake of brevity I’ll assume you understand how to make an HTML login form. Once you have created it, you will want to capture the username and password that the user submits. Now you’ll need to connect to the LDAP server:


session_start(); # make sure this is at the top of your PHP file.
$adServer = "127.0.0.1"; # replace with your AD server ip/hostname (an ldaps:// URL keeps the password off the wire)
$ldapconn = ldap_connect($adServer)
    or $msg = "Could not connect to LDAP server."; # plain variable; there is no class here
# Active Directory requires LDAPv3, and not chasing referrals avoids hangs after the bind.
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

Now that we’re connected, you can attempt to authenticate the username/password submitted, which will return a boolean value:


$email = $_POST["email"];
$password = $_POST["password"];
# AD accepts the user principal name (username@yourdomain) as the bind identity;
# it is often, but not always, the same as the mail address.
$ldaprdn = $email;

# An empty password makes ldap_bind perform an anonymous bind, which AD accepts,
# so the "login" would succeed without checking anything. Reject it up front.
$ldapbind = false;
if ($email !== "" && $password !== "") {
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $password);
}

if ($ldapbind) {
    $msg = "Successfully Authenticated";
    $_SESSION['email'] = $email;
    $_SESSION['password'] = $password; # keeping the password in the session is a risk; storing only the identity is safer
    return true;
} else {
    $msg = "Invalid email address / password";
    return false;
}

Now that you have stored the authenticated username/password in the user’s session data, you just need to run this same script before each page loads, as you would with MySQL user authentication.
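As an added example that is not the post’s own code, here is the same login flow written as one function with the checks a real deployment needs: an empty password is rejected before it can turn into an anonymous bind, LDAPv3 is set explicitly, the server is reached over LDAPS, the raw LDAP error is logged instead of shown, and the session stores only the identity. The host dc01.example.local, the domain example.local and the form field names are assumptions.

```php
<?php
// Added example, not the original post's code. Server, domain and form
// field names are assumptions; replace them for your environment.
session_start();

const AD_SERVER = 'ldaps://dc01.example.local'; // assumption; LDAPS keeps the password off the wire
const AD_DOMAIN = 'example.local';              // assumption; the UPN suffix of your domain

function adAuthenticate(string $username, string $password, string &$msg): bool
{
    // Only bare account names are accepted, so the UPN suffix is always ours.
    // An empty password must never reach ldap_bind: it turns into an anonymous
    // bind, which AD accepts by default, and the "login" would succeed.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username) || $password === '') {
        $msg = 'Invalid username / password';
        return false;
    }

    $conn = ldap_connect(AD_SERVER);
    if ($conn === false) {
        $msg = 'Could not connect to LDAP server.';
        return false;
    }
    // AD requires LDAPv3; not chasing referrals avoids hangs after the bind.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind as user@domain; the warning is suppressed so the raw LDAP error is
    // logged server-side rather than echoed to the browser.
    $ok = @ldap_bind($conn, $username . '@' . AD_DOMAIN, $password);
    if (!$ok) {
        error_log('AD bind failed for ' . $username . ': ' . ldap_error($conn));
        $msg = 'Invalid username / password';
    }
    ldap_unbind($conn);
    return $ok;
}

$msg = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['username'] ?? '');
    if (adAuthenticate($user, (string)($_POST['password'] ?? ''), $msg)) {
        session_regenerate_id(true);   // new session id on login, against fixation
        $_SESSION['user'] = $user;     // store the identity only, never the password
        $msg = 'Successfully Authenticated';
    }
}
// On every protected page, after session_start():
// if (empty($_SESSION['user'])) { header('Location: /login.php'); exit; }
```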

From my experience, half the battle was getting my app to talk to the AD server, so it is best to be clear with your IT guys about what you are attempting and what you need, to minimize frustration. This was a pretty quick overview, so if you have any questions feel free to drop a comment and I will be happy to help. You can also check out the great documentation at php.net.

13 comments

  1. How does the PHP server know the password of the user? In your story the user needs to log in twice, once for Windows and once for the website. How does this make a single login?

  2. @Jim-e, all the user has to provide is their AD credentials (email/password). They are logging into the website, but using their existing login information. The PHP server takes the credentials and authenticates on their behalf against AD.

  3. Is that the complete script above or can you post it, I ask only because the msg seems to be an object that was created that I didn’t see in the script.

    Thanks

  4. Thanks for the post, very useful. Although I had some problems running it. Here is what I changed:

    replaced:
    $ldaprdn = $adServer . "\\" . $_POST["email"]; with

    $ldaprdn = $_POST["email"];

    And $ldaprdn MUST be your AD user name, not email.

  5. Hey Vlad,
    By e-mail I believe he means username@domain.extension, so in short you are authenticating with your “real” username.

  6. Awesome post. You are right that the real battle is knowing how to connect to the LDAP server, and communication is also very important. It helped me a lot. Thanks again.

  7. Hi – your example appears to authenticate only the administrator – how do you log someone on who is not admin? I see a ton of samples of connect, then bind using admin, which is what I can do; but when providing userid+pw of my regular userid, it fails with “invalid credentials.” What am I doing wrong?

  8. Do you have an answer to David’s question posted 14th September? Is it right that you can only authenticate the administrator? Thanks!

  9. We have our users restricted in AD to “LOG ON TO” only their workstation… This doesn’t seem to work unless I add the name of a DC in their LOG ON TO portion of AD, is there a work around for this? As I really don’t want to have to maintain this… Thanks for the help!

  10. Hi, I am working on a project, and I have one question. How do I integrate Outlook Web Access with this? I mean the user just enters the password once and can check mail and browse other things as well, so he doesn’t need to enter details again for Outlook.

  11. @kamkaar – I’m not sure about that one. Since Exchange is running on a separate server, I’m not sure if there is a way to persist that connection with a PHP script in the middle… anyone else have any ideas?

  12. @Rolf, I’m not really sure, as I’m not an AD administrator myself – sorry!

  13. @tom & @david, my AD administrator was nice enough to let me use his admin credentials so I didn’t have to troubleshoot with a normal user account, so I’m not sure about that one either.
