Thursday, Apr 10, 2008

How to authenticate against Active Directory using PHP

If you are like most companies out there, your IT department probably has everyone signing on to a Microsoft Active Directory domain. Wouldn't it be nice to support single sign-on, avoid all those separate username/password pairs littered across your intranet, and save yourself some database programming? Here's how.

First things first, you'll need to make sure you have LDAP support installed. You can double-check this by creating a PHP info page:

phpinfo(); # prints the configuration page itself; look for an "ldap" section in the output



If you run this page and see LDAP support listed, you are good to go. If not, you'll need to recompile PHP with LDAP support by adding the --with-ldap[=DIR] option to the configure options. For the sake of brevity I'll assume you understand how to make an HTML login form. Once you have created it, you will want to capture the username and password that the user submits. Now you'll need to connect to the LDAP server:


session_start(); # make sure this is at the top of your PHP file.
$adServer = "127.0.0.1"; # replace with your AD server IP/hostname
$adDomain = "MYDOMAIN";  # replace with the NetBIOS name of your AD domain (not the server address)
$ldapconn = ldap_connect($adServer)
    or $msg = "Could not connect to LDAP server.";
# Active Directory requires LDAP protocol version 3; these are the usual options for talking to AD.
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

Now that we're connected, you can attempt to authenticate the submitted username and password with ldap_bind(), which returns a boolean:

$email = $_POST["email"];       # the user's AD logon name
$password = $_POST["password"];
$ldaprdn = $adDomain . "\\" . $email; # bind as DOMAIN\username with the user's own credentials
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $password);

if ($ldapbind) {
    $msg = "Successfully Authenticated";
    $_SESSION['email'] = $email;
    $_SESSION['password'] = $password;
    return true;
} else {
    $msg = "Invalid email address / password";
    return false;
}


Now that you have stored the authenticated username/password in the user's session data, you just need to run this same script before each page loads, as you would with MySQL-based user authentication.
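Here is a hardened version of the bind-and-session logic above, written for this post as an added example rather than the post's own code: it refuses empty passwords (which otherwise turn into anonymous binds), binds over LDAPS in user@domain form, and keeps only the username, an auth flag and a timestamp in the session instead of the password, so protected pages check the session rather than re-binding to AD on every load. It assumes session_start() has already been called; the server name dc01.corp.example and suffix corp.example are placeholders.

```php
<?php
// Added example, not the original post's code: a hardened version of the bind check above.
const AD_SERVER   = 'ldaps://dc01.corp.example'; // placeholder DC; LDAPS keeps the password off the wire
const AD_DOMAIN   = 'corp.example';              // placeholder UPN suffix: the user binds as user@corp.example
const SESSION_TTL = 1800;                        // seconds of inactivity before the session expires
function ad_authenticate(string $username, string $password): bool
{
    // An empty password turns ldap_bind() into an anonymous/unauthenticated bind, which can
    // succeed and look like a valid login, so reject it before touching AD.
    if ($username === '' || $password === '') {
        return false;
    }
    // Accept plain account names only; the UPN suffix is appended below.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    $conn = ldap_connect(AD_SERVER);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Bind with the user's own credentials; @ silences the warning on invalid credentials.
    $ok = @ldap_bind($conn, $username . '@' . AD_DOMAIN, $password);
    ldap_unbind($conn);
    return $ok === true;
}
// Call once from the login form handler. Stores the identity, never the password.
function login(string $username, string $password): bool
{
    if (!ad_authenticate($username, $password)) {
        return false;
    }
    session_regenerate_id(true); // fresh session id after login prevents session fixation
    $_SESSION['user']      = $username;
    $_SESSION['auth']      = true;
    $_SESSION['last_seen'] = time();
    return true;
}
// Call at the top of every protected page instead of re-binding to AD on each request.
function require_login(): bool
{
    if (empty($_SESSION['auth']) || time() - (int) $_SESSION['last_seen'] > SESSION_TTL) {
        $_SESSION = [];
        return false; // caller should redirect to the login form
    }
    $_SESSION['last_seen'] = time(); // sliding expiry
    return true;
}
```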

From my experience, half the battle was getting my app to talk to the AD server, so it's best to be clear with your IT guys about what you are attempting and what you need, to minimize frustration. This was a pretty quick overview, so if you have any questions feel free to drop a comment and I will be happy to help. You can also check out the great documentation at php.net.

Reader Comments (31)

How does the php server know the password of the user? In your story the user needs to login twice, once for windows and once for the website. How does this make a single login?

January 19, 2009 | Unregistered Commenter JiM-E

@Jim-e, all the user has to provide is their AD credentials (email/password). They are logging into the website, but using their existing login information. The PHP server takes the credentials and authenticates on their behalf against AD.

January 19, 2009 | Unregistered Commenter David Schultz

Is that the complete script above or can you post it, I ask only because the msg seems to be an object that was created that I didn't see in the script.

Thanks

January 20, 2009 | Unregistered Commenter Al

Thanks for the post, very useful. Although I had some problems running it. Here is what I changed:

replaced:
$ldaprdn = $adServer . "\\" . $_POST["email"]; with

$ldaprdn = $_POST["email"];

And $ldaprdn MUST be your AD user name, not email.

March 6, 2009 | Unregistered Commenter Vlad

Hey Vlad,
By e-mail I believe he means [email protected] so in short you are authenticating with your "real" username

March 16, 2009 | Unregistered Commenter Cameron

Awesome post. You are right that the real battle is knowing how to connect to the LDAP server, and communication is also very important. It helped me a lot. Thanks again.

June 22, 2009 | Unregistered Commenter Ankush Pandit

hi - your example appears to authenticate only the administrator - how do you log someone on who is not admin?? I see a ton of samples of connect, then bind using admin, which is what I can do; but when providing userid+pw of my regular userid, it fails with "invalid credentials." What am I doing wrong?

September 14, 2009 | Unregistered Commenter david

Do you have an answer to david's question posted 14th September? Is it right that you can only authenticate the administrator? Thanks!

November 9, 2009 | Unregistered Commenter Tom

We have our users restricted in AD to "LOG ON TO" only their workstation... This doesn't seem to work unless I add the name of a DC in their LOG ON TO portion of AD, is there a work around for this? As I really don't want to have to maintain this... Thanks for the help!

December 10, 2009 | Unregistered Commenter Rolf

Hi, I am working on a project, and I have 1 question. How do I integrate Outlook Web Access into this, meaning the user just enters the password once and can check mail and browse other things as well, so he doesn't need to enter details again for Outlook?

December 16, 2009 | Unregistered Commenter kamkaar

@kamkaar - I'm not sure about that one. Since Exchange is running on a separate server, I'm not sure if there is a way to persist that connection with a PHP script in the middle... anyone else have any ideas?

December 16, 2009 | Unregistered Commenter David Schultz

@Rolf, I'm not really sure as I'm not an AD administrator myself - sorry!

December 16, 2009 | Unregistered Commenter David Schultz

@tom & @david, my AD administrator was nice enough to let me use his admin credentials so I didn't have to troubleshoot with a normal user account, so not sure about that one either.

December 16, 2009 | Unregistered Commenter David Schultz

Don't store the user's password in a session. Also, don't hit AD on every single page load.

Store only the user's name in the session variable along with a boolean for their auth status and the time that they logged in. You can then use the time they logged in to kill the session after so much time or inactivity.

March 25, 2010 | Unregistered Commenter Mondo

Thanks for this script, easier to authenticate through active directory than LDAP.

You only need the server's IP/name, username plus full domain, and password; that's it.

Tried it and it worked like magic.
Tony

April 29, 2010 | Unregistered Commenter Tony Iha

I'm trying to figure out how this works.

Does it work on IIS?

After AD verification what user is used by web server to operate? Just verified user of some IUSR?

Thanks

May 12, 2010 | Unregistered Commenter Miroslav

correction on previous ....

Just verified user or some IUSR?

Thanks

May 12, 2010 | Unregistered Commenter Miroslav

hi!

If you only enter a username or nothing at all, ldap_bind will evaluate to TRUE.

Only if you enter a username and a wrong password will you get FALSE
- if your LDAP server allows anonymous logins.

br Bernhard

May 25, 2010 | Unregistered Commenter Bernhard

hi

How can I connect Active Directory to my webpage using PHP?

June 17, 2010 | Unregistered Commenter Rhoda

Bernhard is right, you need to add a piece of code in order not to allow blank password fields. Useful guide anyway!

October 21, 2010 | Unregistered Commenter Tia

Thanks for this post. It was very helpful for someone who hadn't used php5-ldap before.

January 22, 2011 | Unregistered Commenter Owen Johnson

I tend to agree with Jim-E, this is an example of common sign on.
If the user has already logged into the domain how do we authenticate using that login?

This is still a useful post, thanks for the information David.

February 17, 2011 | Unregistered Commenter Wayne Koepcke

Thanks a lot, very useful.

June 15, 2011 | Unregistered Commenter Chriss

Mine is a basic question about the format of a password in the Active Directory.
In the UK, the pound sign (£) is a valid keyboard character (above the digit 3) but tests that I have done seem to show that authentication will fail for someone who has a £ symbol in their password.
Is this a hard and fast rule or is there a way round it?

June 21, 2011 | Unregistered Commenter Jim McClean

This code doesn't work for me and I need some help.

I'm on a Windows NT network; the bind always fails and it throws an error saying "Unable to bind to server: Can't contact LDAP server".

Please advise.

August 2, 2011 | Unregistered Commenter Hassan Ali
