Authenticating in PHP using LDAP through Active Directory

Question

I m looking for a way to authenticate users through LDAP with PHP  with Active Directory being the provider   Ideally  it should be able to run on IIS 7  adLDAP does it on Apache   Anyone had done anything similar  with success    Edit  I d prefer a library class with code that s ready to go    It d be silly to invent the wheel when someone has already done so

User · Answer

You would think that simply authenticating a user in Active Directory would be a pretty simple process using LDAP in PHP without the need for a library. But there are a lot of things that can complicate it pretty fast:

You must validate input. An empty username/password would pass otherwise.
You should ensure the username/password is properly encoded when binding.
You should be encrypting the connection using TLS.
Using separate LDAP servers for redundancy in case one is down.
Getting an informative error message if authentication fails.

It's actually easier in most cases to use a LDAP library supporting the above. I ultimately ended up rolling my own library which handles all the above points: LdapTools (Well, not just for authentication, it can do much more). It can be used like the following:

use LdapTools\Configuration;
use LdapTools\DomainConfiguration;
use LdapTools\LdapManager;

$domain = (new DomainConfiguration('example.com'))
    ->setUsername('username') # A separate AD service account used by your app
    ->setPassword('password')
    ->setServers(['dc1', 'dc2', 'dc3'])
    ->setUseTls(true);
$config = new Configuration($domain);
$ldap = new LdapManager($config);

if (!$ldap->authenticate($username, $password, $message)) {
    echo "Error: $message";
} else {
    // Do something...
}

The authenticate call above will:

Validate that neither the username or password is empty.
Ensure the username/password is properly encoded (UTF-8 by default)
Try an alternate LDAP server in case one is down.
Encrypt the authentication request using TLS.
Provide additional information if it failed (ie. locked/disabled account, etc)

There are other libraries to do this too (Such as Adldap2). However, I felt compelled enough to provide some additional information as the most up-voted answer is actually a security risk to rely on with no input validation done and not using TLS.

User · Answer

I do this simply by passing the user credentials to ldap bind     http   php net manual en function ldap-bind php  If the account can bind to LDAP  it s valid  if it can t  it s not  If all you re doing is authentication  not account management   I don t see the need for a library

User · Answer

Importing a whole library seems inefficient when all you need is essentially two lines of code      ldap   ldap connect  ldap example com    if   bind   ldap bind  ldap    POST  username      POST  password            log them in    else        error message

User · Answer

Importing a whole library seems inefficient when all you need is essentially two lines of code      ldap   ldap connect  ldap example com    if   bind   ldap bind  ldap    POST  username      POST  password            log them in    else        error message

User · Answer

PHP has libraries  http   ca php net ldap  PEAR also has a number of packages  http   pear php net search php q ldap amp in packages amp x 0 amp y 0  I haven t used either  but I was going to at one point and they seemed like they should work

User · Answer

I like the Zend Ldap Class  you can use only this class in your project  without the Zend Framework

User · Answer

I do this simply by passing the user credentials to ldap bind     http   php net manual en function ldap-bind php  If the account can bind to LDAP  it s valid  if it can t  it s not  If all you re doing is authentication  not account management   I don t see the need for a library

User · Answer

Importing a whole library seems inefficient when all you need is essentially two lines of code      ldap   ldap connect  ldap example com    if   bind   ldap bind  ldap    POST  username      POST  password            log them in    else        error message

User · Answer

For those looking for a complete example check out http   www exchangecore com blog how-use-ldap-active-directory-authentication-php    I have tested this connecting to both Windows Server 2003 and Windows Server 2008 R2 domain controllers from a Windows Server 2003 Web Server  IIS6  and from a windows server 2012 enterprise running IIS 8

User · Answer

You would think that simply authenticating a user in Active Directory would be a pretty simple process using LDAP in PHP without the need for a library. But there are a lot of things that can complicate it pretty fast:

You must validate input. An empty username/password would pass otherwise.
You should ensure the username/password is properly encoded when binding.
You should be encrypting the connection using TLS.
Using separate LDAP servers for redundancy in case one is down.
Getting an informative error message if authentication fails.

It's actually easier in most cases to use a LDAP library supporting the above. I ultimately ended up rolling my own library which handles all the above points: LdapTools (Well, not just for authentication, it can do much more). It can be used like the following:

use LdapTools\Configuration;
use LdapTools\DomainConfiguration;
use LdapTools\LdapManager;

$domain = (new DomainConfiguration('example.com'))
    ->setUsername('username') # A separate AD service account used by your app
    ->setPassword('password')
    ->setServers(['dc1', 'dc2', 'dc3'])
    ->setUseTls(true);
$config = new Configuration($domain);
$ldap = new LdapManager($config);

if (!$ldap->authenticate($username, $password, $message)) {
    echo "Error: $message";
} else {
    // Do something...
}

The authenticate call above will:

Validate that neither the username or password is empty.
Ensure the username/password is properly encoded (UTF-8 by default)
Try an alternate LDAP server in case one is down.
Encrypt the authentication request using TLS.
Provide additional information if it failed (ie. locked/disabled account, etc)

There are other libraries to do this too (Such as Adldap2). However, I felt compelled enough to provide some additional information as the most up-voted answer is actually a security risk to rely on with no input validation done and not using TLS.

User · Answer

For those looking for a complete example check out http   www exchangecore com blog how-use-ldap-active-directory-authentication-php    I have tested this connecting to both Windows Server 2003 and Windows Server 2008 R2 domain controllers from a Windows Server 2003 Web Server  IIS6  and from a windows server 2012 enterprise running IIS 8

User · Answer

I do this simply by passing the user credentials to ldap bind     http   php net manual en function ldap-bind php  If the account can bind to LDAP  it s valid  if it can t  it s not  If all you re doing is authentication  not account management   I don t see the need for a library

User · Answer

I like the Zend Ldap Class  you can use only this class in your project  without the Zend Framework

User · Answer

I do this simply by passing the user credentials to ldap bind     http   php net manual en function ldap-bind php  If the account can bind to LDAP  it s valid  if it can t  it s not  If all you re doing is authentication  not account management   I don t see the need for a library

User · Answer

PHP has libraries  http   ca php net ldap  PEAR also has a number of packages  http   pear php net search php q ldap amp in packages amp x 0 amp y 0  I haven t used either  but I was going to at one point and they seemed like they should work

User · Answer

PHP has libraries  http   ca php net ldap  PEAR also has a number of packages  http   pear php net search php q ldap amp in packages amp x 0 amp y 0  I haven t used either  but I was going to at one point and they seemed like they should work

User · Answer

PHP has libraries  http   ca php net ldap  PEAR also has a number of packages  http   pear php net search php q ldap amp in packages amp x 0 amp y 0  I haven t used either  but I was going to at one point and they seemed like they should work

User · Answer

I like the Zend Ldap Class  you can use only this class in your project  without the Zend Framework

User · Answer

Importing a whole library seems inefficient when all you need is essentially two lines of code      ldap   ldap connect  ldap example com    if   bind   ldap bind  ldap    POST  username      POST  password            log them in    else        error message

User · Answer

I like the Zend Ldap Class  you can use only this class in your project  without the Zend Framework

[php] Authenticating in PHP using LDAP through Active Directory

Examples related to php

Examples related to authentication

Examples related to active-directory

Examples related to ldap