{"id":6418,"date":"2020-05-08T17:30:00","date_gmt":"2020-05-08T22:30:00","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=6418"},"modified":"2020-05-11T11:12:01","modified_gmt":"2020-05-11T16:12:01","slug":"ldap-authentication-php-and-active-directory","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=6418","title":{"rendered":"LDAP Authentication: PHP and Active Directory"},"content":{"rendered":"\n

This is a very brief function that authenticates a user against Active Directory. Because you can authenticate using a fully qualified DN, sAMAccountName, or userPrincipalName … there’s no need to use a system credential or search for the user provided you’ve got a single domain in your forest (i.e. you know what to prepend to the sAMAccountName or postpend to userPrincipalName). <\/p>\n\n\n\n

If you need to perform authorization as well as authentication, you’ll need the user’s FQDN so use the generic LDAP authentication and authorization function<\/a>. <\/p>\n\n\n

\n<?php\n    error_reporting(0);\n    #=== FUNCTION ==================================================================\n    #      NAME: activeDirectoryLDAPAuthentication\n    #      PARAMETERS: \n    #                    $strLDAPHost                   String  LDAP Server URI\n    #                    $strLogonUserID                String  Input user ID\n    #                    $strLogonUserPassword          String  Input user password\n    #     DESCRIPTION: Verify authentication againt Active Directory server.\n    #     \n    #     RETURNS: int BindReturnCode:    -2 indicates LDAP connection failure, -3 indicates user auth not attempted, >=0 is IANA-registered resultCode values (https:\/\/www.iana.org\/assignments\/ldap-parameters\/ldap-parameters.xml#ldap-parameters-6)\n    #\t\t\t\t\t\t\tNOTE: 0 is successful authentication in IANA-registered resultCode\n    #\n    #     USAGE: $iBindResult = activeDirectoryLDAPAuthentication("ldaps:\/\/ad.example.com", $strInputUserName, $strInputUserPassword)\n    #===============================================================================\n    function activeDirectoryLDAPAuthentication($strLDAPHost, $strLogonUserID, $strLogonUserPassword){\n        $iBindReturnCode = null;\n        \/\/ Validate password is not null, otherwise directory servers implementing unauthenticated bind (https:\/\/tools.ietf.org\/html\/rfc4513#section-5.1.2) will return 0 on auth attempts with null password\n        if( strlen($strLogonUserPassword) < 1){\n            $iBindReturnCode = -1;\n        }\n        else{\n            $userDS = ldap_connect($strLDAPHost);\n            if($userDS){\n                ldap_set_option($userDS, LDAP_OPT_PROTOCOL_VERSION, 3);\n\n                $userBind = ldap_bind($userDS, $strLogonUserID . '@example.com', $strLogonUserPassword);\n                $iBindReturnCode = ldap_errno($userDS);\n                ldap_close($userDS);\n            }\n            \/\/ ldap connection failed\n            else{\n                $iBindReturnCode = -2;              \n            }        \n        }\n        return $iBindReturnCode;\n    }\n\n    $iBadUser = activeDirectoryLDAPAuthentication("ldaps:\/\/ad.example.com", "xe0012345", 'N0tTh3P@s5w0rd');\n    print "\\nInvalid user: $iBadUser\\n";\n\n    $iUserAuthenticated = activeDirectoryLDAPAuthentication("ldaps:\/\/ad.example.com", "e012345", 'Go0dP@s5w0rdH3r3');\n    print "\\nGood password: $iUserAuthenticated\\n";\n\n    $iBadPassword = activeDirectoryLDAPAuthentication("ldaps:\/\/ad.example.com", "e0012345", 'N0tTh3P@s5w0rd');\n    print "\\nBad password: $iBadPassword\\n";\n\n    $iBadHost = activeDirectoryLDAPAuthentication("ldaps:\/\/abc.example.com", "e0012345", 'N0tTh3P@s5w0rd');\n    print "\\nBad host: $iBadHost\\n";\n\n?>\n\n\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"
This is a very brief function that authenticates a user against Active Directory. Because you can authenticate using a fully qualified DN, sAMAccountName, or userPrincipalName … there’s no need to use a system credential or search for the user provided you’ve got a single domain in your forest (i.e. you know what to prepend to …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[68,295,303],"class_list":["post-6418","post","type-post","status-publish","format-standard","hentry","category-coding","tag-active-directory","tag-authentication","tag-ldap"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/6418","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6418"}],"version-history":[{"count":2,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/6418\/revisions"}],"predecessor-version":[{"id":6423,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/6418\/revisions\/6423"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6418"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}