Using PHP and LDAP to authenticate under Windows and UNIX

Source: Internet
Author: User
Tags: ldap, ldap host, ssl certificate

My current boss asked me to provide a standard authentication method for web services within the enterprise. One of the main problems I encountered was that our company used two main platforms, Unix and Windows. My first idea was not very successful: it would have required every employee to give up using UNIX or Linux.

I think the best way to solve the Unix/Windows problem is to take advantage of PHP's LDAP functions. Since I was asked to use an existing system, the LDAP source is mainly a large Microsoft Exchange server. I am very happy with Exchange: it is reliable, and using and configuring its LDAP features is extremely straightforward. Note, however, that this setup is not the most secure form of authentication. If you need stronger security, I strongly recommend using LDAP over SSL.

Where to start learning
To get you started, I give a list of the PHP LDAP functions with a brief description of what each one does. I then show how to connect to the LDAP server and authenticate a user. To keep the code simple, I demonstrate how PHP connects and binds to the LDAP server.

A pair: PHP and LDAP
Here is a list of the functions I use in the examples. More information about them is available on the Internet.

ldap_connect - connects to the LDAP service.
ldap_bind - binds to a specific LDAP directory.
ldap_error - obtains error information from the LDAP server.
ldap_search - starts a search.
ldap_get_entries - gets the entries from a search result.
ldap_close - closes the LDAP connection.

Listing A shows how to use the first function, ldap_connect; a description follows the code.

<?php
// LDAP variables
$ldap['user'] = 'uname';
$ldap['pass'] = 'password';
$ldap['host'] = 'ldap.example.com';
$ldap['port'] = 389;
$ldap['dn']   = 'cn=' . $ldap['user'] . ',ou=department,o=Company Name';
$ldap['base'] = '';

// Connecting to LDAP
$ldap['conn'] = ldap_connect($ldap['host'], $ldap['port'])
    or die("Could not connect to {$ldap['host']}");
?>
A connection to the LDAP server (a resource) is returned. The ldap_connect function takes two parameters, host and port. The first, host, is the LDAP host name; the second is the port the LDAP service listens on. By default, LDAP uses port 389. If you need a secure connection to the LDAP server, you can replace the host parameter with an ldaps:// URL for the server, as follows:

$ldap['conn'] = ldap_connect("ldaps://ldap.example.com");

Because you specify a URL instead of a server name, the port parameter is not needed. One thing to keep in mind is that the host name must exactly match the name on the server's Secure Sockets Layer (SSL) certificate.

<?php
// LDAP variables
$ldap['user'] = 'uname';
$ldap['pass'] = 'password';
$ldap['host'] = 'ldap.example.com';
$ldap['port'] = 389;
$ldap['dn']   = 'cn=' . $ldap['user'] . ',ou=department,o=Company Name';
$ldap['base'] = '';

// Connecting to LDAP
$ldap['conn'] = ldap_connect($ldap['host'], $ldap['port'])
    or die("Could not connect to {$ldap['host']}");

// Binding to LDAP
$ldap['bind'] = ldap_bind($ldap['conn'], $ldap['dn'], $ldap['pass']);

?>
Listing B demonstrates how to bind to the server with a user name and password. I built the appropriate distinguished name (DN) and used the user's password to connect to LDAP legitimately. If the LDAP server accepts the DN and password, it allows the bind and we are bound successfully. The return value of ldap_bind is a boolean, so we can tell from it whether the user's login credentials are valid. When the process finishes, you know whether the user has been authenticated.

What happens if an error occurs? Calling the ldap_error function is a good way to find out what went wrong. ldap_error returns a string describing the last error reported by the LDAP server.

In Listing C:

<?php
// LDAP variables
$ldap['user'] = 'uname';
$ldap['pass'] = 'password';
$ldap['host'] = 'ldap.example.com';
$ldap['port'] = 389;
$ldap['dn']   = 'cn=' . $ldap['user'] . ',ou=department,o=Company Name';
$ldap['base'] = '';

// Connecting to LDAP
$ldap['conn'] = ldap_connect($ldap['host'], $ldap['port'])
    or die("Could not connect to server {$ldap['host']}");

// Binding to LDAP
$ldap['bind'] = ldap_bind($ldap['conn'], $ldap['dn'], $ldap['pass']);

if (!$ldap['bind'])
{
    echo ldap_error($ldap['conn']);
    exit;
}

?>

In Listing C, I added the ldap_error function to the script, and if the bind to the LDAP server is not accepted, the script exits. The function returns a string containing the error message generated by the last command sent to the LDAP server. If the login with the given user name and password did not succeed, the error message will indicate that the user name or password is invalid.

In our last example (Listing D):

<?php
session_start();

// LDAP variables
$ldap['user'] = 'uname';
$ldap['pass'] = 'password';
$ldap['host'] = 'ldap.example.com';
$ldap['port'] = 389;
$ldap['dn']   = 'cn=' . $ldap['user'] . ',ou=department,o=Company Name';
$ldap['base'] = '';   // search base for the directory

// Connecting to LDAP
$ldap['conn'] = ldap_connect($ldap['host'], $ldap['port'])
    or die("Could not connect to server {$ldap['host']}");

// Binding to LDAP
$ldap['bind'] = ldap_bind($ldap['conn'], $ldap['dn'], $ldap['pass']);

if (!$ldap['bind'])
{
    echo ldap_error($ldap['conn']);
    exit;
}

// Search for the user on the LDAP server and return all
// the user's information
$ldap['result'] = ldap_search($ldap['conn'], $ldap['base'], 'uid=' . $ldap['user']);

if ($ldap['result'])
{
    // Retrieve all the entries from the search result
    $ldap['info'] = ldap_get_entries($ldap['conn'], $ldap['result']);
}
else
{
    echo ldap_error($ldap['conn']);
    exit;
}

// ldap_get_entries always returns an array with a 'count' key,
// so check the count rather than the array itself
if ($ldap['info'] && $ldap['info']['count'] > 0)
{
    // Add the user's department name and email address
    // to the session
    $_SESSION['userdept'] = $ldap['info'][0]['department'][0];
    $_SESSION['usermail'] = $ldap['info'][0]['mail'][0];
}
else
{
    echo ldap_error($ldap['conn']);
    exit;
}

// Close connection to LDAP server
ldap_close($ldap['conn']);

?>

In our last example, I also used the last three functions in the list above: ldap_search, ldap_get_entries, and ldap_close.

After calling ldap_bind in Listing D, I searched the server for the information I needed by calling ldap_search. The ldap_search function takes several parameters, but only the first three are used here. I passed the LDAP connection, the search base and the filter, so that the function searches the right part of the directory with the right filter. In short, the filter matches the uid attribute against the user name being searched for. The LDAP server then filters the results and returns only that user's own LDAP entry.

Learning process
When I first started using PHP's LDAP extension, I was puzzled that ldap_search returns only a resource rather than an array or string. Once I learned to use ldap_get_entries to retrieve the actual results of the search, it made sense. One advantage of ldap_get_entries is that it returns the search results as a multidimensional array. In the example I put the search results in an array called $ldap['info'], which may look confusing at first.

Because the search results are in a multidimensional array, I can manipulate the data however I like. I saved the user's department and e-mail address in session variables so that I can use them later in the session.

When all this is done, I use ldap_close to close the connection. The close function frees the connection resource. It also has an alias, ldap_unbind, which is the same function.
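The same connect, bind, search and fetch flow, rewritten as one function and hardened in the ways a practitioner would want before deploying it. This is an added example, not the article's own code: the ldaps:// URI, the search base, the attribute names and the ldap_escape and empty-password checks are assumptions and additions that go beyond the listings above.

```php
<?php
// Added example, not the article's own code: a hardened version of the
// connect -> bind -> search -> fetch flow. URI, base and attribute names
// are assumptions; adjust them for your directory.
function ldap_authenticate(string $user, string $pass, array $cfg): ?array
{
    // An empty password turns the bind into an anonymous/unauthenticated
    // bind on many servers, which must never count as a successful login.
    if ($user === '' || $pass === '') {
        return null;
    }
    // ldaps:// URI: the session is encrypted and the host name must match
    // the server certificate, as the article notes.
    $conn = ldap_connect($cfg['uri']);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Escape the user name for a DN component and for a search filter so
    // characters such as '*', '(' or ',' cannot change their meaning.
    $dn     = 'cn=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . $cfg['base'];
    $filter = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    // ldap_bind returns false on bad credentials; log why and stop.
    if (!@ldap_bind($conn, $dn, $pass)) {
        error_log("LDAP bind failed for $user: " . ldap_error($conn));
        ldap_close($conn);
        return null;
    }
    // Request only the attributes the session needs.
    $result = ldap_search($conn, $cfg['base'], $filter, ['department', 'mail']);
    $info   = $result ? ldap_get_entries($conn, $result) : false;
    ldap_close($conn);
    // ldap_get_entries returns ['count' => 0] for an empty result, which is
    // still a truthy array, so check the count explicitly.
    if ($info === false || $info['count'] !== 1) {
        return null;
    }
    return [
        'userdept' => $info[0]['department'][0] ?? '',
        'usermail' => $info[0]['mail'][0] ?? '',
    ];
}

session_start();
$cfg   = ['uri' => 'ldaps://ldap.example.com', 'base' => 'ou=department,o=Company Name'];
$attrs = ldap_authenticate($_POST['uname'] ?? '', $_POST['password'] ?? '', $cfg);
if ($attrs === null) {
    http_response_code(401);
    exit('Login failed');
}
$_SESSION = array_merge($_SESSION, $attrs);  // store department and mail
```

ldap_escape and its LDAP_ESCAPE_DN / LDAP_ESCAPE_FILTER flags exist from PHP 5.6 onward; the 4th ldap_search argument limits the attributes returned.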

A very good starting point
Although I have used many other functions in the LDAP extension, those listed here are enough to get you started with LDAP authentication. The combination of PHP and LDAP provides a common way for web-based applications to authenticate users. The LDAP server lets an administrator grant access to users, and it can also allow or deny an application's access to the data.

Transferred from: http://www.zxbc.cn/html/20080712/61985.html
