Auth_Container_LDAP
LDAP Container
This storage container makes use of the ldap extension to load user data from an LDAP server.
The storage-specific argument for the Auth constructor() is an array of options.
Option | Data Type | Default value | Description |
---|---|---|---|
"host" | string | "localhost" | The host name or IP-adress to access |
"port" | integer | 389 | The port of the LDAP server to access |
"url" | string | " | A fully qualified URL for specifying the protocol, url and port to connect to. It is useful for specifying ldaps://. Takes precedence over "host" and "port" options. Only works if PHP has been compiled against OpenLDAP 2+ libraries. |
"version" | integer | 2 | LDAP version to use, usually 2 (default) or 3, must be an integer! |
"referrals" | boolean | TRUE | If set, determines whether the LDAP library automatically follows referrals returned by LDAP servers or not. |
"binddn" | string | " | If set, searching for user will be done after binding as this user, if not set the bind will be anonymous. This is reported to make the container work with MS Active Directory, but should work with any server that is configured this way. This has to be a complete dn for now (basedn and userdn will not be appended). |
"bindpw" | string | " | The password to use for binding with binddn. |
"basedn" | string | " | The base DN of your server. |
"userdn" | string | " | Gets prepended to basedn when searching for users. |
"userscope" | string | "sub" | Scope for user searching: one, sub (default), or base. |
"userattr" | string | "uid" | Defines the attribute to search for. |
"userfilter" | string | "(objectClass=posixAccount)" | Filter that will be added to the search filter this way: (&(userattr=username)(userfilter)). |
"attributes" | array | array('') | Array of additional attributes to fetch from entry. These will added to auth data and can be retrieved via Auth::getAuthData() . An empty array will fetch all attributes, array('') will fetch no attributes at all (default). If you add 'dn' as a value to this array, the user's DN that was used for binding will be added to auth data as well. |
"attrformat" | string | "AUTH" |
The returned format of the additional data defined in the 'attributes' option. Two formats are available. LDAP returns data formatted in a multidimensional array where each array starts with a 'count' element providing the number of attributes in the entry, or the number of values for attributes. When set to this format, the only way to retrieve data from the Auth object is by calling getAuthData('attributes'). This was the default format before version 1.3.0. AUTH returns data formatted in a structure more compliant with other Auth Containers, where each attribute element can be directly called by getAuthData() method from Auth. This became the default as of 1.3.0. |
"groupdn" | string | " | Gets prepended to basedn when searching for group. |
"groupattr" | string | "cn" | The group attribute to search for. |
"groupfilter" | string | "(objectClass=groupOfUniqueNames)" | Filter that will be added to the search filter when searching for a group: (&(groupattr=group)(memberattr=username)(groupfilter)). |
"memberattr" | string | "uniqueMember" | The attribute of the group object where the user dn may be found. |
"memberisdn" | boolean | TRUE | Whether the memberattr is the dn of the user (default) or the value of userattr (usually uid). |
"group" | string | " | The name of the group users have to be a member of to authenticate successfully. |
"groupscope" | string | "sub" | Scope for group searching: one, sub (default), or base. |
"start_tls" | boolean | "false" | Enable/disable the use of START_TLS encrypted connection. |
"try_all" | boolean | FALSE | If multiple entries are returned by the search attempt to authenticate against each entry in order or just the first one (default). |
"debug" | boolean | FALSE | Enable debug output. |
Authenticating against a LDAP server
<?php
$a1 = new Auth("LDAP", array(
'host' => 'localhost',
'port' => '389',
'version' => 3,
'basedn' => 'o=netsols,c=de',
'userattr' => 'uid',
'binddn' => 'cn=admin,o=netsols,c=de',
'bindpw' => 'password'
));
?>
Requiring users to be within specific groups
<?php
$a2 = new Auth('LDAP', array(
'url' => 'ldaps://ldap.netsols.de',
'basedn' => 'o=netsols,c=de',
'userscope' => 'one',
'userdn' => 'ou=People',
'groupdn' => 'ou=Groups',
'groupfilter' => '(objectClass=posixGroup)',
'memberattr' => 'memberUid',
'memberisdn' => false,
'group' => 'admin'
));
?>
Authenticating against a Microsoft Active Directory server
<?php
$a3 = new Auth('LDAP', array(
'host' => 'ldap.netsols.de',
'port' => 389,
'version' => 3,
'referrals' => false,
'basedn' => 'dc=netsols,dc=de',
'binddn' => 'cn=Jan Wagner,cn=Users,dc=netsols,dc=de',
'bindpw' => 'password',
'userattr' => 'samAccountName',
'userfilter' => '(objectClass=user)',
'attributes' => array(''),
'group' => 'testing',
'groupattr' => 'samAccountName',
'groupfilter' => '(objectClass=group)',
'memberattr' => 'member',
'memberisdn' => true,
'groupdn' => 'cn=Users',
'groupscope' => 'one',
));
?>
When talking to a Microsoft ActiveDirectory server you have to use 'samaccountname' as the 'userattr' and follow special rules to translate the ActiveDirectory directory names into 'basedn'. The 'basedn' for the default 'Users' folder on an ActiveDirectory server for the ActiveDirectory Domain (which is not related to its DNS name) "win2000.example.org" would be: "CN=Users, DC=win2000, DC=example, DC=org" where every component of the domain name becomes a DC attribute of its own. If you want to use a custom users folder you have to replace "CN=Users" with a sequence of "OU" attributes that specify the path to your custom folder in reverse order. So the ActiveDirectory folder "win2000.example.org\Custom\Accounts" would become "OU=Accounts, OU=Custom, DC=win2000, DC=example, DC=org"
It seems that binding anonymously to an Active Directory is not allowed, so you have to set binddn and bindpw for user searching.
LDAP Referrals need to be set to false for AD to work sometimes.
Note also that if you want an encrypted connection to an MS LDAP server, then, on your webserver, you must specify "TLS_REQCERT never" in /etc/ldap/ldap.conf or in the webserver user's ~/.ldaprc (which may or may not be read depending on your configuration).