LDAP Authentication using PHP

LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral application protocol for accessing and maintaining directory information services over an IP network, based on a client-server model.[1] An LDAP server can hold a large organization's hierarchical directory tree. For example, in a big company you may want to send an email to the IT support department, which you have never emailed before. An email client such as Microsoft Outlook can find the IT support staff by querying the company's LDAP server. Authentication can likewise be done against an LDAP server instead of against a database. In this post, I will show LDAP authentication using a PHP script.

LDAP Authentication Using a PHP Script

Let's assume the application we are using has an Oracle database to store user and application data, but authentication is done against an LDAP server. The database row for a user holds the user's distinguished name (DN); the script looks that DN up and then authenticates the user by binding to the LDAP server with the DN and the submitted password. We use the following code to authenticate the user.

Note that for the Oracle and LDAP connections, the PHP OCI8 and LDAP extensions must be enabled in the PHP/Apache configuration.

<?php

    ob_start();
    session_start();

    // Store an error message for index.php, redirect there and stop.
    // Every failure path uses the same generic message so the response does not
    // reveal whether the login id exists or which step failed.
    function fail_login($message)
    {
        $_SESSION['ERROR_MESSAGE'] = $message;
        header('Location: ../../index.php');
        exit();
    }

    $login_id = isset($_POST['loginid']) ? trim($_POST['loginid']) : '';
    $password = isset($_POST['password']) ? trim($_POST['password']) : '';

    // Check after trim(): a blank password must never reach ldap_bind(), because
    // most servers treat a bind with an empty password as anonymous and let it succeed.
    if ($login_id === '')
    {
        fail_login('Login Name Field Is Required');
    }
    if ($password === '')
    {
        fail_login('Password Field Is Required');
    }

    $db_user    = getenv("DB_USER");
    $db_pass    = getenv("DB_PASS");
    $db_name    = getenv("DB_NAME");
    $db_charset = getenv("DB_CHARSET");

    $db = oci_connect($db_user, $db_pass, $db_name, $db_charset, OCI_DEFAULT);
    if (!$db)
    {
        // Log the driver message server-side; never show it to the browser.
        $e = oci_error();
        error_log('Oracle connect failed: ' . $e['message']);
        fail_login('Access Denied!');
    }

    // The user-supplied login id goes in as a bind variable, never by string concatenation.
    // USER is a reserved word in Oracle, so the table name here is a placeholder.
    $query = "SELECT LOGINID, DISTINGUISHEDNAME FROM APP_USER WHERE LOGINID = :loginid AND STATUS = 'ACTIVE'";

    $stid = oci_parse($db, $query);
    oci_bind_by_name($stid, ':loginid', $login_id);
    oci_execute($stid);

    // One row when the login id is known and active (LOGINID is unique), otherwise false.
    $row = oci_fetch_array($stid, OCI_ASSOC + OCI_RETURN_NULLS);
    oci_free_statement($stid);
    oci_close($db);

    if ($row === false)
    {
        fail_login('Access Denied!');
    }

    $host     = getenv("LDAP_HOST");  // ex: ldaps://ldap.company.domain
    $ldaptree = getenv("LDAP_TREE");  // ex: DC=company,DC=domain (not needed when the DN comes from the database)
    $ldapdn   = $row['DISTINGUISHEDNAME'];

    $ldapconn = ldap_connect($host);
    if (!$ldapconn)
    {
        fail_login('Access Denied!');
    }

    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ldapconn, LDAP_OPT_NETWORK_TIMEOUT, 100);

    // If the user can bind with their own DN and password, LDAP authentication succeeds.
    $ldapbind = @ldap_bind($ldapconn, $ldapdn, $password);
    ldap_unbind($ldapconn);

    if (!$ldapbind)
    {
        // LDAP authentication failed
        fail_login('Access Denied!');
    }

    // Issue a fresh session id when the session gains privileges (prevents session fixation).
    session_regenerate_id(true);
    $_SESSION['USERID'] = $row['LOGINID'];

    header('Location: ../start_center.php');
    exit();
?>
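As an added example (not code from the original post), here is how I would wrap the bind step so the points a reviewer looks for in this kind of login script are handled in one place: TLS before the password is sent, rejection of blank passwords (which many servers accept as an anonymous or unauthenticated bind), and separating "wrong password" from "server problem" so that operational failures are logged rather than shown as a login error. It goes beyond the post in one respect: the post takes the DN from the Oracle table, while the second function shows looking it up in the directory with a service account, which is the place where a login id coming from the browser must be escaped before it enters a search filter. The function names ldap_open, ldap_authenticate and ldap_lookup_dn, the uid attribute, the AUTH_* codes and the environment variable names are assumptions for illustration.

```php
<?php
// Added example, not the original post's code: a reusable bind-authentication
// helper plus a DN lookup that escapes user input. The URIs, DNs, attribute
// names and getenv() names below are assumptions for illustration.
declare(strict_types=1);

// Outcome codes. The caller should show the same "Access Denied" page for
// AUTH_BAD_CREDS and for an unknown login id, so that valid login ids cannot
// be enumerated from the response.
const AUTH_OK           = 0;
const AUTH_BAD_CREDS    = 1;
const AUTH_SERVER_ERROR = 2;

// Opens a protocol-v3 connection and enforces TLS before any bind.
function ldap_open(string $uri)
{
    $ds = ldap_connect($uri);   // only parses the URI; the socket opens on the first operation
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);       // never chase referrals with the user's password
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Simple bind transmits the password in clear text. ldaps:// is already
    // encrypted; for ldap:// upgrade with StartTLS and refuse to continue otherwise.
    if (stripos($uri, 'ldaps://') !== 0 && !@ldap_start_tls($ds)) {
        ldap_unbind($ds);
        return false;
    }
    return $ds;
}

// Authenticates by binding as the user's own DN.
function ldap_authenticate(string $uri, string $dn, string $password): int
{
    // A blank password must never reach ldap_bind(): RFC 4513 allows a DN
    // with an empty password to succeed as an "unauthenticated" bind.
    if ($dn === '' || trim($password) === '') {
        return AUTH_BAD_CREDS;
    }
    $ds = ldap_open($uri);
    if ($ds === false) {
        return AUTH_SERVER_ERROR;
    }
    if (@ldap_bind($ds, $dn, $password)) {
        ldap_unbind($ds);
        return AUTH_OK;
    }
    // Result code 49 (invalidCredentials) is a user error; anything else
    // (server down, timeout, TLS failure) is operational and worth logging.
    $code = ldap_errno($ds);
    $text = ldap_error($ds);
    ldap_unbind($ds);
    if ($code === 49) {
        return AUTH_BAD_CREDS;
    }
    error_log(sprintf('LDAP bind against %s failed: %d %s', $uri, $code, $text));
    return AUTH_SERVER_ERROR;
}

// Finds the DN for a login id using a read-only service account. The login id
// comes from the browser, so it is escaped for use inside a search filter;
// without ldap_escape() filter metacharacters in the input would change the query.
function ldap_lookup_dn(string $uri, string $svcDn, string $svcPw, string $baseDn, string $loginId): ?string
{
    $ds = ldap_open($uri);
    if ($ds === false) {
        return null;
    }
    if (!@ldap_bind($ds, $svcDn, $svcPw)) {
        ldap_unbind($ds);
        return null;
    }
    $filter = '(&(objectClass=person)(uid=' . ldap_escape($loginId, '', LDAP_ESCAPE_FILTER) . '))';
    $res = @ldap_search($ds, $baseDn, $filter, ['dn']);
    $dn  = null;
    // Exactly one match is required; zero or several means "unknown user".
    if ($res !== false && ldap_count_entries($ds, $res) === 1) {
        $dn = ldap_get_entries($ds, $res)[0]['dn'];
    }
    ldap_unbind($ds);
    return $dn;
}

// Usage with placeholder values (LDAP_URI, LDAP_SVC_DN, LDAP_SVC_PW and LDAP_BASE
// are assumed environment variables, not the post's):
// $dn = ldap_lookup_dn(getenv('LDAP_URI'), getenv('LDAP_SVC_DN'), getenv('LDAP_SVC_PW'),
//                      getenv('LDAP_BASE'), $_POST['loginid'] ?? '');
// $status = ($dn === null) ? AUTH_BAD_CREDS
//                          : ldap_authenticate(getenv('LDAP_URI'), $dn, $_POST['password'] ?? '');
```

The caller maps AUTH_OK to the session setup (including session_regenerate_id) and both other codes to the same "Access Denied" page, logging only AUTH_SERVER_ERROR; keeping the user-facing message identical for an unknown login id and a wrong password is what stops the login form from doubling as a user-enumeration oracle.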

References:

1. "Lightweight Directory Access Protocol", Wikipedia, retrieved on 21.05.2015 from http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol