PHP-LDAP Authentication for Single Sign-On
Implementation of LDAP-Authentication using php and OpenLDAP library which can be used for authentication of Active directory users in php forms. OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.
To install ldap extension on Debian
sudo apt-get install php-ldap
and on Centos
sudo yum install php-ldap
Modify php.ini to add
extension=ldap.so
and restart the httpd service
Refer http://php.net/manual/en/book.ldap.php for more details about installation and configuration.
ldap_authenticate.php file contains ldap_authenticate() function
<?php
function ldap_authenticate($username, $userpassword) {
if(empty($usernamename) || empty($userpassword)) return false;
$ldap_host = "10.10.10.10";
$ldap_dn = "OU=Users,DC=localdomain,DC=local";
$ldap_group = "Site Admins";
$ldap_usr_dom = '@localdomain.local';
$ldap = ldap_connect($ldap_host);
ldap_set_option($ldap,LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($ldap,LDAP_OPT_REFERRALS,0);
// validate username and password
if($bind = @ldap_bind($ldap, $username.$ldap_usr_dom, $userpassword)) {
$filter = "(sAMAccountName=".$username.")";
$attr = array("memberof");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("LDAP lookup failed");
$entries = ldap_get_entries($ldap, $result);
ldap_unbind($ldap);
// check group permission
foreach($entries[0]['memberof'] as $grps) {
if(strpos($grps, $ldap_group)) { $access = 1; break; }
}
if($access != 0) {
// session variables
$_SESSION['user'] = $username;
$_SESSION['access'] = $access;
return true;
} else {
// no access permission
return false;
}
} else { return false; }
}
?>
Login.php ( with CSS for styling the login form)
<?php
session_start();
include("ldap_authenticate.php");
// If user logging out
if(isset($_GET['out'])) {
session_unset();
$_SESSION = array();
unset($_SESSION['user'],$_SESSION['access']);
session_destroy();
}
// If login form is submitted
if(isset($_POST['userLogin'])){
if(ldap_authenticate($_POST['userLogin'],$_POST['userPassword']))
{
// if authentication succeded navigate to destination.php
header("Location: destination.php");
die();
} else {
// authentication failed
$error = 1;
}
}
if(isset($error)) echo "Login failed: Incorrect userame, password, or permissions<br />";
if(isset($_GET['out'])) echo "Logout successful";
?>
<link href='https://fonts.googleapis.com/css?family=Open+Sans:700,600' rel='stylesheet' type='text/css'>
<form method="post" action="login.php">
<div class="box">
<style>
body{
font-family: 'Open Sans', sans-serif;
background:#f9f9f9;
margin: 0 auto 0 auto;
width:100%;
text-align:center;
margin: 20px 0px 20px 0px;
}
p{
font-size:12px;
text-decoration: none;
color:#ffffff;
}
h1{
font-size:1.5em;
color:#525252;
}
.box{
background:white;
width:300px;
border-radius:6px;
margin: 0 auto 0 auto;
border: #2980b9 4px solid;
}
.username{
background:#ecf0f1;
border: #ccc 1px solid;
border-bottom: #ccc 2px solid;
padding: 8px;
width:250px;
color:#AAAAAA;
margin-top:10px;
font-size:1em;
border-radius:4px;
}
.btn{
background:#2ecc71;
width:125px;
padding-top:5px;
padding-bottom:5px;
color:white;
border-radius:4px;
border: #27ae60 1px solid;
margin-top:20px;
margin-bottom:20px;
float:center;
margin-left:16px;
font-weight:800;
font-size:0.8em;
}
.btn:hover{
background:#2CC06B;
}
</style>
<h1>AD-Login</h1>
<input type="text" name="userLogin" class="username" autofocus />
<input type="password" name="userPassword" class="username" />
<input type="submit" name="submit" value="Submit" class="btn" />
</div> <!-- End Box -->
</form>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js" type="text/javascript"></script>
