PHP-LDAP Authentication for Single Sign-On

Implementation of LDAP authentication using PHP and the OpenLDAP library, which can be used to authenticate Active Directory users from PHP forms. OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol.

To install ldap extension on Debian

sudo apt-get install php-ldap

and on CentOS

sudo yum install php-ldap

Modify php.ini to add

extension=ldap.so

and restart the httpd service

Refer http://php.net/manual/en/book.ldap.php for more details about installation and configuration.

The ldap_authenticate.php file contains the ldap_authenticate() function

<?php
function ldap_authenticate($username, $userpassword) {
        // Reject empty credentials: an empty password turns ldap_bind() into an
        // anonymous bind, which succeeds without checking the password at all.
        if(empty($username) || empty($userpassword)) return false;
        $ldap_host = "10.10.10.10";
        $ldap_dn = "OU=Users,DC=localdomain,DC=local";
        $ldap_group = "Site Admins";
        $ldap_usr_dom = '@localdomain.local';
        // Plain ldap:// sends the password in the clear; use "ldaps://<host>"
        // or ldap_start_tls() on the link in production.
        $ldap = ldap_connect($ldap_host);
        if(!$ldap) return false;
        ldap_set_option($ldap,LDAP_OPT_PROTOCOL_VERSION,3);
        ldap_set_option($ldap,LDAP_OPT_REFERRALS,0);
        // validate username and password
        if($bind = @ldap_bind($ldap, $username.$ldap_usr_dom, $userpassword)) {
                // escape the username so filter metacharacters in user input
                // cannot change the search (LDAP injection)
                $filter = "(sAMAccountName=".ldap_escape($username, '', LDAP_ESCAPE_FILTER).")";
                $attr = array("memberof");
                $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("LDAP lookup failed");
                $entries = ldap_get_entries($ldap, $result);
                ldap_unbind($ldap);
                // check group permission: the group must be the first RDN of a
                // memberOf DN ("CN=Site Admins,..."), not merely a substring of it
                $access = 0;
                if(isset($entries[0]['memberof'])) {
                        foreach($entries[0]['memberof'] as $key => $grps) {
                                if($key === 'count') continue; // ldap_get_entries() adds a 'count' element
                                if(stripos($grps, 'CN='.$ldap_group.',') === 0) { $access = 1; break; }
                        }
                }

                if($access != 0) {
                        // session variables
                        $_SESSION['user'] = $username;
                        $_SESSION['access'] = $access;
                        return true;
                } else {
                        // no access permission
                        return false;
                }
        } else {
                // bind failed: wrong username or password
                return false;
        }
}
?>
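The two checks that matter most in the function above, the group match and the filter construction, can be exercised without a directory server. The following is an added example, not code from this project; the sample memberOf values are constructed to mirror what ldap_get_entries() returns for an Active Directory user.

```php
<?php
// Added example (not part of the original project): exact-match group check
// and escaped filter construction, both testable offline.

// True only when one memberOf DN has the required group as its first RDN
// ("CN=<group>,..."), so "Site Admins Backup" does not satisfy "Site Admins".
// Comparison is case-insensitive because AD returns "CN=" but LDAP is case-folded.
function in_ldap_group(array $memberof, string $group): bool {
    $want = 'cn=' . strtolower($group) . ',';
    foreach ($memberof as $key => $dn) {
        if ($key === 'count' || !is_string($dn)) continue; // skip the 'count' element
        if (strpos(strtolower($dn), $want) === 0) return true;
    }
    return false;
}

// Build the sAMAccountName filter with the username escaped, so filter
// metacharacters typed into the login field cannot alter the query.
function build_user_filter(string $username): string {
    return '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Constructed sample in the shape ldap_get_entries() produces for 'memberof'.
$memberof = [
    'count' => 2,
    0 => 'CN=Site Admins Backup,OU=Groups,DC=localdomain,DC=local',
    1 => 'CN=Domain Users,CN=Users,DC=localdomain,DC=local',
];
var_dump(in_ldap_group($memberof, 'Site Admins'));   // similar-named group is not enough

$memberof[2] = 'CN=Site Admins,OU=Groups,DC=localdomain,DC=local';
$memberof['count'] = 3;
var_dump(in_ldap_group($memberof, 'Site Admins'));   // real membership is accepted

echo build_user_filter('jdoe'), "\n";                 // plain name passes through unchanged
echo build_user_filter('j*doe'), "\n";                // the wildcard is escaped, not interpreted
```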

Login.php (with CSS for styling the login form)

<?php
session_start();
include("ldap_authenticate.php");
// If user is logging out
if(isset($_GET['out'])) {
        session_unset();
        $_SESSION = array();
        session_destroy();
}
// If login form is submitted
if(isset($_POST['userLogin'], $_POST['userPassword'])){
        if(ldap_authenticate($_POST['userLogin'],$_POST['userPassword']))
        {
                // if authentication succeeded navigate to destination.php
                header("Location: destination.php");
                die();
        } else {
                // authentication failed
                $error = 1;
        }
}
if(isset($error)) echo "Login failed: Incorrect username, password, or permissions<br />";
if(isset($_GET['out'])) echo "Logout successful";
?>

<link href='https://fonts.googleapis.com/css?family=Open+Sans:700,600' rel='stylesheet' type='text/css'>
<form method="post" action="login.php">
<div class="box">
  <style>
  body{
  font-family: 'Open Sans', sans-serif;
  background:#f9f9f9;
  margin: 0 auto 0 auto;
  width:100%;
  text-align:center;
  margin: 20px 0px 20px 0px;
}
p{
  font-size:12px;
  text-decoration: none;
  color:#ffffff;
}
h1{
  font-size:1.5em;
  color:#525252;
}
.box{
  background:white;
  width:300px;
  border-radius:6px;
  margin: 0 auto 0 auto;
  border: #2980b9 4px solid;
}
.username{
  background:#ecf0f1;
  border: #ccc 1px solid;
  border-bottom: #ccc 2px solid;
  padding: 8px;
  width:250px;
  color:#AAAAAA;
  margin-top:10px;
  font-size:1em;
  border-radius:4px;
}
.btn{
  background:#2ecc71;
  width:125px;
  padding-top:5px;
  padding-bottom:5px;
  color:white;
  border-radius:4px;
  border: #27ae60 1px solid;
  margin-top:20px;
  margin-bottom:20px;
  margin-left:16px;
  font-weight:800;
  font-size:0.8em;
}

.btn:hover{
  background:#2CC06B;
}

</style>
<h1>AD-Login</h1>
<input type="text" name="userLogin"   class="username" autofocus />
<input type="password" name="userPassword"   class="username" />
<input type="submit" name="submit" value="Submit" class="btn" />
</div> <!-- End Box -->
</form>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.0/jquery.min.js" type="text/javascript"></script>