Authenticate against Active Directory using PHP

PHP is a popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world.

We will create a web page that authenticates against Microsoft Active Directory. We will use PHP's error reporting and sessions. We will also create a function called authenticate, which draws the default "unauthorized" screen. If the login information is correct, we draw the "login success" screen instead.

The first step is calling two PHP functions, error_reporting and session_start. The function session_start starts a PHP session, identified by a session cookie, in which the login information will be kept.


Next, we create a function called authenticate, which sends the default "unauthorized" response whenever no login session is set or the user information is not correct.

<?php
error_reporting(1);   // 1 == E_ERROR: only fatal errors are reported
session_start();

function authenticate()
{
    header( 'WWW-Authenticate: Basic realm="Active Directory Login"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    echo 'Sorry, incorrect username and / or password.';
    // $_SERVER['PHP_SELF'] comes from the request path, so escape it before putting it in HTML
    echo '<br><br><a href="' . htmlspecialchars( $_SERVER['PHP_SELF'] ) . '?logout=1">Click here to try again.</a>';
    exit;
}

Next, we check whether credentials were supplied and whether the user asked to log out. If no credentials have been sent yet, or a logout was requested while a login session exists, we clear the session state and call authenticate again.

if ( !isset( $_SERVER['PHP_AUTH_USER'] ) ||
     ( isset( $_GET['logout'] ) && $_GET['logout'] == 1 &&
       isset( $_SESSION['user'] ) && isset( $_SESSION['domain'] ) ) )
{
    // no credentials offered yet, or an explicit logout: drop the session and prompt again
    session_unset();
    authenticate();
}
else
{
    // the Active Directory lookup in the following listings goes here
    ...
}


Now that we have those things out of the way, we can get to the real work! In the else part of the if statement above, we create session variables, create LDAP variables, authenticate with Active Directory, and get the user's information from Active Directory.

The first part sets the session variables and the LDAP server variables. Next, we set an error variable and check whether we can connect to either domain controller (in this case there are two) using $BIND_username and $BIND_password. Then we look up the supplied account name in the directory and bind as that account with the supplied password:

    $_SESSION["domain"] = $domain = 'MYDOMAIN';
    $_SESSION["user"] = strtoupper( $_SERVER["PHP_AUTH_USER"] );
    // nothing below reads this entry; keeping the plaintext password out of the session store is safer
    $_SESSION["password"] = $_SERVER["PHP_AUTH_PW"];

    $LDAPServerAddress1 = "192.168.1.xxx";
    $LDAPServerAddress2 = "192.168.1.xxx";
    $LDAPServerPort = 389;
    $LDAPServerTimeOut = 60;
    $LDAPContainer = "dc=mydomain,dc=com";
    $BIND_username = "mydomainauthaccountuser";
    $BIND_password = "authaccountpass";
    // escape the user-supplied name so it cannot change the meaning of the search filter
    $filter = "(sAMAccountName=" . ldap_escape( $_SESSION["user"], '', LDAP_ESCAPE_FILTER ) . ")";

    $login_error_code = 0;

    // ldap_connect() only prepares a handle and does not contact the server, so the
    // second address is only reached if the first one is syntactically invalid
    if ( ( $ds = ldap_connect( $LDAPServerAddress1, $LDAPServerPort ) ) ||
         ( $ds = ldap_connect( $LDAPServerAddress2, $LDAPServerPort ) ) )
    {
        ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );
        ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
        ldap_set_option( $ds, LDAP_OPT_NETWORK_TIMEOUT, $LDAPServerTimeOut );
        // bind with the lookup account first
        if ( $r = ldap_bind( $ds, $BIND_username, $BIND_password ) )
        {
            if ( $sr = ldap_search( $ds, $LDAPContainer, $filter, array( 'distinguishedName' ) ) )
            {
                // exactly one entry should match the account name; an empty result is still a non-empty array
                if ( ( $info = ldap_get_entries( $ds, $sr ) ) && $info["count"] == 1 )
                {
                    $BIND_username = $info[0]['distinguishedname'][0];
                    $BIND_password = $_SERVER["PHP_AUTH_PW"];
                    // an empty password would be an unauthenticated (anonymous) bind, which AD
                    // accepts, so it must be rejected before the bind
                    if ( $BIND_password !== '' && ( $r2 = ldap_bind( $ds, $BIND_username, $BIND_password ) ) )
                    {
        ...

Next, once the user's own bind has succeeded, we read the user's attributes (given name, surname, e-mail, display name) from the domain controller and store them in session variables. Finally, if there were errors, we call the function authenticate, which shows the default "unauthorized" page; if there were no errors, we display the authenticated user screen.

    if ( $sr2 = ldap_search( $ds, $LDAPContainer, $filter, array( "givenName", "sn", "mail", "displayName" ) ) )
    {
        if ( ( $info2 = ldap_get_entries( $ds, $sr2 ) ) && $info2["count"] == 1 )
        {
            $_SESSION["name"] = $info2[0]["givenname"][0] . " " . $info2[0]["sn"][0];
            // mail is optional in AD, so guard against a missing attribute
            $_SESSION["email"] = isset( $info2[0]["mail"][0] ) ? $info2[0]["mail"][0] : '';
            $_SESSION["displayname"] = $info2[0]["displayname"][0];
        }
    ...
    ...
    if ( $login_error_code > 0 )
    {
        authenticate();
    }
    else
    {
        // directory attributes are untrusted input for HTML output; escape them before echoing
        echo 'Welcome ' . htmlspecialchars( $_SESSION["displayname"] );
        echo '<br><br><a href="' . htmlspecialchars( $_SERVER['PHP_SELF'] ) . '?logout=1">Click here</a> to logout and try again.';
    }
    ...
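Putting the listings above together, here is a complete version of the same flow (lookup bind, search by sAMAccountName, bind as the user, store the profile, draw the welcome screen) as an added example; it is not the article's own code. The domain controller names, base DN, service account, password and session keys are placeholders assumed for illustration. It differs from the article's fragments in the points a reviewer would raise: the filter is built with ldap_escape, an empty password is refused before it can become an anonymous bind, the plaintext port-389 connection is upgraded with StartTLS before any password is sent, failover to the second domain controller is decided on the bind result rather than on ldap_connect (which never contacts the server), the password is never copied into the session, the session id is regenerated after login, and PHP_SELF and directory attributes are escaped before being written into HTML.

```php
<?php
// Added example, not the article's code. Hostnames, base DN, service account and
// session keys below are placeholders (assumed), not values from the article.
error_reporting(E_ALL);
session_start();

$domainControllers = array('dc1.mydomain.example', 'dc2.mydomain.example'); // placeholders
$ldapPort          = 389;
$baseDn            = 'dc=mydomain,dc=com';
$serviceAccount    = 'MYDOMAIN\\svc-ldap-lookup';  // placeholder read-only lookup account
$servicePassword   = 'change-me';                  // placeholder: load from config, not source

// Draw the "unauthorized" screen and stop. PHP_SELF is derived from the request path,
// so it is escaped before being written into HTML.
function authenticate()
{
    header('WWW-Authenticate: Basic realm="Active Directory Login"');
    header('HTTP/1.0 401 Unauthorized');
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    echo 'Sorry, incorrect username and / or password.';
    echo '<br><br><a href="' . $self . '?logout=1">Click here to try again.</a>';
    exit;
}

// Look the account up with the service bind, then bind as the user to check the password.
// Returns the profile attributes on success, or null on any failure.
function adLogin(array $servers, $port, $baseDn, $svcUser, $svcPw, $user, $password)
{
    // Reject an empty password before ldap_bind sees it: "DN + empty password" is an
    // unauthenticated bind, which Active Directory accepts by default.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    // ldap_escape keeps the filter metacharacters ( ) * \ NUL out of the query.
    $filter = '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $attrs  = array('distinguishedName', 'givenName', 'sn', 'mail', 'displayName');

    foreach ($servers as $host) {
        // ldap_connect only parses the URI; reachability is only known at bind time,
        // so failover to the next controller is decided on the bind result.
        $ds = ldap_connect($host, $port);
        if (!$ds) {
            continue;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
        // Port 389 is plaintext; StartTLS upgrades the connection before a password is sent.
        if (!@ldap_start_tls($ds) || !@ldap_bind($ds, $svcUser, $svcPw)) {
            ldap_unbind($ds);
            continue;   // this controller is down or misconfigured: try the next one
        }
        $sr   = ldap_search($ds, $baseDn, $filter, $attrs);
        $info = $sr ? ldap_get_entries($ds, $sr) : false;
        // Exactly one entry must match; zero or several means no login.
        if (!$info || $info['count'] !== 1) {
            ldap_unbind($ds);
            return null;
        }
        $entry = $info[0];
        $ok = @ldap_bind($ds, $entry['distinguishedname'][0], $password);  // the real credential check
        ldap_unbind($ds);
        if (!$ok) {
            return null;
        }
        $attr = function ($name) use ($entry) {
            return isset($entry[$name][0]) ? $entry[$name][0] : '';   // attribute may be absent
        };
        return array(
            'name'        => trim($attr('givenname') . ' ' . $attr('sn')),
            'email'       => $attr('mail'),
            'displayname' => $attr('displayname') !== '' ? $attr('displayname') : $user,
        );
    }
    return null;   // no domain controller could be reached
}

// No credentials offered yet, or an explicit logout of an existing session: prompt again.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    || (isset($_GET['logout']) && isset($_SESSION['user']))) {
    session_unset();
    authenticate();
}

$profile = adLogin($domainControllers, $ldapPort, $baseDn, $serviceAccount, $servicePassword,
                   $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if ($profile === null) {
    authenticate();
}

// A fresh session id after login blocks session fixation; the password is never stored.
session_regenerate_id(true);
$_SESSION['user']        = strtoupper($_SERVER['PHP_AUTH_USER']);
$_SESSION['name']        = $profile['name'];
$_SESSION['email']       = $profile['email'];
$_SESSION['displayname'] = $profile['displayname'];

// Directory attributes are untrusted for HTML output too: escape them.
echo 'Welcome ' . htmlspecialchars($_SESSION['displayname'], ENT_QUOTES, 'UTF-8');
echo '<br><br><a href="' . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')
   . '?logout=1">Click here</a> to logout and try again.';
```

ldap_start_tls only succeeds when the PHP host trusts the domain controller's certificate (the CA set through the OpenLDAP client configuration, for example TLS_CACERT in ldap.conf), so a controller that fails the TLS upgrade is skipped rather than used in the clear. The logout guard keeps the article's behaviour: after the 401 the browser re-prompts and re-sends the same URL, and because the session was cleared the second request no longer matches the logout condition.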