user5439343

How to perform LDAP bind given email and password in PHP?

I am working on an application that uses LDAP for authentication. Currently I can authenticate users using uid and password. I'm testing with the online LDAP test server (http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/#comment-5882).

This is my code:

<?php
$ldapConn = ldap_connect('ldap.forumsys.com');

ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConn, LDAP_OPT_REFERRALS, 0);

//sample path for authentication: bind as the user to verify the password
if (!ldap_bind($ldapConn, 'uid=riemann,dc=example,dc=com', 'password')) {
    die('bind failed: ' . ldap_error($ldapConn));
}

//example path for searching: read the bound user's own entry
$search = ldap_search($ldapConn, "uid=riemann,dc=example,dc=com", "(cn=*)");
$searchData = ldap_get_entries($ldapConn, $search);

print_r($searchData);
ldap_close($ldapConn);

The code searches users and authenticates them using the uid attribute, but now I want to authenticate users given their e-mail address.

Upvotes: 1

Views: 11171

Answers (2)

Zoran Regvart

Reputation: 4690

Typically, your LDAP server would either allow anonymous access for searching, or you would bind (authenticate) against the LDAP server to perform the search, and then bind again with the DN of the found user and their password to check the password.

In your code you're doing the latter without the bind with the user DN to check his/her password. If the LDAP server does allow anonymous search, then the first ldap_bind can be skipped.

In short, without proper error handling and using the online LDAP test server:

if (ldap_bind($ldapConn, 'cn=read-only-admin,dc=example,dc=com', 'password')) {
    // search the LDAP tree from dc=example,dc=com looking for entries with the
    // specified mail attribute, returning only the dn and limiting the search
    // to 1 result; ldap_escape() stops a crafted $mail from rewriting the filter
    $filter = '(mail=' . ldap_escape($mail, '', LDAP_ESCAPE_FILTER) . ')';
    $result = ldap_search($ldapConn, 'dc=example,dc=com', $filter, array('dn'), 0, 1);
    $entries = ldap_get_entries($ldapConn, $result);
    // exactly one entry must match, and $password must be non-empty: an empty
    // password turns ldap_bind() into an anonymous bind that succeeds
    if ($entries['count'] == 1 && $password !== '') {
        if (ldap_bind($ldapConn, $entries[0]['dn'], $password)) {
            // user with mail $mail is checked with password $password
        }
    }
}
ldap_close($ldapConn);

Do not forget to check the given $mail for proper e-mail syntax, as you can suffer from a security problem: LDAP injection.

Upvotes: 3

Rameez Rami

Reputation: 5728

First: credit goes to @Zoran Regvart. The problem was that there are only 4 parameters in the ldap_search() function; check $entries['count'] > 0.

$ldapConn = ldap_connect('ldap.forumsys.com');
ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConn, LDAP_OPT_REFERRALS, 0);
$password = 'password';
$mail = '[email protected]';
if (ldap_bind($ldapConn, 'cn=read-only-admin,dc=example,dc=com', 'password')) {
    // return only the dn; escape $mail so it cannot alter the filter (LDAP injection)
    $arr = array('dn');
    $filter = '(mail=' . ldap_escape($mail, '', LDAP_ESCAPE_FILTER) . ')';
    $result = ldap_search($ldapConn, 'dc=example,dc=com', $filter, $arr);
    $entries = ldap_get_entries($ldapConn, $result);
    echo "<br><hr>";
    print_r($entries);
    // an empty $password would make ldap_bind() an anonymous bind that succeeds
    if ($entries['count'] > 0 && $password !== '') {
        if (ldap_bind($ldapConn, $entries[0]['dn'], $password)) {
            // user with mail $mail is checked with password $password
            echo 'user auth success';
        } else {
            echo 'user auth failed';
        }
    }
}
ldap_close($ldapConn);

Upvotes: 2
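Both answers above describe the same search-then-bind procedure (bind with a read-only account, find the entry whose mail attribute matches, then bind again as that entry with the supplied password). The following is an added example that is not code from either answer: one complete function that also handles the points a practitioner has to get right, namely ldap_escape() on the filter value (the LDAP injection the first answer warns about), refusing an empty password (ldap_bind() with an empty password is an unauthenticated bind that most servers accept, so it would log in any known e-mail), insisting on exactly one matching entry, and always releasing the connection. The host, base DN and read-only account mirror the forumsys test server used in the question; they, the constant names, the function name and the e-mail/password in the usage lines are placeholders to replace.

```php
<?php
// Added example, not code from either answer: authenticate a user by e-mail
// with the search-then-bind pattern. Host, DNs and passwords are placeholders
// mirroring the forumsys test server used in the question; replace them.
declare(strict_types=1);

const LDAP_URI        = 'ldap://ldap.forumsys.com';
const LDAP_BASE_DN    = 'dc=example,dc=com';
const LDAP_SERVICE_DN = 'cn=read-only-admin,dc=example,dc=com';
const LDAP_SERVICE_PW = 'password';   // read-only search account, never a user

/**
 * Returns the authenticated user's DN, or null on any failure.
 * Every failure path returns the same null so the caller cannot be used
 * to tell "unknown e-mail" from "wrong password" (no account enumeration).
 */
function ldapAuthenticateByMail(string $mail, string $password): ?string
{
    // An empty password makes ldap_bind() do an unauthenticated (anonymous)
    // bind, which most servers accept: without this check any known e-mail
    // logs in with a blank password.
    if ($password === '' || filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // In production the two binds below carry passwords in clear text unless
    // the connection is protected; enable STARTTLS (or use an ldaps:// URI):
    // if (!ldap_start_tls($conn)) { ldap_unbind($conn); return null; }

    try {
        // Service-account bind so we are allowed to search for the user.
        if (!@ldap_bind($conn, LDAP_SERVICE_DN, LDAP_SERVICE_PW)) {
            error_log('LDAP service bind failed: ' . ldap_error($conn));
            return null;
        }

        // Escape for the *filter* context: '*', '(', ')', '\' and NUL in $mail
        // can no longer change the query (LDAP injection).
        $filter = '(mail=' . ldap_escape($mail, '', LDAP_ESCAPE_FILTER) . ')';

        // '1.1' requests no attributes (we only need the DN). Size limit 2:
        // one hit is the user, two hits means the address is ambiguous.
        $result = @ldap_search($conn, LDAP_BASE_DN, $filter, ['1.1'], 0, 2);
        if ($result === false) {
            error_log('LDAP search failed: ' . ldap_error($conn));
            return null;
        }
        if (ldap_count_entries($conn, $result) !== 1) {
            return null;                     // unknown or ambiguous e-mail
        }
        $entry = ldap_first_entry($conn, $result);
        $userDn = $entry !== false ? ldap_get_dn($conn, $entry) : false;
        if ($userDn === false) {
            return null;
        }

        // The real password check: bind as the user with the supplied password.
        if (!@ldap_bind($conn, $userDn, $password)) {
            return null;                     // invalid credentials, locked, ...
        }
        return $userDn;
    } finally {
        ldap_unbind($conn);                  // also closes the connection
    }
}

// Usage with constructed placeholder values (substitute an address and
// password that exist in your directory):
$dn = ldapAuthenticateByMail('someone@example.com', 'their-password');
echo $dn === null ? "login failed\n" : "login ok as $dn\n";
```

The size limit of 2 rather than 1 is deliberate: with a limit of 1 a duplicated mail attribute would silently authenticate against whichever entry the server returned first, whereas asking for up to 2 lets the count check reject the ambiguous case. On the forumsys test server, which offers no TLS, the STARTTLS line stays commented out; against a real directory it must be enabled or the user's password crosses the network in clear text on the second bind.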
