Elad

Reputation: 123

Is it possible to bind LDAP with current logged on user with PHP?

I have an IIS application (AngularJS and PHP); authentication is done with Windows Authentication (Anonymous Authentication is disabled). I would like to have a button that, whenever clicked, will look up Active Directory users. It works successfully with the code below:

<?php
$ldap_server = "ldap://MyDomain.local";
$auth_user   = "MyUser@MyDomain";   // dedicated account used for the bind
$auth_pass   = "myPass";
$base_dn     = "OU=MyDomain, DC=MyDomain, DC=local";
$filter      = "(&(objectClass=user)(objectCategory=person)(cn=*))";

// Prepare the connection handle (PHP only actually connects on bind)
if (!($connect = @ldap_connect($ldap_server))) {
    die("Could not connect to ldap server");
}

// Authenticate with the dedicated account
if (!($bind = @ldap_bind($connect, $auth_user, $auth_pass))) {
    die("Unable to bind to server: " . ldap_error($connect) . " (" . ldap_errno($connect) . ")");
}

// Find every person object below the base DN
if (!($search = @ldap_search($connect, $base_dn, $filter))) {
    die("Unable to search ldap server: " . ldap_error($connect) . " (" . ldap_errno($connect) . ")");
}

$entries = ldap_get_entries($connect, $search);

However, the user has already supplied credentials when logging in (through IIS Windows Authentication) and I would like to use the same user credentials (or actually impersonate the user). Can I do so without asking for username and password?

I was trying to get the server variables ({$_SERVER['AUTH_USER']} and {$_SERVER['AUTH_PASSWORD']}). Only the user is populated (makes sense...).

I also tried skipping ldap_bind(), calling it only with the $connect parameter, but I always get the same error: Unable to search ldap server: Operations error (1)

Of course I can store a dedicated user+pass in PHP, but would like to avoid that and use the logged in user authentication.

Thanks!

Upvotes: 2

Views: 2303

Answers (1)

CyberJam

Reputation: 11

You can achieve LDAP and other types of communication on the server-side by using the following PHP + Powershell solution. The code sample below lets me show or hide the web page content based on LOGON_USER (ng-if is an AngularJS directive, which I use to show/hide the contents of the <span>):

PHP:

<?php
// Ask the PowerShell script whether the IIS-authenticated user is in the group.
$ADUserName = $_SERVER['LOGON_USER'];
// escapeshellarg() keeps a crafted user name from being interpreted by the shell.
$output = shell_exec('powershell -file chkgrp.ps1 -ADUserName ' . escapeshellarg($ADUserName));
$isMember = trim($output) === 'true';   // the script prints "true" or "false"
?>
<span ng-if="<?php echo $isMember ? 'true' : 'false'; ?>">YOUR HTML CODE</span>

chkgrp.ps1:

Param([string]$ADUserName)
Import-Module ActiveDirectory
# IIS passes DOMAIN\user; keep only the account name
$User = $ADUserName.Split("\")[1]
$Group = "YOUR GROUP"
$Members = Get-ADGroupMember -Identity $Group -Recursive | Select-Object -ExpandProperty SamAccountName
If ($Members -contains $User) { Write-Output "true" } Else { Write-Output "false" }

-CJ

Upvotes: 1
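The same group check can be done without spawning PowerShell, by combining the service-account bind from the question with the IIS-supplied LOGON_USER. This is an added example, not code from the question or the answer; the service-account password read from LDAP_SERVICE_PASSWORD, the group DN passed by the caller and the base DN are assumed placeholders.

```php
<?php
// Added example (not from the question or the answer): the answer's group
// check done over the question's own service-account LDAP bind, so no
// PowerShell process is spawned per request and no user-supplied string
// ever reaches a shell. Placeholders (assumed): the service account password
// in LDAP_SERVICE_PASSWORD, the group DN given by the caller, the base DN.

function ad_user_in_group(string $logonUser, string $groupDn): bool
{
    // IIS sets LOGON_USER as DOMAIN\user; accept only that shape and keep
    // the account part. Anything else is rejected before it reaches LDAP.
    if (!preg_match('/^[A-Za-z0-9._-]+\\\\([A-Za-z0-9._$-]+)$/', $logonUser, $m)) {
        return false;
    }
    $sam = $m[1];

    $ldap = ldap_connect('ldap://MyDomain.local');
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise break the search

    // Service-account bind as in the question; the secret comes from the
    // environment rather than the source file.
    $pass = getenv('LDAP_SERVICE_PASSWORD');
    if ($pass === false || !@ldap_bind($ldap, 'MyUser@MyDomain', $pass)) {
        return false;
    }

    // 1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN: the server
    // walks nested groups itself, matching the answer's -Recursive behaviour.
    // ldap_escape() stops either value from altering the filter structure.
    $filter = sprintf(
        '(&(objectClass=user)(objectCategory=person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))',
        ldap_escape($sam, '', LDAP_ESCAPE_FILTER),
        ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER)
    );
    $res = @ldap_search($ldap, 'DC=MyDomain,DC=local', $filter, ['sAMAccountName']);
    $found = $res !== false && ldap_count_entries($ldap, $res) === 1;
    ldap_unbind($ldap);
    return $found;
}

// Same "true"/"false" text the answer's ng-if expects.
$isMember = ad_user_in_group($_SERVER['LOGON_USER'] ?? '', 'CN=YOUR GROUP,OU=Groups,DC=MyDomain,DC=local');
echo $isMember ? 'true' : 'false';
```

Nested membership is resolved on the domain controller, so a single search replaces the Get-ADGroupMember -Recursive enumeration and the per-request PowerShell start-up.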
