alindber

Reputation: 188

Can I retrieve additional LDAP objects during authentication with Apache?

I am using .htaccess and Apache v2.4 with mod_authnz_ldap to force LDAP authentication to our local Domain Controller. The following block works just fine and the access log also includes the userID.

# LDAP stuff
AuthType Basic
AuthName "Validate with User ID"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldapServer.com:389/DC=global,DC=myCoName,DC=com?sAMAccountName"
AuthLDAPBindDN "myDomain\\ServiceAccountName"
AuthLDAPBindPassword "ServiceAccountPassword"
require valid-user

Using the phpinfo.php script, the Apache Environmental Variable AUTHENTICATE_SAMACCOUNTNAME is set to the userID.

What I need is to also retrieve additional user data such as full name, phone number, etc., or, if it is easier, return the complete record for the userID without using PHP or some other back-end.

Upvotes: 1

Views: 1035

Answers (1)

alindber

Reputation: 188

As it turns out, the answer is given in the Apache docs. For authentication purposes, only the first attribute listed is used for authentication. Any additional (comma-separated) attributes are fetched during the authentication process.

Modifying the AuthLDAPURL to:

AuthLDAPURL "ldap://ldapServer.com:389/DC=global,DC=myCoName,DC=com?sAMAccountName,displayName,givenName,sn"

authenticates on sAMAccountName but also returns the displayName, givenName, and the surname sn. These values are then found in the Apache environment prefixed by AUTHENTICATE_. PHP variables are prefixed with _SERVER["AUTHENTICATE_*"].

As an example, this is what is returned when I log in:

AUTHENTICATE_SAMACCOUNTNAME al2
AUTHENTICATE_DISPLAYNAME    Lindberg, Alex (Alex)
AUTHENTICATE_GIVENNAME      Alex
AUTHENTICATE_SN             Lindberg

and

_SERVER["AUTHENTICATE_SAMACCOUNTNAME"] al2 
_SERVER["AUTHENTICATE_DISPLAYNAME"]    Lindberg, Alex (Alex) 
_SERVER["AUTHENTICATE_GIVENNAME"]      Alex 
_SERVER["AUTHENTICATE_SN"]             Lindberg 

A listing of attributes can be found here: https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx

Upvotes: 4
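
To audit which directory attributes a given AuthLDAPURL exposes to every script under the protected path, the following added example (not from the original post or the Apache project) parses the documented `ldap://host:port/basedn?attribute?scope?filter` form and lists the login attribute, the fetched-only attributes and the resulting AUTHENTICATE_ variable names. The function name, dictionary keys and sample URL are assumptions made for illustration; the upper-cased variable names follow the output shown in the answer.

```python
from urllib.parse import urlsplit

def describe_auth_ldap_url(url):
    """Parse an AuthLDAPURL value of the form
    ldap://host:port/basedn?attribute?scope?filter and report what
    mod_authnz_ldap searches on and which variables it exports."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("expected an ldap:// or ldaps:// URL")
    base_dn = parts.path.lstrip("/")
    if not base_dn:
        raise ValueError("no base DN found after host:port/")
    # Everything after the first '?' is attribute?scope?filter;
    # pad so that omitted fields fall back to the documented defaults.
    fields = parts.query.split("?") + ["", "", ""]
    attrs = [a.strip() for a in fields[0].split(",") if a.strip()] or ["uid"]
    return {
        "base_dn": base_dn,
        # Only the first attribute is matched against the login name.
        "login_attribute": attrs[0],
        # The rest are fetched during authentication and exported only.
        "fetched_only": attrs[1:],
        "env_vars": ["AUTHENTICATE_" + a.upper() for a in attrs],
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
        # ldap:// is unencrypted unless STARTTLS is configured separately,
        # so Basic-auth passwords and the bind password cross the wire in clear.
        "cleartext_scheme": parts.scheme == "ldap",
    }

# Constructed sample: the answer's attribute list in the documented URL form.
SAMPLE_URL = ("ldap://ldapServer.com:389/DC=global,DC=myCoName,DC=com"
              "?sAMAccountName,displayName,givenName,sn")

if __name__ == "__main__":
    for key, value in describe_auth_ldap_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```
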
