LDAP authentication through PHP can be quite handy. With methods such as this, authentication can be done against an LDAP user database. This is convenient if you are writing software that you would like to interface with an established user platform. I ran into this writing software for Northern Illinois University, which had an established staff and student user database with set password management and user information through Novell.
One of the requirements was that the connection had to go through a secure tunnel. Using Apache, PHP, the php-ldap module, OpenLDAP and OpenSSL on Fedora Core 5, I was able to do this.
The system started with Apache, PHP and the php-ldap module installed. A custom configure of OpenLDAP had to be done: I downloaded the newest version from the site and configured and installed it with --with-tls --enable-slapd. After installing OpenLDAP, I had to add the line TLS_REQCERT never to the end of /etc/openldap/ldap.conf. This option may be needed if you are having certificate troubles.
The following are the two functions I used in PHP to actually do the authentication.
function ia_ldap_search($ds, $user) {
    // $user goes into the filter unescaped, so filter metacharacters (e.g. "*") in it alter the search.
    $sr = ldap_search($ds, "o=NIU", "(cn=$user)");
    $info = ldap_get_entries($ds, $sr);
    return ($info && $info['count'] > 0) ? $info[0] : 0; // no match: 0 instead of an undefined index
}
function ldap_auth($user, $pass, $search = false) {
    if ($pass === '' || $pass === null) return 0; // empty password = anonymous bind, which servers usually accept
    $ds = ldap_connect(_IA_STREAM);
    if ($search) {
        $info = ia_ldap_search($ds, $user);
        if (!$info) { ldap_close($ds); return 0; } // unknown user
        $user = $info['dn'];
    } else {
        $info = $user;
    }
    $r = @ldap_bind($ds, $user, $pass);
    ldap_close($ds);
    return $r ? $info : 0;
}
_IA_STREAM is a define I provided previously that holds the URI of the LDAPS server (ldaps://host:636). These two functions should give you the basics of LDAP authentication over SSL. The ldap_auth function takes the username and password and returns the user info if validated, or 0 on failure. A username search can be done by providing the username and setting $search to true when calling the function.
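As an added example (not the original post's code), here is a hardened variant of ldap_auth that escapes the username before it is placed in the search filter, requires exactly one matching entry, and refuses empty passwords, which ldap_bind would otherwise turn into an anonymous bind that succeeds without checking anything. It assumes the LDAPS server's CA certificate is trusted by the client so TLS_REQCERT can stay at demand rather than never; the URI, base DN and attribute list are placeholders, and ldap_escape needs PHP 5.6 or later.

```php
<?php
// Added example, not the original post's code. Placeholder settings:
const IA_LDAP_URI = 'ldaps://ldap.example.org:636'; // assumed LDAPS host
const IA_BASE_DN  = 'o=NIU';                        // base DN from the post

// Returns the user's entry (array) on success, false on any failure.
// Assumes /etc/openldap/ldap.conf has TLS_REQCERT demand and a trusted CA,
// so the TLS certificate of the server is actually verified.
function ia_ldap_auth_hardened($user, $pass) {
    // An empty password makes ldap_bind perform an anonymous bind, which
    // most directories accept; reject it before it can count as a login.
    if (!is_string($pass) || trim($pass) === '') {
        return false;
    }
    $ds = ldap_connect(IA_LDAP_URI);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Escape filter metacharacters so a username containing "*" or ")("
    // cannot change the meaning of the search.
    $filter = '(cn=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_search($ds, IA_BASE_DN, $filter, array('dn', 'cn', 'mail'));
    if ($sr === false) {
        ldap_close($ds);
        return false;
    }
    $entries = ldap_get_entries($ds, $sr);
    // Zero matches means an unknown user; more than one is ambiguous.
    // Refuse both rather than binding as whichever entry came first.
    if ($entries === false || $entries['count'] !== 1) {
        ldap_close($ds);
        return false;
    }
    $dn = $entries[0]['dn'];

    // Bind as the user's own DN: only the correct password succeeds.
    $ok = @ldap_bind($ds, $dn, $pass);
    ldap_close($ds);
    return $ok ? $entries[0] : false;
}
```

Because ldap_escape is applied to the search filter only, the DN used for the bind is the one the directory itself returned, never a string assembled from user input.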
Thanks for your detailed explanation.
But I am still getting the following error with bind:
"ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP"
My assignment is to change the server from "ad.example.com" to "ldaps://ldap.example.com:port_number".
That means LDAP through SSL. Our old code (ad.example.com) is working fine but the new one is throwing an error in bind. Any kind of help is appreciated.
ldap version : $Id: ldap.c,v 1.161.2.3.2.1 2006/06/15 18:33:07
OpenSSL 0.9.7d 17 Mar 2004
Hari — August 4th, 2011 at 10:35 am