LDAP Authentication RPI Tutorial (Part 3)

Now that we have gone over how to set up LDAP and gone into more depth on how to search with it, we will look at actually writing a web page in PHP that uses LDAP. As always, I will be using RPI as my example, but this should work for anyone with an LDAP system. (Note to people at RPI: you need to VPN in unless you are in the VCC for this to work; I have had luck doing this in Lally, but in the Union it failed.) The first example will go over how to use LDAP just to return information; the second one, which will be put out in a few days, will incorporate the CAS example that was done before and search for the user that logs in. The LDAP servers I am using do not require authentication; if the one you are using does, you will need to go to http://www.php.net/manual/en/function.ldap-bind.php and look at passing credentials to your bind command.

  1. Within a new PHP document, enter the following line with 'ldap.rpi.edu' replaced with your LDAP server. The variable can be named anything as long as you remember it holds the connection.
    • $LDAPCON = ldap_connect('ldap.rpi.edu');
  2. Now we have to bind to the server; this is when credentials are given (if needed) and we fully connect. If the server is unreachable, or you are not permitted to connect, this is where PHP will throw an error. As you can see, we create a new variable for the binding and feed in our connection variable.
    • $LDAPBIND = ldap_bind($LDAPCON);
  3. We have seen before that LDAP can return vast amounts of information on a single item, and since many servers limit how much they will return, it is good practice to ask for just what we want back. Here I will be requesting the "givenname" and "sn" for each user. These attribute names must be put into an array as shown.
    • $filterArray = array('givenname', 'sn');
  4. The core of the search is the search command. Here we take all the different pieces we have made and put them together. First, we enter the connection to use; second, we enter the base for the search (described in parts 1 and 2). Following that we enter a filter for how we want to search the directory; this is not the attribute list we set up one step ago but a filter telling the LDAP server what we are looking for. I am searching for anyone with a UID that starts with 'berkod'. Then we enter the array we set up earlier for the types of data we want returned. The last two settings are set per instance: first a 0 or 1 for the attributes-only flag, where 0 means return the full data and 1 means you just want the attribute types returned if data exists (this is more for a fast exploratory search). To end the command you enter the maximum number of results that should be returned; 0 means no limit. I am hoping to search usernames and get 1 result, so I entered 10 so that if more than 1 user exists under my filter I will know.
    • $LDAPSEARCH = ldap_search($LDAPCON, "dc=rpi,dc=edu", "(uid=berkod*)", $filterArray, 0, 10);
  5. The results from the search have to be retrieved into a separate variable.
    • $LDAPRESULTS = ldap_get_entries($LDAPCON, $LDAPSEARCH);
  6. Now for a quick and dirty view of the result you can simply print out the data.
    • print_r($LDAPRESULTS);
  7. But that just lets you quickly see if you are getting data back; to properly put the data into an array use the following code. This will get the two pieces we requested for each user ("givenname" and "sn") and store them in an array, then put that array into another array. The final format is $variable[$user][0 for 'givenname' / 1 for 'sn']. This data can be used by other code or printed out.
    • $ResultArray = Array();
      for ($i = 0; $i < $LDAPRESULTS["count"]; $i++)
      {
          $tempRow = Array();
          array_push($tempRow, $LDAPRESULTS[$i]["givenname"][0]); // 0 is used because my directory has just one value per user
          array_push($tempRow, $LDAPRESULTS[$i]["sn"][0]);
          array_push($ResultArray, $tempRow);
      }
  8. Then, for good practice, close the LDAP connection.
    • ldap_close($LDAPCON);
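The eight steps above, as an added example that is not the post's own code, wrapped in one function with the checks a page that takes its UID from a form needs: every LDAP call's return value is tested, and the UID prefix goes through ldap_escape() before it is placed in the filter, since characters such as *, (, ) and \ in raw input would change what the filter matches. It assumes the anonymous-bind server ldap.rpi.edu and the base dc=rpi,dc=edu used in the post; the function name lookupUsers is my own.

```php
<?php
// Added example, not from the original post. Assumes an anonymous-bind
// directory at ldap.rpi.edu with base dc=rpi,dc=edu, as in the tutorial.

/**
 * Return [givenname, sn] pairs for users whose uid starts with $uidPrefix.
 * Throws RuntimeException on any LDAP failure instead of silently returning nothing.
 */
function lookupUsers(string $uidPrefix, string $uri = 'ldap://ldap.rpi.edu', string $base = 'dc=rpi,dc=edu'): array
{
    $con = ldap_connect($uri);          // only validates the URI; no network I/O yet
    if ($con === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    // PHP defaults to LDAPv2; nearly every directory expects v3.
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);

    if (!@ldap_bind($con)) {            // anonymous bind, as in the tutorial
        throw new RuntimeException('Bind failed: ' . ldap_error($con));
    }

    // The wildcard is ours; the user-supplied part is escaped so it cannot
    // add its own wildcards or close the filter early.
    $filter = '(uid=' . ldap_escape($uidPrefix, '', LDAP_ESCAPE_FILTER) . '*)';

    // attrsonly = 0 (full values), sizelimit = 10, exactly as in step 4
    $search = @ldap_search($con, $base, $filter, ['givenname', 'sn'], 0, 10);
    if ($search === false) {
        $err = ldap_error($con);
        ldap_close($con);
        throw new RuntimeException('Search failed: ' . $err);
    }

    $entries = ldap_get_entries($con, $search);
    ldap_close($con);
    if ($entries === false) {
        throw new RuntimeException('Could not read search results');
    }

    $rows = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        // ldap_get_entries lowercases attribute names; an entry may lack one,
        // so fall back to '' rather than emit a warning.
        $rows[] = [$entries[$i]['givenname'][0] ?? '', $entries[$i]['sn'][0] ?? ''];
    }
    return $rows;
}

// The prefix may come from a login form or query string; the escape above handles it.
print_r(lookupUsers($_GET['uid'] ?? 'berkod'));
```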

The next post will go over combining CAS and LDAP. Until then thanks for commenting and feel free to ask questions.

