Auth_Container_LDAP – Authenticate against an LDAP server

LDAP Container

This storage container makes use of the ldap extension to load user data from an LDAP server.

The storage-specific argument for the Auth constructor() is an array of options.

Available Options
Option Data Type Default value Description
"host" string "localhost" The host name or IP-adress to access
"port" integer 389 The port of the LDAP server to access
"url" string " A fully qualified URL for specifying the protocol, url and port to connect to. It is useful for specifying ldaps://. Takes precedence over "host" and "port" options. Only works if PHP has been compiled against OpenLDAP 2+ libraries.
"version" integer 2 LDAP version to use, usually 2 (default) or 3, must be an integer!
"referrals" boolean TRUE If set, determines whether the LDAP library automatically follows referrals returned by LDAP servers or not.
"binddn" string " If set, searching for user will be done after binding as this user, if not set the bind will be anonymous. This is reported to make the container work with MS Active Directory, but should work with any server that is configured this way. This has to be a complete dn for now (basedn and userdn will not be appended).
"bindpw" string " The password to use for binding with binddn.
"basedn" string " The base DN of your server.
"userdn" string " Gets prepended to basedn when searching for users.
"userscope" string "sub" Scope for user searching: one, sub (default), or base.
"userattr" string "uid" Defines the attribute to search for.
"userfilter" string "(objectClass=posixAccount)" Filter that will be added to the search filter this way: (&(userattr=username)(userfilter)).
"attributes" array array('') Array of additional attributes to fetch from entry. These will added to auth data and can be retrieved via Auth::getAuthData() . An empty array will fetch all attributes, array('') will fetch no attributes at all (default). If you add 'dn' as a value to this array, the user's DN that was used for binding will be added to auth data as well.
"attrformat" string "AUTH"

The returned format of the additional data defined in the 'attributes' option. Two formats are available.

LDAP returns data formatted in a multidimensional array where each array starts with a 'count' element providing the number of attributes in the entry, or the number of values for attributes. When set to this format, the only way to retrieve data from the Auth object is by calling getAuthData('attributes'). This was the default format before version 1.3.0.

AUTH returns data formatted in a structure more compliant with other Auth Containers, where each attribute element can be directly called by getAuthData() method from Auth. This became the default as of 1.3.0.

"groupdn" string " Gets prepended to basedn when searching for group.
"groupattr" string "cn" The group attribute to search for.
"groupfilter" string "(objectClass=groupOfUniqueNames)" Filter that will be added to the search filter when searching for a group: (&(groupattr=group)(memberattr=username)(groupfilter)).
"memberattr" string "uniqueMember" The attribute of the group object where the user dn may be found.
"memberisdn" boolean TRUE Whether the memberattr is the dn of the user (default) or the value of userattr (usually uid).
"group" string " The name of the group users have to be a member of to authenticate successfully.
"groupscope" string "sub" Scope for group searching: one, sub (default), or base.
"start_tls" boolean "false" Enable/disable the use of START_TLS encrypted connection.
"try_all" boolean FALSE If multiple entries are returned by the search attempt to authenticate against each entry in order or just the first one (default).
"debug" boolean FALSE Enable debug output.

Authenticating against a LDAP server

= new Auth("LDAP", array(
'host' => 'localhost',
'port' => '389',
'version' => 3,
'basedn' => 'o=netsols,c=de',
'userattr' => 'uid',
'binddn' => 'cn=admin,o=netsols,c=de',
'bindpw' => 'password'

Requiring users to be within specific groups

= new Auth('LDAP', array(
'url' => 'ldaps://',
'basedn' => 'o=netsols,c=de',
'userscope' => 'one',
'userdn' => 'ou=People',
'groupdn' => 'ou=Groups',
'groupfilter' => '(objectClass=posixGroup)',
'memberattr' => 'memberUid',
'memberisdn' => false,
'group' => 'admin'

Authenticating against a Microsoft Active Directory server

= new Auth('LDAP', array(
'host' => '',
'port' => 389,
'version' => 3,
'referrals' => false,
'basedn' => 'dc=netsols,dc=de',
'binddn' => 'cn=Jan Wagner,cn=Users,dc=netsols,dc=de',
'bindpw' => 'password',
'userattr' => 'samAccountName',
'userfilter' => '(objectClass=user)',
'attributes' => array(''),
'group' => 'testing',
'groupattr' => 'samAccountName',
'groupfilter' => '(objectClass=group)',
'memberattr' => 'member',
'memberisdn' => true,
'groupdn' => 'cn=Users',
'groupscope' => 'one',

When talking to a Microsoft ActiveDirectory server you have to use 'samaccountname' as the 'userattr' and follow special rules to translate the ActiveDirectory directory names into 'basedn'. The 'basedn' for the default 'Users' folder on an ActiveDirectory server for the ActiveDirectory Domain (which is not related to its DNS name) "" would be: "CN=Users, DC=win2000, DC=example, DC=org" where every component of the domain name becomes a DC attribute of its own. If you want to use a custom users folder you have to replace "CN=Users" with a sequence of "OU" attributes that specify the path to your custom folder in reverse order. So the ActiveDirectory folder "\Custom\Accounts" would become "OU=Accounts, OU=Custom, DC=win2000, DC=example, DC=org"

It seems that binding anonymously to an Active Directory is not allowed, so you have to set binddn and bindpw for user searching.

LDAP Referrals need to be set to false for AD to work sometimes.

Note also that if you want an encrypted connection to an MS LDAP server, then, on your webserver, you must specify "TLS_REQCERT never" in /etc/ldap/ldap.conf or in the webserver user's ~/.ldaprc (which may or may not be read depending on your configuration).

Authenticate against a Kerberos 5 server (Previous) Authenticate against a database using MDB (Next)
Last updated: Sat, 16 Feb 2019 — Download Documentation
Do you think that something on this page is wrong? Please file a bug report.
View this page in:
  • English

User Notes:

There are no user contributed notes for this page.