[line 203]
Storage driver for fetching login data from LDAP
This class is heavily based on the DB and File containers. By default it connects to localhost:389 and searches for uid=$username with the scope "sub". If no search base is specified, it will try to determine it via the namingContexts attribute. It takes its parameters in a hash, connects to the ldap server, binds anonymously, searches for the user, and tries to bind as the user with the supplied password. When a group was set, it will look for group membership of the authenticated user. If all goes well the authentication was successful.
Parameters:
host: localhost (default), ldap.netsols.de or 127.0.0.1 port: 389 (default) or 636 or whereever your server runs url: ldap://localhost:389/ useful for ldaps://, works only with openldap2 ? it will be preferred over host and port version: LDAP version to use, ususally 2 (default) or 3, must be an integer! referrals: If set, determines whether the LDAP library automatically follows referrals returned by LDAP servers or not. Possible values are true (default) or false. binddn: If set, searching for user will be done after binding as this user, if not set the bind will be anonymous. This is reported to make the container work with MS Active Directory, but should work with any server that is configured this way. This has to be a complete dn for now (basedn and userdn will not be appended). bindpw: The password to use for binding with binddn basedn: the base dn of your server userdn: gets prepended to basedn when searching for user userscope: Scope for user searching: one, sub (default), or base userattr: the user attribute to search for (default: uid) userfilter: filter that will be added to the search filter this way: (&(userattr=username)(userfilter)) default: (objectClass=posixAccount) attributes: array of additional attributes to fetch from entry. these will added to auth data and can be retrieved via Auth::getAuthData(). An empty array will fetch all attributes, array('') will fetch no attributes at all (default) If you add 'dn' as a value to this array, the users DN that was used for binding will be added to auth data as well. attrformat: The returned format of the additional data defined in the 'attributes' option. Two formats are available. LDAP returns data formatted in a multidimensional array where each array starts with a 'count' element providing the number of attributes in the entry, or the number of values for attributes. When set to this format, the only way to retrieve data from the Auth object is by calling getAuthData('attributes'). AUTH returns data formatted in a structure more compliant with other Auth Containers, where each attribute element can be directly called by getAuthData() method from Auth. For compatibily with previous LDAP container versions, the default format is LDAP. groupdn: gets prepended to basedn when searching for group groupattr: the group attribute to search for (default: cn) groupfilter: filter that will be added to the search filter when searching for a group: (&(groupattr=group)(memberattr=username)(groupfilter)) default: (objectClass=groupOfUniqueNames) memberattr : the attribute of the group object where the user dn may be found (default: uniqueMember) memberisdn: whether the memberattr is the dn of the user (default) or the value of userattr (usually uid) group: the name of group to search for groupscope: Scope for group searching: one, sub (default), or base start_tls: enable/disable the use of START_TLS encrypted connection (default: false) debug: Enable/Disable debugging output (default: false) try_all: Whether to try all user accounts returned from the search or just the first one. (default: false)
To use this storage container, you have to use the following syntax:
<?php ...
$a1 = new Auth("LDAP", array( 'host' => 'localhost', 'port' => '389', 'version' => 3, 'basedn' => 'o=netsols,c=de', 'userattr' => 'uid' 'binddn' => 'cn=admin,o=netsols,c=de', 'bindpw' => 'password'));
$a2 = new Auth('LDAP', array( 'url' => 'ldaps://ldap.netsols.de', 'basedn' => 'o=netsols,c=de', 'userscope' => 'one', 'userdn' => 'ou=People', 'groupdn' => 'ou=Groups', 'groupfilter' => '(objectClass=posixGroup)', 'memberattr' => 'memberUid', 'memberisdn' => false, 'group' => 'admin' ));
$a3 = new Auth('LDAP', array( 'host' => 'ldap.netsols.de', 'port' => 389, 'version' => 3, 'referrals' => false, 'basedn' => 'dc=netsols,dc=de', 'binddn' => 'cn=Jan Wagner,cn=Users,dc=netsols,dc=de', 'bindpw' => 'password', 'userattr' => 'samAccountName', 'userfilter' => '(objectClass=user)', 'attributes' => array(''), 'group' => 'testing', 'groupattr' => 'samAccountName', 'groupfilter' => '(objectClass=group)', 'memberattr' => 'member', 'memberisdn' => true, 'groupdn' => 'cn=Users', 'groupscope' => 'one', 'debug' => true);
The parameter values have to correspond to the ones for your LDAP server of course.
When talking to a Microsoft ActiveDirectory server you have to use 'samaccountname' as the 'userattr' and follow special rules to translate the ActiveDirectory directory names into 'basedn'. The 'basedn' for the default 'Users' folder on an ActiveDirectory server for the ActiveDirectory Domain (which is not related to its DNS name) "win2000.example.org" would be: "CN=Users, DC=win2000, DC=example, DC=org' where every component of the domain name becomes a DC attribute of its own. If you want to use a custom users folder you have to replace "CN=Users" with a sequence of "OU" attributes that specify the path to your custom folder in reverse order. So the ActiveDirectory folder "win2000.example.org\Custom\Accounts" would become "OU=Accounts, OU=Custom, DC=win2000, DC=example, DC=org'
It seems that binding anonymously to an Active Directory is not allowed, so you have to set binddn and bindpw for user searching.
LDAP Referrals need to be set to false for AD to work sometimes.
Example a3 shows a full blown and tested example for connection to Windows 2000 Active Directory with group mebership checking
Note also that if you want an encrypted connection to an MS LDAP server, then, on your webserver, you must specify TLS_REQCERT never in /etc/ldap/ldap.conf or in the webserver user's ~/.ldaprc (which may or may not be read depending on your configuration).
