Auth
[ class tree: Auth ] [ index: Auth ] [ all elements ]
Packages:
Auth


Classes:
Auth
Auth_Container
Auth_Container_DB
Auth_Container_File
Auth_Container_LDAP
Auth_Container_MDB
Auth_Container_MDB2
Auth_Container_POP3
Auth_Container_SMBPasswd
Auth_Container_SOAP
Auth_Container_vpopmail
Auth
   Auth_Container_IMAP
   Auth_Container_RADIUS
Files:
Auth.php
Auth.php
Container.php
Controller.php
DB.php
DBLite.php
File.php
Html.php
IMAP.php
LDAP.php
MDB.php
MDB2.php
PEAR.php
POP3.php
RADIUS.php
SMBPasswd.php
SOAP.php
vpopmail.php

Class: Auth_Container_LDAP

Source Location: /Auth-1.3.0r2/Container/LDAP.php

Class Overview

Auth_Container
   |
   --Auth_Container_LDAP

Storage driver for fetching login data from LDAP


Author(s):

Version:

  • $Revision: 1.17 $

Variables

Methods

Inherited Variables

Class: Auth_Container

Auth_Container::$activeUser

Inherited Methods

Class: Auth_Container

Auth_Container::Auth_Container()
Constructor
Auth_Container::addUser()
Add a new user to the storage container
Auth_Container::changePassword()
Change password for user in the storage container
Auth_Container::fetchData()
Fetch data from storage container
Auth_Container::getCryptType()
Returns the crypt current crypt type of the container
Auth_Container::getUser()
Returns a user assoc array
Auth_Container::listUsers()
List all users that are available from the storage container
Auth_Container::removeUser()
Remove user from the storage container
Auth_Container::supportsChallengeResponce()
Returns true if the container supports Challenge Responce
Auth_Container::verifyPassword()
Crypt and verfiy the entered password

Class Details

[line 156]
Storage driver for fetching login data from LDAP

This class is heavily based on the DB and File containers. By default it connects to localhost:389 and searches for uid=$username with the scope "sub". If no search base is specified, it will try to determine it via the namingContexts attribute. It takes its parameters in a hash, connects to the ldap server, binds anonymously, searches for the user, and tries to bind as the user with the supplied password. When a group was set, it will look for group membership of the authenticated user. If all goes well the authentication was successful.

Parameters:

host: localhost (default), ldap.netsols.de or 127.0.0.1 port: 389 (default) or 636 or whereever your server runs url: ldap://localhost:389/ useful for ldaps://, works only with openldap2 ? it will be preferred over host and port version: LDAP version to use, ususally 2 (default) or 3, must be an integer! binddn: If set, searching for user will be done after binding as this user, if not set the bind will be anonymous. This is reported to make the container work with MS Active Directory, but should work with any server that is configured this way. This has to be a complete dn for now (basedn and userdn will not be appended). bindpw: The password to use for binding with binddn basedn: the base dn of your server userdn: gets prepended to basedn when searching for user userscope: Scope for user searching: one, sub (default), or base userattr: the user attribute to search for (default: uid) userfilter: filter that will be added to the search filter this way: (&(userattr=username)(userfilter)) default: (objectClass=posixAccount) attributes: array of additional attributes to fetch from entry. these will added to auth data and can be retrieved via Auth::getAuthData(). An empty array will fetch all attributes, array('') will fetch no attributes at all (default) groupdn: gets prepended to basedn when searching for group groupattr: the group attribute to search for (default: cn) groupfilter: filter that will be added to the search filter when searching for a group: (&(groupattr=group)(memberattr=username)(groupfilter)) default: (objectClass=groupOfUniqueNames) memberattr : the attribute of the group object where the user dn may be found (default: uniqueMember) memberisdn: whether the memberattr is the dn of the user (default) or the value of userattr (usually uid) group: the name of group to search for groupscope: Scope for group searching: one, sub (default), or base debug: Enable/Disable debugging output (default: false)

To use this storage container, you have to use the following syntax:

<?php ...

$a = new Auth("LDAP", array( 'host' => 'localhost', 'port' => '389', 'version' => 3, 'basedn' => 'o=netsols,c=de', 'userattr' => 'uid' 'binddn' => 'cn=admin,o=netsols,c=de', 'bindpw' => 'password'));

$a2 = new Auth('LDAP', array( 'url' => 'ldaps://ldap.netsols.de', 'basedn' => 'o=netsols,c=de', 'userscope' => 'one', 'userdn' => 'ou=People', 'groupdn' => 'ou=Groups', 'groupfilter' => '(objectClass=posixGroup)', 'memberattr' => 'memberUid', 'memberisdn' => false, 'group' => 'admin' ));

This is a full blown example with user/group checking to an Active Directory

$a3 = new Auth('LDAP', array( 'host' => 'ldap.netsols.de', 'port' => 389, 'version' => 3, 'basedn' => 'dc=netsols,dc=de', 'binddn' => 'cn=Jan Wagner,cn=Users,dc=netsols,dc=de', 'bindpw' => 'password', 'userattr' => 'samAccountName', 'userfilter' => '(objectClass=user)', 'attributes' => array(''), 'group' => 'testing', 'groupattr' => 'samAccountName', 'groupfilter' => '(objectClass=group)', 'memberattr' => 'member', 'memberisdn' => true, 'groupdn' => 'cn=Users', 'groupscope' => 'one', 'debug' => true);

The parameter values have to correspond to the ones for your LDAP server of course.

When talking to a Microsoft ActiveDirectory server you have to use 'samaccountname' as the 'userattr' and follow special rules to translate the ActiveDirectory directory names into 'basedn'. The 'basedn' for the default 'Users' folder on an ActiveDirectory server for the ActiveDirectory Domain (which is not related to its DNS name) "win2000.example.org" would be: "CN=Users, DC=win2000, DC=example, DC=org' where every component of the domain name becomes a DC attribute of its own. If you want to use a custom users folder you have to replace "CN=Users" with a sequence of "OU" attributes that specify the path to your custom folder in reverse order. So the ActiveDirectory folder "win2000.example.org\Custom\Accounts" would become "OU=Accounts, OU=Custom, DC=win2000, DC=example, DC=org'

It seems that binding anonymously to an Active Directory is not allowed, so you have to set binddn and bindpw for user searching,

Example a3 shows a tested example for connenction to Windows 2000 Active Directory



[ Top ]

Class Variables

$conn_id =  false

[line 168]

Connection ID of LDAP Link

Type:   string


[ Top ]

$options = array()

[line 162]

Options for the class

Type:   array


[ Top ]


Method Detail

Auth_Container_LDAP (Constructor)   [line 176]

object Returns Auth_Container_LDAP( $params, $params)

Constructor of the container class
  • Return: an error object if something went wrong

Parameters:

$params,   $params   —  associative hash with host,port,basedn and userattr key

[ Top ]

checkGroup   [line 469]

boolean checkGroup( string $user)

Validate group membership

Searches the LDAP server for group membership of the authenticated user


Parameters:

string   $user   —  Distinguished Name of the authenticated User

[ Top ]

fetchData   [line 377]

boolean fetchData( string $username, string $password)

Fetch data from LDAP server

Searches the LDAP server for the given username/password combination.


Overrides Auth_Container::fetchData() (Fetch data from storage container)

Parameters:

string   $username   —  Username
string   $password   —  Password

[ Top ]
Documentation generated on Mon, 11 Mar 2019 13:52:32 -0400 by phpDocumentor 1.4.4. PEAR Logo Copyright © PHP Group 2004.