Using active directory to authenticate users on intranet site

kallakafar · Jul 21, 2013 · Viewed 84.7k times

I have an 'intranet' site that I have built, which has a login system of its own (users register as new users, and use the username/password thereon to login to the site). However, now I want to extend it, and have the intranet site use the existing ActiveDirectory for authentication. This is what I am looking for, going forward -

When a user accesses this intranet site (http://intranetsite/mySite), the user's domain credentials are validated against the Active Directory, and if the user's credentials match AD, the user is then presented the main page of the intranet site.

I am new to AD, and do not know how to go about this configuration. My intranet site is built around PHP and uses Apache on the application server; the AD is on a different IIS server.

What information do I need, and where do I put this information (into my site? htaccess? anywhere else?) so that I can use AD authentication? Is just 'configuration' enough, or do I need to write explicit PHP code for this authentication?

Any pointers are much appreciated.

Answer

Robert Rossmann · Jul 21, 2013

If you are looking only for authentication and nothing else, you may get away with only a few lines of code.

First, ensure you have LDAP enabled in your PHP.

Here's a pure PHP implementation:
(note that when doing it this way you should ensure that you DO HAVE a username and a password from the user - anonymous binding will almost always return true for AD)

$link = ldap_connect('domain.com'); // Your domain or domain server

// Note: ldap_connect() only validates the parameters; the actual TCP
// connection is made on the first operation (the bind below).
if (! $link) {
    // Could not connect to server - handle error appropriately
}

ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3); // Recommended for AD

// Now try to authenticate with credentials provided by user
// ('user@domain.com' is a placeholder for the user's UPN)
if (! ldap_bind($link, 'user@domain.com', 'SomeSecret')) {
    // Invalid credentials! Handle error appropriately
}
// Bind was successful - continue

If you expect to do more fun stuff with Active Directory like pulling some information about the currently logged in user, I strongly recommend using a framework to do the heavy lifting for you. As already mentioned, adLDAP is a good one and if you run PHP 5.4 I dare recommend the AD-X library which I actively develop (you can install it via Composer).

With the AD-X library, you can verify a user's credentials using this code:

try {
    $link = new ADX\Core\Link('domain.com'); // Establish connection to AD
    $link->bind('user@domain.com', 'SomeSecret'); // Authenticate user ('user@domain.com' is a placeholder UPN)
}
catch (ADX\Core\ServerUnreachableException $e) {
    // Unable to connect to server, handle error
}
catch (ADX\Core\InvalidCredentialsException $e) {
    // Invalid credentials supplied
}
catch (Exception $e) {
    // Something else happened, check the exception and handle appropriately
}

// Successfully authenticated if no exception has been thrown

Feel free to choose which suits you best. However, if you expect to do more than authenticate I strongly suggest you use a library for the ldap work - it will save you a lot of time and possibly frustration when things do not work as you would expect them to.

Also, if in doubt about what information you can/should use to connect and to authenticate, feel free to check my previous answer on this topic.
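The answer's bind check, carried a bit further as an added example that is not part of the original post or of any library mentioned in it. It connects over LDAPS so the password is not sent in clear text, refuses the empty-password case that AD accepts as an anonymous bind, and then reads the authenticated user's display name and groups with an escaped search filter. The server name, domain suffix and base DN are placeholders for your own environment.

```php
<?php
// Added example: authenticate an intranet user against Active Directory with
// PHP's ldap extension. Server, domain and base DN below are placeholders.
declare(strict_types=1);

const AD_SERVER  = 'ldaps://dc01.example.internal'; // placeholder: a domain controller, LDAPS on 636
const AD_DOMAIN  = 'example.internal';              // placeholder: UPN suffix for your forest
const AD_BASE_DN = 'DC=example,DC=internal';        // placeholder: search base for user lookups

/**
 * Validate a username/password pair against AD.
 * Returns ['displayName' => ..., 'groups' => [...]] on success, null on failure.
 */
function ad_authenticate(string $username, string $password): ?array
{
    // An empty password makes ldap_bind() perform an anonymous bind, which AD
    // accepts; treat it as a failed login instead of letting the user through.
    if ($username === '' || $password === '') {
        return null;
    }
    // Accept only plain sAMAccountName characters before building the UPN.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }

    // ldap_connect() only parses the URI; the TCP connection happens on bind.
    $link = ldap_connect(AD_SERVER);
    if ($link === false) {
        return null;
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);        // do not chase referrals on searches
    ldap_set_option($link, LDAP_OPT_NETWORK_TIMEOUT, 5);  // fail fast if the DC is unreachable

    // Simple bind with the UPN; the password travels inside the TLS session.
    $upn = $username . '@' . AD_DOMAIN;
    if (@ldap_bind($link, $upn, $password) === false) {
        // ldap_error() distinguishes invalid credentials (49) from server errors.
        error_log('AD bind failed for ' . $upn . ': ' . ldap_error($link));
        ldap_unbind($link);
        return null;
    }

    // Look up the user's own entry. ldap_escape() keeps the username from
    // changing the structure of the filter.
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $result  = ldap_search($link, AD_BASE_DN, $filter, ['displayName', 'memberOf']);
    $entries = $result !== false ? ldap_get_entries($link, $result) : ['count' => 0];
    ldap_unbind($link);

    if ($entries['count'] !== 1) {
        return null;
    }
    $entry  = $entries[0];                 // attribute names come back lowercased
    $groups = $entry['memberof'] ?? [];
    unset($groups['count']);               // ldap_get_entries() adds a 'count' key per attribute

    return [
        'displayName' => $entry['displayname'][0] ?? $username,
        'groups'      => array_values($groups), // group DNs, e.g. for authorization decisions
    ];
}

// Usage from a login form handler:
// $user = ad_authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($user === null) {
//     // show a generic login failure message
// } else {
//     session_regenerate_id(true);
//     $_SESSION['user'] = $user;
// }
```

The group DNs returned in `groups` are what the intranet site would check before granting access to a page; with a plain bind alone, as in the answer, you only learn that the password was right, not who the person is in the directory.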