如何在php中使用LDAP从Active Directory搜索和更新用户数据？

Question

I using php 5.6 and i try search user in Active Directory by LDAP in php. Example search:

ldap_connect($host, '389');
ldap_search($client, 'DC=shamsa,DC=real,DC=kamchatka,DC=ru', '(&(objectClass=user)(CN=user_name))', '*');

I successfully get user data, but userPassword does not exist in returned fields. I need user password for compare password from Active Data and password entered by user.

How i can get user password from Active Data or how compare password entered by user and password in Active Directory without getting?

By the way, also, i need update user data in Active Directory. For example update name and email fields. How i can do that?

Thank you for answers.

Answer 1

If you only want to compare the password the user provided in a login interface with the password stored in LDAP/Active Directory you should use the ldap_bind command for that with the users dn and the password. It returns true when password and username/DN match and false when not.

To get the DN you'd typically bind with a known user that has read access to the ldap, search for the user by its username and then bind again with the returned users DN and the password. There is a gist that illustrates that at https://gist.github.com/heiglandreas/5689592

If you also want to set the users password you'd want to bind with the user as well as usually only the user (and admin accounts) are allowed to read (and write) the users password. So you'd also want to proceed as before but then add a call to update the users password-attribute. For a solution and more in depth knowledge have a look at fe http://www.letu.edu/people/markroedel/netcccu/activedirectorypasswordchanges.htm

Updating other userdata than password will also be done using ldap_modify or ldap_mod_replace

Answer 2

Use ldap_modify to update an ldap entry. It's pretty simple :

$entry['mail'] = 'example@domain.com';
$entry['cn'] = 'test';
ldap_modify($connection, $dn, $entry);

---

userPassword is an operational attribute.

An operational attribute is used internally by the server. Generally, it is readable but can't be modified by a user.

In order to retrieve an operational attribute, you have to require it explicitely or request all of them using the special attribute + (like you did with * to request all user attributes).

You can also request all (both user and operational) attributes with :

ldap_search($connection, $base_dn, $filter, ['*', '+']);

Now, you want to compare a submitted user password with a password hash string stored in AD. That means you need to manually encrypt/hash/salt the submitted string according to the hash scheme used by AD (eg : {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, ... ) so that the comparison is feasible.

Here an example of how to manually generate a {MD5} hash based on a clear text password :

$hash = '{md5}' . base64_encode(pack('H*', md5($clear_txt_passwd)));

=> This is not straightforward and a match is not guaranteed even if the input string is correct since you may encounter interoperability issues between ldap implementations and/or systems/OSs (hash/salt functions can differ from one to another, especially using crypt library that is system dependant).

If you want to test user authentication directly against AD, just use ldap_bind :

$bind = ldap_bind($connection, $dn, $passwd); // returns TRUE on success, FALSE on failure.
echo "$dn\n" . ($bind ? 'LDAP bind OK' : 'LDAP bind failed');

But if, for example, users credentials are to be checked both against an existing openLdap server and AD, it would require to constantly sync/replicate user entries, instead it is better to keep one single authentication backend. In such case you would have to use Pass-Through Authentication using the dedicated {SASL} scheme in the 1st backend (openLDAP in this example) : With this configuration, Cyrus SASL is used as a password handler and delegates password verification to any back-end server with SASL supports for checking passwords (AD in your case but it could be Kerberos or an IMAP server).