Search code examples
phpldap

How do I bind with multiple Active Directory OU with LDAP

I am creating a login page that uses Active Directory credentials. I found some documentation about LDAP in the PHP Manual and managed to successfully login using Active Directory credentials by binding with LDAP.

My challenge is that I have multiple Organizational Units (OU) and can't find an efficient way to bind using OUs.

Currently I am using a for loop to loop over each OU in an array. However, this throws an error each time the incorrect OU is being used. I am new to LDAP and found resources that mentioned ldap_search; however, I was not able to successfully bind without including the OU. Any advice/ help would be great.

$ou=array("Group1", "Group2", "Group3", "Group4", "Group5");



$arrlength = count($ou);

for($x = 0; $x < $arrlength; $x++){



    
    
    
    $ldapuser = "CN=".$_POST["username"].",OU=".$ou[$x].",DC=com,DC=com";

    $ldappass = trim($_POST["password"]);
    

    //LDAP server connection

    
    $ldapserver = "ldaps:server.domain";

            
    

    //options are require, never, allow
    //require is most secure, the others could allow for man in the middle attacks
    putenv('LDAPTLS_REQCERT=require');

        
    // connect to ldap server
    $ldapconn = ldap_connect($ldapserver) or die ("Couldn't connect");

    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // binding to ldap server
    $ldapbind = false;

   

      $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass);
      if ($ldapbind) {

     
          $x = $arrlength;

     }
Solution

  • The most common generic method (i.e. one that'll work with any kind of LDAP system) is:

    1. Bind using a preconfigured "service" account and password. (Ask the AD admins to create a dedicated account for your webapp. They might need to add it to the "Pre-Win2000 systems" group.)

    2. Search the LDAP directory for the username to find the correct user account object.

      (You can search by any attribute you like, but note that the username is usually sAMAccountName, not the CN – the CN field is supposed to hold the user's "real" name. This also means that a user's DN may change, so you have to search it every time.)

    3. Unbind (disconnect), then connect/bind again with the user's DN that you just found.

    If this is specifically Active Directory, there's a shortcut – you can bind to AD LDAP without knowing the user's DN at all, just by specifying the UPN (i.e. username@domain) within the "bind DN" field. This won't work with other server types, and won't be all that useful if you also need to retrieve the user's attributes (still need a search for that...)

    Also, if this is AD, you'll usually want to disable the REFERRALS option.