I am working on an internal in and out board for our workplace. Our current application is having issues, plus it is being hosted on Windows Server 2003, which is losing support come July (2015). We are starting on a new application since our old one is now 7 years old and we have no staff able to edit it. Our old application is written in asp.net while we want to be able to use PHP with our new product. My question is basically what do I need to research to learn LDAP and PHP.

I know our current application uses the current Windows user to authenticate, no logging in or anything. All it does is use the user to display "Welcome John Smith!" and has options for the user to indicate whether they are in or out at the current time as well as a comments field. It then takes the information and pushes it into SQL 2005 with a table that has users, status and comment, and that is it. Our new application is going to be running on a Windows 2008 R2 server with IIS 7.5, PHP, FastCGI and LDAP extensions running.

I have been googling around but I don't know what exactly to look for. I haven't found any good code that is really newbie friendly to help start learning LDAP. I was using PHP's manuals on various parts but still don't really know if I understand any of it. I figured I would post here with what we are trying to do and see if you could point me in the right direction to resources to help me accomplish our task. I know we'll need to connect to LDAP and I've done that, and then we have to do something with LDAP_BIND like:

$ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass);

I have the $ldapconn down but the $ldapuser is not the local user right, it is our ldap user set up to be able to access AD correct?

Anyways, I don't really know how else to explain it, so if anyone can help in any way please let us know. Our old system is literally falling apart and we would like to establish a new system that will work for many years to come.


is written in asp.net while we want to be able to use PHP with our new product

(For a network that seems to be running Windows servers and Active Directory.) Why would you want to do that? The current app leverages that, because you can see that by using IIS in Windows authentication mode it's fairly easy to work with domain credentials... but OK, I don't want to get into a long discussion about asp.net vs PHP here. I know that I'm probably in the minority here.

I don't know PHP, but I do know asp.net and Active Directory.

I have the $ldapconn down but the $ldapuser is not the local user right, it is our ldap user set up to be able to access AD correct?

Anonymous authentication to perform a read or write in Active Directory (AD) is not allowed by default. To connect to AD, you have to present AD with a set of credentials (username and password). So in your ldap_bind method, you have to tell it how to connect and what username and password should be used in that connection. By default all user accounts in the domain have read access.

If you plan on doing writes such as updating information in AD, you will have to delegate the appropriate permissions to those objects in AD to the account that is making the connection.


Going on about Anonymous authentication, I know following a few tutorials it says to turn it off. When I do turn it off I get errors saying I don't have permission to view the page (Not authenticated, makes good sense). I tried to use an authentication script found online to see if it would work but I still get the error.

I am not sure if I understand this correctly so I am going to write it out how I think it works.

In PHP I could use $_SERVER['AUTH_USER'] to grab the name of the user logged into the account. However, I also saw somewhere that this requires anonymous authentication to be turned off. When I turn it off I get an error, but even when I hard code in my user credentials I get the error. How do I authenticate when turning off anonymous authenticating? I have this code:

    $adServer = "ldap://myserver.domain.com";

    $ldap = ldap_connect($adServer);
    $username = "user here";
    $password = "pass here";

    $ldaprdn = 'DOMAIN' . "\\" . $username;

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Bind as DOMAIN\username; @ suppresses the PHP warning on a failed bind.
    $bind = @ldap_bind($ldap, $ldaprdn, $password);

    if ($bind) {
        // $filter was not defined in the post; a lookup of the bound user by
        // sAMAccountName is assumed here, escaped so it is safe inside a filter.
        $filter = "(sAMAccountName=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
        $result = ldap_search($ldap, "dc=domain,dc=com", $filter);
        $info = ldap_get_entries($ldap, $result);
        for ($i = 0; $i < $info["count"]; $i++) {
            if ($info['count'] > 1) {
                break; // more than one match is ambiguous, show nothing
            }
            echo "<p>You are accessing <strong> ". $info[$i]["sn"][0] .", " . $info[$i]["givenname"][0] ."</strong><br /> (" . $info[$i]["samaccountname"][0] .")</p>\n";
            echo '<pre>';
            echo '</pre>';
            $userDn = $info[$i]["distinguishedname"][0];
        }
    } else {
        $msg = "Invalid email address / password";
        echo $msg;
    }

When I have authentication off I can view the AD information regarding the person. This is what I want, since our whole idea is to basically say the name and then push it to a database for the in or out status (we are also building in a ticket system). I know this code just shows all the AD information, but doesn't the top part work as an authentication script which should allow me to get past the authentication block?


I don't want to confuse you, and the PHP you provided is over my head, but no worries, there are several PHP gurus on this site that will surely help.

There are two authentication conversations here: authentication at the web server level (for example, in IIS you configure the server for anonymous, Windows authentication, etc.) and what I was talking about regarding LDAP, where you normally have to present a username and password to the LDAP server (assuming anonymous authentication in AD/LDAP is disabled, which is a good idea for it to be disabled).

I hope this helps.
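
The two layers described above, shown in PHP as an added example that is not code from any poster in the thread: IIS Windows Authentication identifies the browser user through `$_SERVER['AUTH_USER']`, and a separate service account binds to AD to look that user up. The host, base DN, environment variable names and service account are placeholders assumed for illustration.

```php
<?php
// Added example: IIS authenticates the browser, a service account queries AD.
// Placeholders (not from the thread): host, base DN, environment variable names.
const LDAP_URI = 'ldaps://dc.example.com';   // LDAPS so the bind password is not sent in clear
const BASE_DN  = 'dc=example,dc=com';

// With Windows Authentication on and Anonymous Authentication off, IIS sets
// AUTH_USER to "DOMAIN\user" or "user@domain". Return the bare account name.
function accountFromAuthUser(string $authUser): ?string
{
    $pos  = strrpos($authUser, '\\');
    $name = $pos === false
        ? (string) strstr($authUser . '@', '@', true)
        : (string) substr($authUser, $pos + 1);
    return $name === '' ? null : $name;
}

// Look the account up; the name is escaped so it cannot alter the filter.
function lookupUser($ldap, string $account): ?array
{
    $filter = '(&(objectCategory=person)(sAMAccountName='
            . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . '))';
    $result = ldap_search($ldap, BASE_DN, $filter, ['displayName', 'sAMAccountName']);
    $found  = $result ? ldap_get_entries($ldap, $result) : false;
    if (!$found || $found['count'] !== 1) {
        return null;                         // no match, or an ambiguous one
    }
    return ['account' => $found[0]['samaccountname'][0],
            'name'    => $found[0]['displayname'][0] ?? $account];
}

$account = accountFromAuthUser($_SERVER['AUTH_USER'] ?? '');
if ($account === null) {
    http_response_code(401);
    exit('No authenticated Windows user was passed by the web server.');
}
$svcUser = getenv('INOUT_LDAP_USER');        // hypothetical read-only service account
$svcPass = getenv('INOUT_LDAP_PASS');
$ldap    = ldap_connect(LDAP_URI);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
// A bind with an empty password can be accepted as an anonymous bind, so refuse it.
if (!$svcUser || !$svcPass || !@ldap_bind($ldap, $svcUser, $svcPass)) {
    http_response_code(500);
    exit('Directory lookup is unavailable.');
}
$user = lookupUser($ldap, $account);
ldap_unbind($ldap);
echo $user ? 'Welcome ' . htmlspecialchars($user['name']) . '!' : 'Account not found.';
```

The service account only needs the default read access mentioned above, so an administrator account is not required for the lookup.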


I have a few more questions for anyone:

The script I posted above works but requires users to log in; our current systems used the local computer's user to authenticate. My question is related to that: can we still use the user logged into the computer to authenticate? Also, do we absolutely have to have Anonymous Authentication disabled? If we do, how do we authenticate? Because with it disabled nothing I can do allows me to see the pages, but rather the message saying that my user isn't authenticated.

Also, we have an Active Directory user that is an administrator account used for our last in out systems. Do we use his user and pass as the LDAP account like how our current system works? Does that account essentially query AD, pulling records that match the current user name logged into a computer? How does this part all work?

If you have any questions because I am sure what I wrote makes little sense, let me know and I will try and clear things up as best as I can.


If you are building a product in PHP on this type of server setup, you need to be sure you're happy with this. It's quite a rare configuration, therefore knowledge, upgrading and support will become difficult. Generally (as @JorgeM points out), ASP.Net is the more common choice for this sort of setup, since the language is designed to work with Windows.

Unlike ASP.NET, I don't think you can use the user logged in to the computer to authenticate in your application. (May be wrong)

In response to the anonymous authentication question, you CAN login anonymously. According to the manual (http://php.net/manual/en/function.ldap-bind.php), just call the function without the username/password parameters.

PHP queries the AD, yes. For a more thorough explanation of LDAP, look at this great article.

For general reference, this article is quite useful. It also mentions using the Zend framework, which contains a specialised library for this, which may be much much easier to work with overall.
