
Accessing Active Directory in PHP using ADLDAP

Lately, our company has started developing user web portals for our clients. The main goal is to provide a central reference point for common links (webmail, helpdesk, remote assistance links … ), howto documents, and other files and resources. A secondary goal was to also allow user administrators to perform basic user management through a web interface. This would include things like disabling/creating/unlocking user accounts, resetting passwords, and modifying group memberships for access reasons. The other admin tasked with setting up this portal and I are most familiar with PHP, so we went off looking for the best means of interfacing with Active Directory through PHP.

Now, you can obviously use PHP’s built-in LDAP support, provided PHP was built --with-ldap. If you’re doing a lot of calls back and forth though, this can get pretty tedious pretty fast. It can also be quite intimidating to someone who is more of a sysadmin than a full-time developer (myself included!). So, abstracting away some of the complexity would be handy. I’m betting there are other systems out there, but for us, adldap was the answer.

Adldap provides an easy-to-use interface for both querying and modifying Active Directory. This post is not meant to be a complete setup guide, but rather just an overview, so here’s the quick summary:

  • Runs on Apache or IIS (although the documentation is a little thin on using IIS)
  • Might require some configuration in your environment to support secure LDAP queries over SSL
  • Incorporates into your PHP pages through a class definition file. Configure the settings in the provided adldap.php file to match your environment, include() it in your php page, initialize an instance of the class ($adldap = new adLDAP();), and you’re ready to go.
  • Allows you to add custom functions by adding to the class definition file.

If some of that sounds scary, don’t worry: It can sound more intimidating than it really is. If you have some reasonable PHP background, just go and check it out and get your feet wet. Like I said: Both myself and the other project contributor are not full-time developers, but we’ve thrown pretty useful AD integration into the portals. Heck, we’ve even started incorporating some AJAX on the site (with some help from Prototype…but that’s another post…) to work with adldap and make the thing pretty slick overall!

One thing that was getting at me a little bit was that I couldn’t just throw a custom ldap query string into adldap and get the results. Part of the abstraction is that you get a set of functions for querying for specific types of information: user_info(), user_delete(), authenticate(), group_create(), etc., but no raw ldap query function. So I checked out how the thing is put together, and I bastardized some of the existing functions to suit my purposes. If you’re familiar with ldap queries, add the following code into your adldap.php class definition file, and you’ve got yourself an easy way of performing custom ldap queries:

function any_info($filter=NULL,$fields=NULL){
    // Written by Hugo Slabbert (JustAnotherSysadmin - https://justanothersysadmin.wordpress.com) from other functions; defaults to root
    // Nothing to search if the class never bound to the directory
    if (!$this->_bind){ return (false); }
    // Default filter: domain objects other than the base DN itself
    if ( $filter==NULL ){ $filter="(&(objectclass=domainDNS)(!(distinguishedname=" . $this->_base_dn . ")))"; }
    // Default attribute list returned for each matching object
    if ($fields==NULL){ $fields=array("name","cn","displayname","dn"); }
    $sr=ldap_search($this->_conn,$this->_base_dn,$filter,$fields);
    // ldap_search() returns false on a malformed filter or a server error; don't hand that to ldap_get_entries()
    if ($sr===false){ return (false); }
    $entries = ldap_get_entries($this->_conn, $sr);

    return ($entries);
}

If you do use the code snippet, I just ask that you keep the comments intact. I don’t mind sharing, but I’d like a little bit of the credit!

When you use the any_info() function above, it takes two parameters: your ldap query ($filter), and an array of which attributes you wish to return for the objects that match your query ($fields). If you leave the second parameter blank, the default attributes of name, cn (canonical name), display name, and dn (distinguished name) will be returned.
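As an added example (not code from the original post or from the adLDAP project), here is how a portal page might call any_info() once adldap.php has been included and the class instantiated as described above. It shows two things the description alone does not: the login name comes from the request, so it is passed through ldap_escape() before it goes into the filter, which keeps filter metacharacters in the input from changing the structure of the query; and the second lookup uses Active Directory’s bitwise matching rule on userAccountControl to list disabled accounts, the kind of query the portal’s user-management features need. It assumes the class file is named adldap.php in the same directory and that any_info() has been added to the class; ldap_escape() needs PHP 5.6 or later and the type declarations need PHP 7.1 or later.

```php
<?php
// Added example: calling any_info() from a portal page. Not part of the
// original post or of adLDAP itself. Assumes adldap.php sits beside this
// script and already contains the any_info() method.
require_once __DIR__ . '/adldap.php';

/**
 * Look up one user by login name.
 *
 * $login is untrusted (it comes from the request), so it is escaped with
 * LDAP_ESCAPE_FILTER, which encodes * ( ) \ and NUL so they are matched
 * literally instead of being read as part of the filter syntax.
 */
function find_user(adLDAP $ad, string $login): ?array
{
    if ($login === '') {
        return null;
    }
    $safe   = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=' . $safe . '))';
    $fields = ['samaccountname', 'displayname', 'mail', 'useraccountcontrol', 'dn'];

    $entries = $ad->any_info($filter, $fields);
    // false: no bind or failed search; count != 1: no unique match
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    return $entries[0];
}

/**
 * List disabled accounts: bit 2 (ACCOUNTDISABLE) of userAccountControl set.
 * 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule,
 * so this filter matches any object whose UAC value has that bit set.
 */
function list_disabled_users(adLDAP $ad): array
{
    $filter  = '(&(objectCategory=person)(objectClass=user)'
             . '(userAccountControl:1.2.840.113556.1.4.803:=2))';
    $entries = $ad->any_info($filter, ['samaccountname', 'displayname']);

    $out = [];
    if ($entries === false) {
        return $out;
    }
    // ldap_get_entries() lower-cases attribute names and wraps each value
    // list in an array with its own 'count' key.
    for ($i = 0; $i < $entries['count']; $i++) {
        $out[] = [
            'login' => $entries[$i]['samaccountname'][0] ?? '',
            'name'  => $entries[$i]['displayname'][0] ?? '',
        ];
    }
    return $out;
}

// Usage: settings (server, base DN, bind account) come from adldap.php.
$adldap = new adLDAP();

$user = find_user($adldap, $_GET['login'] ?? '');
if ($user === null) {
    echo "No unique match\n";
} else {
    // Escape on output as well: directory attributes are rendered into HTML.
    echo htmlspecialchars($user['displayname'][0] ?? '', ENT_QUOTES, 'UTF-8'), "\n";
}

foreach (list_disabled_users($adldap) as $row) {
    echo htmlspecialchars($row['login'] . ' - ' . $row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The escaping matters because any_info() deliberately takes a raw filter string: it gives you the flexibility the built-in helpers lack, but it also means every value you splice into that string has to be treated as data, not syntax. The bitwise-rule query also shows why a raw filter is useful at all; none of the stock helpers expose that kind of attribute-level query directly.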

So, go ahead! Try it out! Let me know if it works for you and what doesn’t. I do have two final recommendations, though:

  1. If you run into technical difficulties getting adldap running properly, you’re probably better off going through their actual support (forums, documentation, etc.) than posting requests here. I’ve used the system, but I’m betting you will get way better support from the actual devs!
  2. Remember that the point of this tool is to enable access to your Active Directory through a web interface. Secure your web app accordingly! Putting powerful tools on the web is great, but realize that you are doing just that: Putting POWERFUL tools on the web! You are the best judge (hopefully!) of what suits your organization.

Happy coding!

Bitcoin tip address for this post: 13344S6vTAmrM5De7DermysvN6UE3QDSzb

  1. Rafael
    2012-08-09 at 06:14

    Hello, okay?

    I saw that you were working on a project with adLDAP (http://adldap.sourceforge.net). Have you completed this project? Do you have any examples that you can send me?

    Att.

    • 2012-08-19 at 11:43

      Hi Rafael,

      I’m not the author of adLDAP overall. The portal we were working on was sidelined by other projects and ended up being shelved, and I’ve actually moved on from that company since. Were you asking about examples from that portal or from adLDAP? If the former, then I no longer have access to that code, and that was all for internal use and not really something I can release at any rate. If the latter, then probably checking out adLDAP’s forums is a better bet.

      JaS
