Asked  7 Months ago    Answers:  5   Viewed   41 times

I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Anyone had done anything similar, with success?

  • Edit: I'd prefer a library/class with code that's ready to go... It'd be silly to invent the wheel when someone has already done so.

 Answers

16

Importing a whole library seems inefficient when all you need is essentially two lines of code...

<?php
$ldap = ldap_connect("ldap.example.com");
// Active Directory only accepts LDAPv3 binds; PHP defaults to version 2.
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// An empty password makes ldap_bind() perform an anonymous bind, which AD
// accepts, so an empty password must count as a failed login.
if ($_POST['password'] !== '' && ($bind = ldap_bind($ldap, $_POST['username'], $_POST['password']))) {
  // log them in!
} else {
  // error message
}
Wednesday, March 31, 2021
 
Novalirium
answered 7 Months ago
31

You have to explicitly tell the LDAP client to ignore untrusted certificates. You can do so by adding the following to your ldap.conf file:

TLS_REQCERT never

This solution is not the preferred one, though. You should add the required CA root to your client and ensure that the certificate is correctly generated with the server's name in it (and, if my memory serves me right, the complete CA chain); otherwise nothing would stop someone from performing a MITM attack.

Wednesday, March 31, 2021
 
Hilmi
answered 7 Months ago
11

As you run it from the server itself, and you just want to read, I would try to use:

...
if(ldap_bind($ldap))
...

According to the PHP documentation, if bind_rdn and bind_password are not specified, an anonymous bind is attempted.

Then, if your anonymous logon is refused (this should not happen, because running under IIS on the server your code is at least executed as a domain user), you will find there how to enable anonymous LDAP binds to Windows Server. This used to work for me on W2K8; I never tested it on W2K12.

Saturday, May 29, 2021
 
BrunoRamalho
answered 5 Months ago
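Pulling the three answers above together as one added example (my code, not from any answer or from adLDAP): a PHP helper that binds as the user over LDAPS with certificate verification instead of "TLS_REQCERT never", refuses the empty password that would silently turn the bind into the anonymous bind described above, and escapes the username before searching the directory. The host ad.example.com, the UPN suffix example.com and the base DN DC=example,DC=com are assumed.

```php
<?php
// Added example, not from the answers above. Assumed: AD host ad.example.com,
// UPN suffix example.com, base DN DC=example,DC=com.
function ad_authenticate(string $username, string $password): ?array
{
    // Empty credentials make ldap_bind() do an anonymous/unauthenticated bind,
    // which AD accepts, so refuse them before touching the directory.
    if ($username === '' || $password === '') {
        return null;
    }
    // The bind name is built as <user>@example.com; disallow characters that
    // would let the caller supply a different suffix or a DN instead.
    if (strpbrk($username, "@\\/,=") !== false) {
        return null;
    }

    $ldap = ldap_connect('ldaps://ad.example.com:636');
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires LDAPv3
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);          // no chasing into other domains
    // Verify the server certificate (the opposite of "TLS_REQCERT never");
    // the issuing CA must be in the client's trust store for this to succeed.
    if (defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
        ldap_set_option($ldap, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    }

    // Authenticate by binding as the user; a failed bind is a failed login.
    if (!@ldap_bind($ldap, $username . '@example.com', $password)) {
        ldap_unbind($ldap);
        return null;
    }

    // Fetch the user's own entry; ldap_escape() stops LDAP filter injection.
    $safe    = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter  = "(&(objectClass=user)(sAMAccountName={$safe}))";
    $res     = ldap_search($ldap, 'DC=example,DC=com', $filter, ['distinguishedName', 'memberOf']);
    $entries = $res ? ldap_get_entries($ldap, $res) : ['count' => 0];
    ldap_unbind($ldap);
    if ($entries['count'] !== 1) {
        return null;
    }
    $groups = $entries[0]['memberof'] ?? ['count' => 0];
    unset($groups['count']);                                 // drop PHP's count key
    return ['dn' => $entries[0]['distinguishedname'][0], 'groups' => array_values($groups)];
}
```

Call it as ad_authenticate($_POST['username'], $_POST['password']) and treat a null return as a failed login; the returned DN and group list are what an authorization check would use.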
37

I've gone through many more articles on the net and finally found the solution in Bonitasoft's Q&A: JAAS config for Active Directory LDAP

JAAS Config:

AESLogin_ADx {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    userProvider="ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw"
    authIdentity="{USERNAME}@rdl.com.tw"
    userFilter="(&(|(samAccountName={USERNAME})(userPrincipalName={USERNAME})(cn={USERNAME}))(objectClass=user))"
    useSSL=false
    debug=true;
};

Result:

[LdapLoginModule] authentication-first mode; SSL disabled
[LdapLoginModule] user provider: ldap://192.168.0.81:389/CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] attempting to authenticate user: ahsieh
[LdapLoginModule] searching for entry belonging to user: ahsieh
[LdapLoginModule] found entry: CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added LdapPrincipal "CN=Arthur Hsieh,CN=Users,DC=rdl,DC=com,DC=tw" to Subject
[LdapLoginModule] added UserPrincipal "ahsieh" to Subject
Wednesday, August 18, 2021
 
vcsjones
answered 2 Months ago
97

1) Is it reasonable to combine AD authorization with JWT as bearer token or what is the preferred way to build a secure backend + frontend utilizing AD for authentication?

It is reasonable, but if you are already using Kerberos and AD to initially authenticate the user, you might consider using s4u2proxy constrained delegation, which allows the service to present the user's service ticket to the KDC and acquire (subject to authorisation checks) a ticket for a backend service (and repeat for as many services as are necessary).

If you have a lot of backend services that need to be contacted, a single JWT bearing all the authorization claims needed for all the services to enforce authorization policy may be a better option.

2) If JWT is a good idea, what is the best practice for securing endpoints using JWT? Is using a server side session reasonable?

General key security practices apply:

  • Never store keys in the clear in non-volatile storage, anywhere.
  • Ideally do not store encrypted keys in attached storage on the server where, if the server is compromised, they would be subject to offline attack. Make them available to the host only at server startup.
  • Ensure key material resides in secure memory so that it cannot be swapped to disk (and/or use encrypted swap).
  • Use public key algorithms so that no secret key need exist on multiple hosts.
  • Consider using a hardware security module (HSM).
Friday, September 10, 2021
 
Hexaholic
answered 2 Months ago