It took me a while to get LDAP auth working with Yii, so I am writing it down here; maybe it can be of some use.
Yii does not have an LDAP class of its own, but you can extend it, for example with the Zend classes. To authenticate users on your page via LDAP, change protected/components/UserIdentity.php in the following way:
On top of the file add:
    Yii::import('application.vendors.*');
    require_once('Zend/Ldap.php');
Delete or comment out everything in the authenticate() function. Then add:
    // Connection settings for the directory server
    $options = array(
        'host' => 'your.ldap.host.com',
        'username' => 'your_admin_users_username',
        'password' => 'your_admin_users_password',
        'baseDn' => 'your_base_dn',
        'useStartTls' => true, # if you need startTls
    );
    $ldap = new Zend_Ldap($options);
    try {
        // Bind as the user who is logging in; a failed bind throws an exception
        $ldap->bind("cn=".$this->username.",your_base_dn", $this->password);
        $auth = true;
    }
    catch (Exception $e) {
        $auth = false;
    }
    if ($auth === true)
    {
        $this->errorCode = self::ERROR_NONE;
    }
    // On failure errorCode keeps its non-zero default, so this returns false
    return !$this->errorCode;
For this to work you need Exception.php, Ldap.php and the Ldap folder from the library folder of a Zend installation, placed in the folder protected/vendors/Zend.
okay
Yes, it works.
FYI, LDAP server configuration may vary; I use uid instead of cn.
    $ldap->bind("uid=".$this->username.",ou=People,dc=blahblah,dc=com", $this->password);
thanks!
adLDAP
You guys should take a look at this:
http://adldap.sourceforge.net/
I've done the same thing with 6 lines of code. Couldn't be simpler! :)
Why not use php ldap internal functions instead of zend's?
If it is just for validation you can as well use the native LDAP functions of PHP without having to download/extract classes from another framework (and without exposing the admin passwd of the LDAP server).
I have something along the line of the following (wrapped conveniently on a try/catch block in case the ldap connection cannot be established) working for about 1 year with no problem:
    $ds=ldap_connect($serverURL);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if ($ds) {
        $r=ldap_bind($ds,"uid=$this->username,ou=Users,dc=example,dc=com",$this->password);
        if (!$r) {
            $this->errorCode=self::ERROR_PASSWORD_INVALID;
        } else {
            $this->errorCode=self::ERROR_NONE;
        }
    }
    return !$this->errorCode;
Thank you very much
I was just looking for this and this worked like a charm!
Thank you.
ldap_connect error ()
I generated the following error: Fatal error: Call to undefined function ldap_connect()
What extension or library should I include?
urgent help please! = D
fact identical to the example code
@Navarr
thanks for your reply, as I php_ldap.dll or php_ldap.so? where I can get in that directory and go?
@Navarr
Should uncomment the following line: Before Code ;extension = php_ldap.dll
Rate Code: extension = php_ldap.dll
only, or should I see other extensions that I have to move?
@Navarr
help...
I generated the following error:
ldap_bind() [function.ldap-bind]: Unable to bind to server: Invalid credentials
Active Directory
If you use Active Directory then:
In UserIdentity.php
    public function authenticate()
    {
        $options = Yii::app()->params['ldap'];
        $connection = ldap_connect($options['host'], $options['port']);
        ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($connection, LDAP_OPT_REFERRALS, 0);
        if($connection)
        {
            try
            {
                @$bind = ldap_bind($connection, $options['domain']."\\".$this->username, $this->password);
            }
            catch (Exception $e){
                echo $e->getMessage();
            }
            if(!$bind) $this->errorCode = self::ERROR_PASSWORD_INVALID;
            else $this->errorCode = self::ERROR_NONE;
        }
        return !$this->errorCode;
    }
main.php
    'params'=>array(
        'ldap' => array(
            'host' => 'serverAd.example.com',
            'port' => 389,
            'domain' => 'MYDOMAIN',
        ),
    ),
adLDAP
I am trying to use adLDAP but I am having errors. Can you provide more information about how to use it?
Active Directory
@Ace D.
This worked for me!!
    $bind = @ldap_bind($connection, $this->username."@".$options['domain'], $this->password);
Error validation
It works for me if I log in with the right username and password, but if I log in with a wrong password I get an error:
ldap_bind() [<a href='function.ldap-bind'>function.ldap-bind</a>]: Unable to bind to server: Invalid credentials
How do I return/redirect to the login form to validate username and password?
@Finzaiko
You need to silence the ldap_bind error by prefixing it with a @. I've amended the article to reflect that.
Note: in general this is a bad thing to do, but in this case it may be necessary. Ldap should really be re-worked into some sort of an object resource that throws exceptions instead of errors.
Two-step login
Note that there are systems and LDAP configurations which require a two-step login approach, in which you don't construct your own DN!
First, you bind anonymously, by specifying only
    $bind = @ldap_bind($connection);
Then you search for a given username (using ldap_search). This search will return you a valid user's DN (or NULL, if the particular user does not exist).
Second, using returned LDAP you issue another ldap_bind, this time attempting to actually log the user in.
Question about authorization manager after successfully authenticating (with LDAP)
Hi, firstly thank you for this tutorial. My question is about authorization. If I want to have a few different levels based on the group membership of the users (who successfully login - authentication with LDAP as per your tutorial), what steps should I follow? I'm using gii and giix to generate my CRUD forms and then making changes to fit my requirements. Thank you
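The two-step login described in the comments above (anonymous bind, search for the user's DN, then bind as that DN), as an added example that is not part of the article or of any comment. The function name, the `uid` attribute, the mandatory StartTLS and the arguments passed in are assumptions; it needs PHP's ldap extension with `ldap_escape()` (PHP 5.6 or later).

```php
<?php
// Added example; URI, base DN and the uid attribute are supplied by the caller
// and are assumptions, not values from the article.
function ldapTwoStepLogin($uri, $baseDn, $username, $password)
{
    // A simple bind with a DN and an empty password is an "unauthenticated
    // bind" (RFC 4513) that many servers accept, so never forward one.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($uri);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    $ok = false;
    // StartTLS first, so the password in step 2 is not sent in clear text.
    // Step 1: anonymous bind, used only to look the user up.
    if (@ldap_start_tls($conn) && @ldap_bind($conn)) {
        // Escape the user-supplied name before placing it in the filter.
        $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $result = @ldap_search($conn, $baseDn, $filter, array('uid'), 0, 2);
        $entries = $result ? ldap_get_entries($conn, $result) : false;
        // Exactly one match is required; zero or several means no login.
        if ($entries && $entries['count'] === 1) {
            // Step 2: bind as the DN the directory returned.
            $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
        }
    }
    ldap_unbind($conn);
    return $ok;
}
```

In UserIdentity::authenticate() the boolean result maps to self::ERROR_NONE or self::ERROR_PASSWORD_INVALID, as in the snippets above.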