
PHP Library to Connect to LDAP Server

This article describes a simple PHP library for connecting to an LDAP server and manipulating the user entries stored in it: adding, updating, changing the password of, and deleting a user account. To use the library, include it in whichever script performs the manipulation.


Initialization

Here is the initialization section for connecting to an LDAP server.

$cfg['ldap_host']           = '192.168.1.1';
$cfg['ldap_baseDN']         = 'cn=people,dc=company,dc=com';
$cfg['ldap_manager_user']   = 'cn=root,dc=company,dc=com';
$cfg['ldap_manager_pwd']    = '12345';
 

ldap_host is the host name or IP address of the LDAP server (PHP also accepts a URI such as ldaps://host:636, which is the form to use in production so that the manager password and the user data are not sent in clear text over port 389). ldap_baseDN is the base distinguished name under which the user entries live; the functions below create, modify and delete entries directly beneath it. ldap_manager_user and ldap_manager_pwd are the DN and password of an account that is allowed to manipulate other users' entries. The example uses the directory's root DN; a delegated account whose write access is limited to the people subtree is the better choice, and its password should not live in a source file that may be served or committed. Note that the array keys must be quoted strings ('ldap_host', not ldap_host): unquoted keys rely on a deprecated constant fallback that is an error in PHP 8. Replace the values above to match your own LDAP server.
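The four functions in this article each repeat the same connect-and-bind sequence. The following is an added example, not part of the original library, of a shared helper that does it once with the settings a practitioner would want: an ldaps:// URI, LDAPv3, a network timeout, no referral chasing with the admin credentials, and a DN builder that escapes the login name. The $cfg keys ldap_host, ldap_baseDN, ldap_manager_user and ldap_manager_pwd are the article's own; ldap_starttls, ldap_timeout, the delegated account DN, the environment variable and the function names are assumptions.

```php
<?php
// Added example, not the original library's code. Shared connect-and-bind
// helper with the hardening the article's functions leave out.

$cfg['ldap_host']          = 'ldaps://192.168.1.1:636';   // URI form: TLS on 636 instead of clear text on 389
$cfg['ldap_baseDN']        = 'cn=people,dc=company,dc=com';
$cfg['ldap_manager_user']  = 'cn=useradmin,ou=services,dc=company,dc=com'; // assumed: delegated account, not the root DN
$cfg['ldap_manager_pwd']   = getenv('LDAP_MANAGER_PWD');  // assumed: secret read from the environment
$cfg['ldap_starttls']      = false;  // assumed: set true when using ldap:// on 389 and the server offers StartTLS
$cfg['ldap_timeout']       = 5;      // assumed: seconds before an unreachable host fails the bind

/**
 * Open a connection, force LDAPv3, optionally upgrade with StartTLS and bind
 * as the manager. Returns the connection handle or throws.
 */
function ldapBind(array $cfg)
{
    // An empty bind password is an anonymous bind, which "succeeds" and then
    // fails on the first write with a confusing error. Refuse it up front.
    if ($cfg['ldap_manager_pwd'] === false || $cfg['ldap_manager_pwd'] === '') {
        throw new RuntimeException("LDAP manager password is not set");
    }

    $conn = ldap_connect($cfg['ldap_host']);
    if ($conn === false) {
        // only a malformed host/URI fails here; the socket is opened at bind time
        throw new RuntimeException("Malformed LDAP host: " . $cfg['ldap_host']);
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);   // servers commonly refuse LDAPv2 binds
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);          // never follow referrals with admin credentials
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, $cfg['ldap_timeout']);

    if ($cfg['ldap_starttls'] && !ldap_start_tls($conn)) {
        $err = ldap_error($conn);
        ldap_close($conn);
        throw new RuntimeException("StartTLS failed: " . $err);
    }
    if (!@ldap_bind($conn, $cfg['ldap_manager_user'], $cfg['ldap_manager_pwd'])) {
        $err = ldap_error($conn);
        ldap_close($conn);
        throw new RuntimeException("Bind failed: " . $err);
    }
    return $conn;
}

/**
 * Build the entry DN for a login. ldap_escape() (PHP >= 5.6) neutralises
 * ',' '+' '=' and friends, so a login such as "bob,ou=admins" cannot move
 * the entry to another part of the tree.
 */
function userDN(array $cfg, $login)
{
    return "cn=" . ldap_escape($login, "", LDAP_ESCAPE_DN) . "," . $cfg['ldap_baseDN'];
}

// usage (assumed caller):
//   $conn = ldapBind($cfg);
//   $ok = @ldap_delete($conn, userDN($cfg, $login));
//   ldap_close($conn);
```

With this helper each of the library's functions reduces to a bind, one directory operation and a close; the error handling and TLS settings then live in one place instead of four.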

Adding A New User Account

Here is the function to add a new user account:

function addUser($login, $pass, $profil = array())
{
    global $cfg;

    $ldapconn = ldap_connect($cfg['ldap_host']);
    if (!$ldapconn)
    {
        // ldap_connect() only fails on a malformed host/URI; the real
        // network connection is made by the first operation, the bind
        return "Error: could not initialise LDAP connection to " . $cfg['ldap_host'];
    }
    // most directories reject LDAPv2 binds
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    $username = $cfg['ldap_manager_user'];
    $password = $cfg['ldap_manager_pwd'];

    if (@ldap_bind($ldapconn, $username, $password))
    {
        // optional extra attributes supplied by the caller (non-empty only)
        $info = array();
        foreach ($profil as $key => $value)
        {
            if ($value)
                $info[$key] = $value;
        }

        $info["cn"] = $login;
        $info["sn"] = $login;
        $info["uid"] = $login;

        // {MD5} scheme: base64 of the raw 16-byte digest, not of the hex string
        $pwd_md5 = base64_encode(pack("H*", md5($pass)));
        $info["userpassword"] = "{MD5}" . $pwd_md5;
        $info["objectclass"] = "inetOrgPerson";

        // escape $login so it cannot inject extra RDN components into the DN
        $dn = "cn=" . ldap_escape($login, "", LDAP_ESCAPE_DN) . "," . $cfg['ldap_baseDN'];

        // add data to directory
        if (@ldap_add($ldapconn, $dn, $info))
            $s = "OK";
        else
            $s = "Error: " . ldap_error($ldapconn);
    }
    else
    {
        $s = "Error: " . ldap_error($ldapconn);
    }

    ldap_close($ldapconn);
    return $s;
}
 

First we call ldap_connect() with the address of the LDAP server. With the OpenLDAP client library this call does not open a socket: it only validates the host (or URI) and prepares the handle, so it returns false only for a malformed parameter, and the real network connection happens at the first operation, the bind. An or die() check on ldap_connect() therefore never catches an unreachable server; the function should return an error message instead of exiting, and should set the protocol version to 3 because most servers refuse LDAPv2 binds.

Next we bind with ldap_bind(), which takes the connection handle and the manager's DN and password. If the bind fails, the function returns the server's error message.

If the bind succeeds, we build the new entry in the $info array: cn, sn and uid are all set to the login name, any non-empty attributes passed in $profil are copied in, the password is prepared, and objectclass is set to inetOrgPerson (which requires cn and sn). Then ldap_add() is called with three parameters: the connection handle, the DN of the new entry ("cn=$login" followed by a comma and the base DN), and the $info array. $login comes from user input, so it should be passed through ldap_escape() with LDAP_ESCAPE_DN before being placed in the DN; otherwise a login containing "," or "=" can create the entry somewhere else in the tree.

The password must be prepared as base64_encode(pack("H*", md5($pass))). The {MD5} scheme expects the base64 encoding of the raw 16-byte digest; md5() on its own returns the digest as a 32-character hex string, and storing that (or its base64 encoding) gives the server a different value, so the user's logins would never match. Note that {MD5} is unsalted and fast to brute-force: if the directory supports it, prefer {SSHA}, or let the server hash the password itself.

If the addition succeeds the function returns "OK", otherwise the server's error message. In every case the connection is closed with ldap_close() before returning.
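Both this section and the password-change section below say that md5() alone "will not match" without showing what the server actually compares. The following is an added example, not the article's own code, that builds the {MD5} value the way addUser() and pwdUser() do, shows that a hex-then-base64 value fails, adds a salted {SSHA} alternative, and verifies a plaintext against a stored value the way the directory does at bind time. It runs offline; the function names, the 8-byte salt length and the sample password are assumptions.

```php
<?php
// Added example, not the article's library. Builds and verifies
// userPassword values in the {MD5} and {SSHA} schemes without a server.

// {MD5}: base64 of the raw 16-byte digest. md5($pass, true) returns the same
// bytes as the article's pack("H*", md5($pass)).
function ldapMd5($pass)
{
    return "{MD5}" . base64_encode(md5($pass, true));
}

// {SSHA}: base64( sha1(password . salt) . salt ). The salt is random per
// password, so two users with the same password store different values.
function ldapSsha($pass, $salt = null)
{
    if ($salt === null) {
        $salt = random_bytes(8);   // PHP 7+; 8 bytes is an assumed length, the scheme accepts any
    }
    return "{SSHA}" . base64_encode(sha1($pass . $salt, true) . $salt);
}

// Check a plaintext against a stored userPassword of either scheme.
function ldapPasswordMatches($stored, $pass)
{
    if (!preg_match('/^\{([A-Z0-9]+)\}(.+)$/', $stored, $m)) {
        return false;                         // no scheme prefix: not handled here
    }
    $blob = base64_decode($m[2], true);
    if ($blob === false) {
        return false;                         // not valid base64
    }
    switch ($m[1]) {
        case 'MD5':
            // a hex-then-base64 value decodes to 32 bytes and fails here
            return strlen($blob) === 16 && hash_equals($blob, md5($pass, true));
        case 'SSHA':
            if (strlen($blob) <= 20) {
                return false;                 // must hold a 20-byte digest plus salt
            }
            $digest = substr($blob, 0, 20);
            $salt   = substr($blob, 20);
            return hash_equals($digest, sha1($pass . $salt, true));
        default:
            return false;                     // unknown scheme
    }
}

// Constructed self-check: returns true when every case behaves as described.
function selfTest()
{
    $pass = "s3cret";                         // constructed sample
    $ok = ldapPasswordMatches(ldapMd5($pass), $pass);
    $ok = $ok && !ldapPasswordMatches(ldapMd5($pass), "wrong");
    // the mistake the article warns about: base64 of the 32-char hex string
    $ok = $ok && !ldapPasswordMatches("{MD5}" . base64_encode(md5($pass)), $pass);
    $ok = $ok && ldapPasswordMatches(ldapSsha($pass), $pass);
    $ok = $ok && !ldapPasswordMatches(ldapSsha($pass), "wrong");
    // two hashes of the same password differ because of the salt
    $ok = $ok && ldapSsha($pass) !== ldapSsha($pass);
    return $ok;
}
```

Swapping ldapSsha() for the {MD5} line in addUser() and pwdUser() is a one-line change on the client side; the directory decides which schemes it accepts on bind, so check its configuration before switching.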

Updating User Account

Here is the function to update user profile:

function editUser($login, $profil)
{
    global $cfg;

    $ldapconn = ldap_connect($cfg['ldap_host']);
    if (!$ldapconn)
    {
        return "Error: could not initialise LDAP connection to " . $cfg['ldap_host'];
    }
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // bind
    $username = $cfg['ldap_manager_user'];
    $password = $cfg['ldap_manager_pwd'];

    if (@ldap_bind($ldapconn, $username, $password))
    {
        // prepare data: every listed attribute is sent, so an empty
        // value becomes the placeholder "n/a" rather than an empty string
        $info = array();
        foreach ($profil as $key => $value)
        {
            if ($value)
                $info[$key] = $value;
            else
                $info[$key] = "n/a";
        }

        $info["sn"] = $login;
        $info["uid"] = $login;
        $info["objectclass"] = "inetOrgPerson";

        $dn = "cn=" . ldap_escape($login, "", LDAP_ESCAPE_DN) . "," . $cfg['ldap_baseDN'];

        // replace the listed attributes on the entry
        if (@ldap_modify($ldapconn, $dn, $info))
            $s = "OK";
        else
            $s = "Error: " . ldap_error($ldapconn);
    }
    else
    {
        $s = "Error: " . ldap_error($ldapconn);
    }

    ldap_close($ldapconn);
    return $s;
}

Connecting and binding proceed exactly as in addUser(): ldap_connect() prepares the handle, ldap_bind() authenticates as the manager, and a failed bind returns the server's error message.

If the bind succeeds, we iterate over $profil, copying each non-empty value into $info under the same key. An empty value is replaced by the placeholder "n/a", because every key in $info is sent to the server and most attribute syntaxes do not accept an empty string; to actually remove an attribute, ldap_mod_del() has to be used instead.

Next, sn and uid are set to $login and objectclass to inetOrgPerson, so these attributes are re-asserted on every update. cn is left alone because it forms the entry's RDN; renaming an entry needs ldap_rename(), not ldap_modify().

Then we call ldap_modify(). This function takes three parameters: the connection handle, the DN of the entry to modify ("cn=$login" followed by a comma and the base DN, with $login escaped as in addUser()), and the $info array. ldap_modify() replaces the attributes listed in $info and leaves every other attribute of the entry untouched.

If the modification succeeds the function returns "OK", otherwise the server's error message, and the connection is closed with ldap_close() in either case.
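Writing "n/a" into the directory whenever a form field is blank leaves junk in attributes that other systems read. The following is an added example, not part of the article's library, that updates only the attributes a caller supplies, removes the ones the caller cleared, and ignores everything outside an allow-list so a profile form cannot overwrite uid, objectclass or userPassword. It uses the article's $cfg keys and cn=<login>,<baseDN> layout; the attribute allow-list and the function names are assumptions.

```php
<?php
// Added example, not the original library. Profile update that replaces
// supplied attributes, deletes cleared ones and never writes placeholders.

// attributes an ordinary profile update may touch (assumed list);
// cn, sn, uid, objectclass and userpassword are deliberately excluded
$EDITABLE = array('givenname', 'mail', 'telephonenumber', 'title', 'description');

// Split the submitted profile into a replace set and a delete set.
function buildProfileOps(array $profil, array $editable)
{
    $replace = array();
    $delete  = array();
    foreach ($profil as $key => $value) {
        $key = strtolower($key);
        if (!in_array($key, $editable, true)) {
            continue;                       // outside the allow-list: ignore
        }
        if ($value === '' || $value === null) {
            $delete[$key] = array();        // empty value array = remove every value of the attribute
        } else {
            $replace[$key] = $value;
        }
    }
    return array($replace, $delete);
}

function updateProfile(array $cfg, $login, array $profil)
{
    global $EDITABLE;
    list($replace, $delete) = buildProfileOps($profil, $EDITABLE);

    $conn = ldap_connect($cfg['ldap_host']);
    if (!$conn) {
        return "Error: malformed LDAP host";
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($conn, $cfg['ldap_manager_user'], $cfg['ldap_manager_pwd'])) {
        $err = ldap_error($conn);
        ldap_close($conn);
        return "Error: " . $err;
    }
    $dn = "cn=" . ldap_escape($login, "", LDAP_ESCAPE_DN) . "," . $cfg['ldap_baseDN'];

    $ok = true;
    if ($replace && !@ldap_mod_replace($conn, $dn, $replace)) {
        $ok = false;
    }
    if ($ok && $delete) {
        // deleting an attribute the entry does not have is an error
        // (noSuchAttribute), so read the entry first and delete only what exists
        $sr = @ldap_read($conn, $dn, "(objectClass=*)", array_keys($delete));
        $entries = $sr ? ldap_get_entries($conn, $sr) : false;
        $present = array();
        if ($entries && $entries['count'] > 0) {
            foreach (array_keys($delete) as $attr) {
                if (isset($entries[0][$attr])) {   // ldap_get_entries() lower-cases attribute names
                    $present[$attr] = array();
                }
            }
        }
        if ($present && !@ldap_mod_del($conn, $dn, $present)) {
            $ok = false;
        }
    }
    $s = $ok ? "OK" : "Error: " . ldap_error($conn);
    ldap_close($conn);
    return $s;
}

// usage (assumed caller): updateProfile($cfg, 'alice', array('mail' => 'a@company.com', 'title' => ''));
```

The replace and delete are two separate operations rather than one atomic modification; for a single round trip with mixed operations, ldap_modify_batch() is the call to use.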

Change User’s Password

Here is the function to change user’s password:

function pwdUser($login, $pass)
{
    global $cfg;

    $ldapconn = ldap_connect($cfg['ldap_host']);
    if (!$ldapconn)
    {
        return "Error: could not initialise LDAP connection to " . $cfg['ldap_host'];
    }
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    $username = $cfg['ldap_manager_user'];
    $password = $cfg['ldap_manager_pwd'];

    if (@ldap_bind($ldapconn, $username, $password))
    {
        // {MD5} scheme: base64 of the raw digest, not of the hex string
        $pwd_md5 = base64_encode(pack("H*", md5($pass)));
        $info["userpassword"] = "{MD5}" . $pwd_md5;

        $dn = "cn=" . ldap_escape($login, "", LDAP_ESCAPE_DN) . "," . $cfg['ldap_baseDN'];

        // replace only the password attribute on the entry
        if (@ldap_modify($ldapconn, $dn, $info))
            $s = "OK";
        else
            $s = "Error: " . ldap_error($ldapconn);
    }
    else
    {
        $s = "Error: " . ldap_error($ldapconn);
    }

    ldap_close($ldapconn);
    return $s;
}

Connecting and binding proceed exactly as in addUser(): ldap_connect() prepares the handle, ldap_bind() authenticates as the manager, and a failed bind returns the server's error message.

If the bind succeeds, the password is prepared exactly as in addUser(): $pwd_md5 = base64_encode(pack("H*", md5($pass))) produces the base64 encoding of the raw digest that the {MD5} scheme requires; using md5() alone stores the hex string and the user will no longer be able to log in. The $info array then holds a single key, "userpassword", with the value "{MD5}".$pwd_md5.

Then we call ldap_modify(). This function takes three parameters: the connection handle, the DN of the entry to modify ("cn=$login" followed by a comma and the base DN, with $login escaped as in addUser()), and the $info array. Because only "userpassword" is listed, every other attribute of the entry is left untouched.

If the modification succeeds the function returns "OK", otherwise the server's error message, and the connection is closed with ldap_close() in either case. This approach hashes on the client and binds as the manager for every change; where the server supports the Password Modify extended operation, letting the server hash the password is the stronger option.
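The function above needs the manager credentials for every password change and fixes the hash scheme in client code. The following is an added example, not the article's own code, that uses the LDAP Password Modify extended operation (RFC 3062) through ldap_exop_passwd(), available since PHP 7.2: the server hashes with its own configured scheme and applies its password policy. In self-service mode the user binds as themselves with the old password, so the web application needs no manager credentials for this operation at all; an administrative reset with the manager account is shown beside it. The $cfg keys and the cn=<login>,<baseDN> layout are the article's; the function names are assumptions.

```php
<?php
// Added example, not the original library. Password change via the
// Password Modify extended operation instead of a client-side hash.

function userDN(array $cfg, $login)
{
    return "cn=" . ldap_escape($login, "", LDAP_ESCAPE_DN) . "," . $cfg['ldap_baseDN'];
}

function openConn(array $cfg)
{
    $conn = ldap_connect($cfg['ldap_host']);
    if ($conn) {
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    }
    return $conn;
}

// Self-service: the user proves the old password at bind time and again
// inside the extended request, so the server refuses if either is wrong.
function changeOwnPassword(array $cfg, $login, $oldPass, $newPass)
{
    if ($oldPass === '' || $newPass === '') {
        // an empty bind password is an anonymous bind, which "succeeds"
        return "Error: empty password";
    }
    $conn = openConn($cfg);
    if (!$conn) {
        return "Error: malformed LDAP host";
    }
    $dn = userDN($cfg, $login);
    if (!@ldap_bind($conn, $dn, $oldPass)) {
        $s = "Error: " . ldap_error($conn);
    } elseif (@ldap_exop_passwd($conn, $dn, $oldPass, $newPass) === true) {
        $s = "OK";
    } else {
        $s = "Error: " . ldap_error($conn);
    }
    ldap_close($conn);
    return $s;
}

// Administrative reset with the manager account. Passing an empty new
// password asks the server to generate one, which it returns as a string.
function resetPassword(array $cfg, $login, $newPass = '')
{
    $conn = openConn($cfg);
    if (!$conn) {
        return "Error: malformed LDAP host";
    }
    if (!@ldap_bind($conn, $cfg['ldap_manager_user'], $cfg['ldap_manager_pwd'])) {
        $s = "Error: " . ldap_error($conn);
    } else {
        $r = @ldap_exop_passwd($conn, userDN($cfg, $login), '', $newPass);
        if ($r === true) {
            $s = "OK";
        } elseif (is_string($r)) {
            $s = "OK: generated password " . $r;   // hand over out of band, never log it
        } else {
            $s = "Error: " . ldap_error($conn);
        }
    }
    ldap_close($conn);
    return $s;
}

// usage (assumed caller): changeOwnPassword($cfg, 'alice', $old, $new);
```

The self-service path is the least-privilege one: the application holds no directory credentials beyond what the user typed, and the directory's own ACLs decide whether that user may change their password.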

Delete A User Account

Here is the function to delete an account:

function deleteUser($login)
{
    global $cfg;

    $ldapconn = ldap_connect($cfg['ldap_host']);
    if (!$ldapconn)
    {
        return "Error: could not initialise LDAP connection to " . $cfg['ldap_host'];
    }
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    $username = $cfg['ldap_manager_user'];
    $password = $cfg['ldap_manager_pwd'];

    if (@ldap_bind($ldapconn, $username, $password))
    {
        $dn = "cn=" . ldap_escape($login, "", LDAP_ESCAPE_DN) . "," . $cfg['ldap_baseDN'];

        // remove the entry; fails if the entry has children
        if (@ldap_delete($ldapconn, $dn))
            $s = "OK";
        else
            $s = "Error: " . ldap_error($ldapconn);
    }
    else
    {
        $s = "Error: " . ldap_error($ldapconn);
    }

    ldap_close($ldapconn);
    return $s;
}

Connecting and binding proceed exactly as in addUser(): ldap_connect() prepares the handle, ldap_bind() authenticates as the manager, and a failed bind returns the server's error message.

If the bind succeeds, we call ldap_delete(). This function takes two parameters: the connection handle and the DN of the entry to delete ("cn=$login" followed by a comma and the base DN, with $login escaped as in addUser()). LDAP only deletes leaf entries, so the call fails if anything is stored beneath the user's entry; an unescaped $login is also most dangerous here, since a crafted value could point the delete at a different entry.

If the deletion succeeds the function returns "OK", otherwise the server's error message, and the connection is closed with ldap_close() in either case.

Akhmad Daniel Sembiring

vITraining.com – Qualified IT Products, Outsourcing, and Services

Ligarwangi.com – Linux, E-book, Coffee, Gift, etc
