Authenticate PHP Apps Against an Active Directory

PCQ Bureau

A directory service like Active Directory in Windows is used to store users' information (name, address, e-mail, phone etc.) in a centralized location. Besides being used as a directory, Active Directory is used for authentication in a network. This means Active Directory can store the login credentials (username and password) of users to allow them to access applications and network resources. All applications look up the directory service to validate the login credentials instead of storing the credentials in their own store (such as their own databases). If a user wants to change his password, he only needs to change it at one place, the Active Directory. Subsequently, he would be able to log on to all the applications with his new password.



Windows and Windows applications can easily integrate with Active Directory; after all, Active Directory is the de facto directory service on Windows. What about an application developed with open source technology? What about open source products?

PHP is undoubtedly one of the most popular open source languages for developing web applications. What if you are writing a new PHP application for your organization and want that application to authenticate against an existing Active Directory server? The answer is to use a PHP library of functions called adLDAP (as explained later). Next, numerous open source web applications (like blogs and content management systems) and enterprise applications (like CRM and mailing lists) have been written in PHP. In this article, we explain how to configure the following PHP-based open source applications to authenticate against an Active Directory:

SugarCRM (www.sugarcrm.com): A customer relationship management (CRM) system
Joomla (www.joomla.org): A content management system
Wordpress (www.wordpress.org): A blogging platform
phpBB (www.phpbb.com): A web based discussion forum
PHPlist (www.phplist.com): A newsletter/mailing list system

Active Directory setup

For this article, we used Windows Server 2008 and had set up pcqlinux.net as the domain. Assuming that you have already installed and set up Active Directory, let's create a user called 'Shekhar Govindarajan' in the directory. Click on Start>Administrative Tools>Active Directory Users and Computers. Right click on Users, under the domain, and select New>User. Type in the following details:

First name: Shekhar
Last name: Govindarajan
User logon name: shekhar.govindarajan

The ADSI Edit console in Windows Server gives a detailed peek into the directory organization of Active Directory. This is quite useful to understand and query an Active Directory. ADSI Edit can be launched via adsiedit.msc.

Click on 'Next' and type in the password as pass@word2. Uncheck the box 'User must change password at next logon'. Click on 'Next' and then on 'Finish'. Right click on the newly created user (found in the right pane) and select Properties. Under the General tab, type in shekhar.govindarajan@pcqlinux.net for Email. You may substitute all the above mentioned details with your own. Next we configure each of the above mentioned open source products. Note that almost all these products can be installed on Windows too, but that is not required for the authentication. That is, you can deploy these products on Linux and they can authenticate with an Active Directory on Windows. Also note that in many cases we require the credentials of an Active Directory account that can bind to and search through the directory. We will be using the Administrator account with the password pass@word1 for this purpose. In a real-world deployment, you must not use the Administrator account but create a low privilege account for this purpose.

Authenticate your custom PHP app

Using adLDAP, you can authenticate any custom or home made application against an Active Directory. Download adLDAP from http://adldap.sourceforge.net and extract the archive. You will find a file named adLDAP.php. Open this file in a text editor and make the following changes (as per the Active Directory setup):

var $_account_suffix = "@pcqlinux.net";
var $_base_dn = "CN=Users,DC=pcqlinux,DC=net";
var $_domain_controllers = array ("ad.pcqlinux.net");

Note that for $_domain_controllers you will need to specify the IP address or the hostname (ad.pcqlinux.net in our case) of the Active Directory. Save the file. Now in the login page (say login.php) of your PHP application include the above file as:

include("adLDAP.php");

Next, with the following code you can authenticate with the Active Directory:

// Returns true when the directory accepts the username/password pair, false otherwise.
function authenticateWithAd($username, $password)
{
    $adLDAP = new adLDAP();
    $auth = $adLDAP->authenticate($username, $password);
    return $auth;
}

The function returns true if the authentication succeeds and false otherwise. Next we look at configuring existing open source products for Active Directory authentication. Many have built-in capability. Others require plugins or code modifications. We assume your familiarity with the product(s) and will be explaining only the authentication part.
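As an added example (not code from the article or from the adLDAP project), here is what a complete login.php built around the adLDAP call above could look like. It assumes the edited adLDAP.php sits in the same directory as login.php and that index.php is the post-login landing page; the wrapper name adLogin() and the allowed username pattern are this example's own choices.

```php
<?php
// Added example: a session-based login page that authenticates against Active
// Directory through adLDAP. Assumes adLDAP.php (edited as described in the
// article) is in the same directory; adLogin() is this example's own wrapper.
session_start();
require_once __DIR__ . '/adLDAP.php';

function adLogin($username, $password)
{
    // Refuse empty credentials before talking to the directory: an LDAP simple
    // bind with an empty password is an anonymous bind and must never count as a login.
    if ($username === '' || $password === '') {
        return false;
    }
    // Accept only a bare logon name (assumed pattern); adLDAP appends the account suffix.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    $adLDAP = new adLDAP();
    return $adLDAP->authenticate($username, $password) === true;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['username']) ? trim($_POST['username']) : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';

    if (adLogin($user, $pass)) {
        session_regenerate_id(true);          // fresh session id once the user is authenticated
        $_SESSION['user'] = strtolower($user);
        header('Location: index.php');        // assumed landing page
        exit;
    }
    // One message for every failure so the page does not reveal which part was wrong.
    $error = 'Invalid username or password.';
    error_log(sprintf('AD login failed for "%s" from %s', $user, $_SERVER['REMOTE_ADDR']));
}
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($error !== '') { echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'; } ?>
<form method="post" action="login.php">
  <label>Username <input type="text" name="username" autocomplete="username"></label>
  <label>Password <input type="password" name="password" autocomplete="current-password"></label>
  <button type="submit">Log in</button>
</form>
</body>
</html>
```

The empty-password check matters because adLDAP ultimately performs an LDAP simple bind; if the password were allowed to be empty, the directory would answer the bind as anonymous and a naive caller could mistake that for success. Logging failures with the client address gives you something to alert on if a single address starts walking through usernames.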

SugarCRM

For this article we used SugarCRM version 5.2.0a. After installing SugarCRM, log in as admin. Click on the Admin link on the top right. Under Users>User Management>Create New User, create a new user with the details:

First Name: Shekhar
Last Name: Govindarajan
User Name: shekhar.govindarajan
Password: secret
Confirm Password: secret
Status: Active

Fedora Directory Service can be thought of as the Active Directory for Linux. It uses LDAP and provides a graphical console for configuration. (Source: directory.fedoraproject.org)

Note that it is important to use the logon name in Active Directory as the User Name in SugarCRM. The other details can be different. The password you supply here is the SugarCRM password. SugarCRM will try to authenticate the user against the Active Directory as well as against this password. If either matches, the user is allowed to log in. Typically, you may give the users only the Active Directory password and set the SugarCRM password to something that is known only to you, so that it can be used as a fallback on occasions when the directory service is down. Next, we need to tell SugarCRM about our Active Directory. For this click on Admin (top right link). Click on System Settings. Under 'LDAP Authentication Support', check 'Enable LDAP' and then fill in the following details:

Server: ad.pcqlinux.net
Port Number: 389
Base DN: CN=Users,DC=pcqlinux,DC=net
Bind Attribute: userPrincipalName
Login Attribute: sAMAccountName
Authenticated User: CN=Administrator,CN=Users,DC=pcqlinux,DC=net
Authenticated Password: pass@word1

Note that for Server you will need to specify the IP address or the hostname (ad.pcqlinux.net in our case) of the Active Directory. Click on 'Save'. Log out and try logging in as shekhar.govindarajan with the password pass@word2, the Active Directory password for Shekhar.

Joomla

For this article we used Joomla version 1.5.9. After installing Joomla, log in as admin in the Joomla Administration Login. Click on Site>User Manager. Click on 'New'. Type in the following details:

Name: Shekhar Govindarajan
Username: shekhar.govindarajan
E-mail: shekhar.govindarajan@pcqlinux.net
Group: Public Back-end - Manager

Note that the Username must match the logon name in Active Directory. If you want this user to log in only using his Active Directory password you can leave the password fields blank; otherwise the user can log in using his Joomla password too. Next, click on Extensions>Plugin Manager. Click on the plugin named 'Authentication - LDAP'. On the left, select 'Yes' for Enabled. On the right, under Parameters, type in the following:

Host: ad.pcqlinux.net
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow referrals: No
Authorisation Method: Bind and Search
Base DN: CN=Users,DC=pcqlinux,DC=net
Search String: sAMAccountName=
User's DN:
Connect username: cn=Administrator,cn=Users,dc=pcqlinux,dc=net
Connect password: pass@word1

Note that for Host you will need to specify the IP address or the hostname (ad.pcqlinux.net in our case) of the Active Directory. Leave the other fields at their defaults. Click on 'Save'.
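The 'Bind and Search' method selected in the Joomla plugin, and the Bind Attribute/Login Attribute pair in SugarCRM, both describe the same two-step LDAP exchange. As an added example, not code from either product or from the article, the functions below perform that exchange with PHP's ldap_* extension against the article's directory. The host, base DN, bind account and attribute name are the ones configured above; the function names, the AD_USE_TLS switch and the objectClass=user filter term are this example's own assumptions.

```php
<?php
// Added example: "bind and search" against the article's Active Directory with
// PHP's ldap_* functions. Connection values come from the article; the function
// names and the AD_USE_TLS switch are this example's assumptions.
const AD_HOST    = 'ad.pcqlinux.net';
const AD_BASE_DN = 'CN=Users,DC=pcqlinux,DC=net';
const AD_BIND_DN = 'CN=Administrator,CN=Users,DC=pcqlinux,DC=net'; // the article's bind account; use a low-privilege one in production
const AD_BIND_PW = 'pass@word1';
const AD_USE_TLS = false;  // the article's lab has "Negotiate TLS: No"; set true once the DC has a certificate

function adConnect()
{
    $ds = ldap_connect('ldap://' . AD_HOST . ':389');
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);  // Active Directory requires LDAPv3 ("LDAP V3: Yes")
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          // "Follow referrals: No"
    // Without TLS, both simple binds below send their passwords in clear text on the wire.
    if (AD_USE_TLS && !@ldap_start_tls($ds)) {
        return false;
    }
    return $ds;
}

// Step 1: bind as the service account and resolve the logon name to a DN via sAMAccountName.
function adFindUserDn($ds, $login)
{
    if (!@ldap_bind($ds, AD_BIND_DN, AD_BIND_PW)) {
        return null;
    }
    // ldap_escape keeps a logon name such as "*)(objectClass=*" from rewriting the filter.
    $filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
    $res = @ldap_search($ds, AD_BASE_DN, $filter, array('distinguishedName'));
    if ($res === false || ldap_count_entries($ds, $res) !== 1) {
        return null;  // insist on exactly one matching account
    }
    return ldap_get_dn($ds, ldap_first_entry($ds, $res));
}

// Step 2: bind again as the user; the directory, not the application, verifies the password.
function adAuthenticate($login, $password)
{
    // An empty password turns ldap_bind into an anonymous bind, which succeeds without proving anything.
    if ($login === '' || $password === '') {
        return false;
    }
    $ds = adConnect();
    if ($ds === false) {
        return false;
    }
    $dn = adFindUserDn($ds, $login);
    $ok = ($dn !== null) && @ldap_bind($ds, $dn, $password);
    ldap_unbind($ds);
    return $ok;
}

// Check the user created earlier in the article, then show that an empty
// password is rejected before any bind is attempted.
var_dump(adAuthenticate('shekhar.govindarajan', 'pass@word2'));
var_dump(adAuthenticate('shekhar.govindarajan', ''));
```

Two details are worth carrying over into whichever product you configure: the service account only needs permission to bind and to read the users container (which is why the article warns against using Administrator), and the login name must be escaped before it goes into the search filter, which is what the products' own plugins are expected to do for you.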

Wordpress

For this article we used Wordpress version 2.7.1. To authenticate Wordpress users with Active Directory you will need to download a Wordpress plugin called 'Simple LDAP Login'. The plugin can be downloaded from the URL http://downloads.wordpress.org/plugin/simple-ldap-login.1.2.zip. Unzip the downloaded file into the wp-content/plugins directory.

Next, log into Wordpress as admin. First, we need to activate the 'Simple LDAP Login' plugin. For this, click on the Plugins menu on the left. Click on the Activate link beside the 'Simple LDAP Login' plugin. Next, click on Settings>'Simple LDAP Login' on the left. Type in the following:

Account Suffix: @pcqlinux.net
Base DN: CN=Users,DC=pcqlinux,DC=net
Domain Controller(s): ad.pcqlinux.net

Here the account suffix matches the domain in the 'User logon name' specified in the Active Directory. Finally, you will need to create Wordpress users whose usernames match the Active Directory logon names. Similar to SugarCRM and Joomla, this setup allows users to log in using either their Active Directory password or the Wordpress password (specified while creating the Wordpress user).

phpBB

In the case of phpBB (3.0.4), unlike the above products, the users can be authenticated only against one source: either the Active Directory or the phpBB database. For this reason, during phpBB installation the username of the admin user must match the logon name of an Active Directory user. So if you opt for the username admin, do not forget to create a user named admin in the Active Directory. After installation, log in to the ACP (Administration Control Panel). Under 'Client Configuration' click on Authentication and fill in the following:

Select an authentication method: Ldap
LDAP server name: ad.pcqlinux.net
LDAP base dn: CN=Users,DC=pcqlinux,DC=net
LDAP uid: sAMAccountName
LDAP user filter:
LDAP e-mail attribute: mail
LDAP user dn: CN=Administrator,CN=Users,DC=pcqlinux,DC=net
LDAP password: pass@word1

Click on Submit.

phpList

For phpList we will use the adLDAP library (see above). The Active Directory authentication can be used for the list admins. Create a list admin by following 'Main page'>admins (under Administrator functions). Click on add new admin. For the username type in the Active Directory logon name (i.e. shekhar.govindarajan in our case). Set up other parameters as per your case.

Next, we will modify the phpList code in such a way that, besides admin (the default list admin), all other list admins will be authenticated against the Active Directory. Assuming that you have already modified the adLDAP.php file as explained above, copy this file to the subdirectory lists/admin of phpList. Next open the file named phplist_auth.inc, found in lists/admin/auth, in a text editor and add the following line after

require_once dirname(__FILE__).'/../adLDAP.php';

Modify the function validateLogin($login,$password) so that it looks as follows:

function validateLogin($login, $password) {
    $adldap = new adLDAP();
    // Look the admin up in phpList's own admin table by login name. As in the
    // original phpList code, $login is interpolated into the query; escape it
    // with the database layer's quoting function before relying on this in production.
    $admindata = Sql_Fetch_Array_Query(sprintf('select password,disabled,id from %s where loginname = "%s"',
        $GLOBALS["tables"]["admin"], $login));
    if ($admindata["disabled"]) {
        return array(0, "your account has been disabled");
    } elseif ($admindata[0]
        // 'admin' is checked against the phpList password; every other admin against Active Directory.
        && (($login == "admin" && $admindata[0] == $password) || $adldap->authenticate($login, $password))
        && strlen($admindata[0]) > 3) {
        return array($admindata["id"], "OK");
    } else {
        return array(0, "invalid password");
    }
    return array(0, "Login failed");
}

Save the file. From now on, non 'admin' users will be authenticated against the Active Directory.

Take home

Last year with PCQLinux 2008 (bundled with the March 2008 issue of PCQuest) we had the appliances for CMS (Alfresco), web meeting (Webhuddle) and messaging (Zimbra) authenticating against the LDAP-based Fedora Directory Service. This time, in this article we looked at how to authenticate our own PHP applications with Active Directory. We picked popular open source, PHP-based products for CRM, CMS, blog and discussion forums, and configured them to authenticate against Windows 2007 Active Directory. We went to the extent of modifying the code of an open source product (thanks to it being open source) for Active Directory authentication. We hope that we have given you enough meat to reach central authentication nirvana with an open source platform.