LDAP Authentication RPI Tutorial (Part 1)

After writing about how to use CAS with PHP, I thought I would write a post about how to use LDAP(Lightweight Directory Access Protocol) at RPI but these methods can be used anywhere. LDAP is a protocol to query user databases, this is a protocol that can be sed along with Active Directory, or another directory system for computers and user accounts. This protocol is widely used to allow different applications to interact with your user database. Here I will be showing how to implement search with LDAP to a web application. This guide will be using LDAP with PHP, this requires the LDAP module to be enabled within PHP; that will be the purpose of this article, then the next one will discuss how to actually query LDAP.

LDAP Linux (Debian/Ubuntu) Install

Linux is easy to get LDAP working with PHP, as long as you have a standard installation of Apache, with PHP 5 working.

  1. Install the LDAP module onto the machine, using either aptitude or apt-get
    • “sudo aptitude install php5-ldap”
    • OR “sudo apt-get install php5-ldap”
  2. PHP should now be able to use LDAP, if it is not working yet, you will need to restart Apache.
    • “sudo service apache2 restart”

LDAP Windows (XAMPP) Install

Xampp for Windows comes with LDAP, but there is a bug in their implementation and a file needs to be copied before LDAP will work. I am going to use “C:\xampp”, the default directory for Xampp in this example.

  1. Go into the PHP folder, C:\xampp\php\
  2. Edit the file “php.ini” with any text editor
  3. Find the line “;extension=php_ldap.dll”, and remove the semi-colon. “extension=php_ldap.dll”
  4. Now if you were to reboot Apache it should be working, but its not! Why not? There is a missing DLL. You need to
    copy libsasl.dll from c:\xampp\php\libsasl.dll to C:\xampp\apache\bin\.
  5. Now restart Apache

LDAP Search

Now that PHP can search LDAP we are going to want to start creating queries in PHP; but it is much easier to tweak the search in the command line, and then put that query into PHP. The following are steps that can be taken on a Linux computer (again Ubuntu/Debian) to install and use a ldap command line search.

  1. First we need to install the OpenLDAP utilities that will give us the “ldapsearch” command
    • “sudo aptitude install openldap-utils”
    • OR “sudo apt-get install openldap-utils”
  2. Now we are making our query
    • First we add the command, then enter the host you are searching, tell the server to try simple anonymous authentication. Next give the server a base to start the search (I am using RPI specific domain components), finally we have to give the heart of our search. I am looking for any Unique ID (username) that starts with “berk”, and ends with anything “*”.
    • ldapsearch -h “ldap.rpi.edu” -x -b “dc=rpi, dc=edu” “uid=berk*”
    • Now this gives one result, and this can be used to see what data will be returned from this server. You can also try “ldap1.server.rpi.edu” this returns a entirely different list of variables, and sometimes more users.
    • If you are interested in researching this command more, die.net has a great resource. http://linux.die.net/man/1/ldapsearch
    • Troubleshooting: For those of you here at RPI trying to follow this guide specifically, if you do not get any results or a error connecting, RPI firewalls the LDAP servers heavily. I have found a lot of the time I have to be in the VCC to make this work, you can also VPN in, then your network connection is within the VCC and it will work. I have VPNed in, while on campus in the Union to get LDAP to work.

UPDATE: I added a little about what LDAP is

Advertisements

5 comments

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s