ldap_bind - PHP code example

PHP Function LDAP_Bind

The LDAP library in PHP provides access to the Lightweight Directory Access Protocol (LDAP) for carrying out directory service-related tasks. The library is primarily responsible for connecting, binding to, and closing the LDAP server connection. It also provides functions for performing CRUD operations on directory entries. This article introduces php function ldap_bind, which is responsible for binding to an LDAP server with specified credentials.

In LDAP, users can be authenticated by passing a distinguished name and password in a simple bind operation. However, many implementations of LDAP-based authentication schemes fail to properly sanitize user-submitted data, resulting in web-based applications that allow an anonymous user to gain full privileges as an existing authorized user. This vulnerability is often exploited using a technique called LDAP spoofing.

To use the LDAP library, you must first compile PHP with LDAP support enabled. This is done by passing the --with-ldap flag when configuring PHP. You will also need to get and compile a set of LDAP client libraries, such as the University of Michigan ldap-3.3 package or Netscape Directory SDK 3.0.

Once you have compiled and installed the required libraries, you can begin coding with the LDAP library in PHP. Initially, you will need to connect to an LDAP server by calling the ldap_connect() function. This function returns a connection resource if successful. To do so, you must provide the LDAP server's URI, which can be in the format ldap://hostname:port or ldaps://hostname:port for SSL/TLS encryption.

ldap_bind example

namespace Symfony\Component\Ldap\Tests;

use PHPUnit\Framework\TestCase;

class LdapTestCase extends TestCase
{
    protected function getLdapConfig()
    {
        $h = @ldap_connect(getenv('LDAP_HOST'), getenv('LDAP_PORT'));
        @ldap_set_option($h, \LDAP_OPT_PROTOCOL_VERSION, 3);

        if (!$h || !@ldap_bind($h)) {
            $this->markTestSkipped('No server is listening on LDAP_HOST:LDAP_PORT');
        }

        ldap_unbind($h);

        return [
            'host' => getenv('LDAP_HOST'),
            'port' => getenv('LDAP_PORT'),
        ];
    }
}

/** * @param string $password WARNING: When the LDAP server allows unauthenticated binds, a blank $password will always be valid * * @return void */
    public function bind(string $dn = null, #[\SensitiveParameter] string $password = null)     {
        if (!$this->connection) {
            $this->connect();
        }

        if (false === @ldap_bind($this->connection, $dn, $password)) {
            $error = ldap_error($this->connection);
            switch (ldap_errno($this->connection)) {
                case self::LDAP_INVALID_CREDENTIALS:
                    throw new InvalidCredentialsException($error);
                case self::LDAP_TIMEOUT:
                    throw new ConnectionTimeoutException($error);
                case self::LDAP_ALREADY_EXISTS:
                    throw new AlreadyExistsException($error);
            }
            throw new ConnectionException($error);
        }