Using LDAP

From DreamFactory

Latest revision as of 22:00, 26 August 2019

About

resource ldap_connect ([ string $host = NULL [, int $port = 389 ]] )

Creates an LDAP link identifier and checks whether the given host and port are plausible. Note: This function does not open a connection. It checks whether the given parameters are plausible and can be used to open a connection as soon as one is needed.

Parameters

host
This field supports using a hostname or, with OpenLDAP 2.x.x and later, a full LDAP URI of the form ldap://hostname:port or ldaps://hostname:port for SSL encryption. You can also provide multiple LDAP URIs separated by a space as one string. Note that hostname:port is not a supported LDAP URI, as the scheme is missing.
port
The port to connect to. Not used when using LDAP URIs.

Return Values

Returns a positive LDAP link identifier when the provided hostname/port combination or LDAP URI seems plausible. This is a syntactic check of the provided parameters only; the server(s) will not be contacted. If the syntactic check fails it returns FALSE. When OpenLDAP 2.x.x is used, ldap_connect() will always return a resource, as it does not actually connect but just initializes the connection parameters. The actual connection happens with the next call to an ldap_* function, usually ldap_bind(). If no arguments are specified then the link identifier of the already opened link will be returned.

Connecting to LDAP server

Example #1
 <?php
 // LDAP variables
 $ldaphost = "ldap.example.com";  // your ldap server
 $ldapport = 389;                 // your ldap server's port number

 // Connecting to LDAP
 $ldapconn = ldap_connect($ldaphost, $ldapport)
     or die("Could not connect to $ldaphost");
 ?>

Example #2
 <?php
 // make sure your host is the correct one,
 // i.e. the one that you issued your secure certificate to
 $ldaphost = "ldaps://ldap.example.com/";

 // Connecting to LDAP
 $ldapconn = ldap_connect($ldaphost)
     or die("Could not connect to {$ldaphost}");
 ?>

Tutorial

To use LDAP authentication in a DreamFactory Instance, you must have the PHP LDAP extension enabled. In APT the package is `php5-ldap`, in Yum it's `php-ldap`, and in Windows Bitnami instances it's provided as `php_ldap.dll`.

You can then provision an LDAP service from the 'Services' tab in the Admin Console. Click the 'Create' button on the Services tab to create a new service. Select 'LDAP Integration' from the 'Service Type' drop-down menu. For the name field use a short, meaningful, one-word name for your service; this will be used as your LDAP service identifier. Fill out the rest of the information on this form and then go to the 'Config' tab.

[[File:Tutorial using ldap 1.png]]

On the config form, you will need to provide all the details of your LDAP server and select a default role for your LDAP service. This role will be assigned (for all applications in the system) to all users signing in using this LDAP service.

Be sure to set content-type to application/json in your headers.

[[File:Tutorial using ad 2.png|800px]]

API Endpoint

POST https://your-url/api/v2/user/session?service={ldap_service_name}
{
    "username" : "user_name",
    "password" : "password"
}

-- OR --

POST https://your-url/api/v2/user/session
{
    "username" : "user_name",
    "password" : "password",
    "service"  : "ldap_service_name"
}

Example - Sign-in using LDAP Authentication

  • LDAP service name: demo
  • Request URL:
    POST https://your-url/api/v2/user/session?service=demo
    {
        "username" : "user_name",
        "password" : "password"
    }
  • Response:
    {
        "session_token": "abc.123abc.efg",
        "session_id": "abc.123abc.efg",
        "id": 1,
        "name": "John",
        "first_name": "John",
        "last_name": "Doe",
        "email": "[email protected]",
        "is_sys_admin": false,
        "last_login_date": "2015-06-30 16:46:59",
        "host": "your-url"
    }
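A client-side implementation of the sign-in request above, added here as an example; it is not code from the DreamFactory project. It assumes PHP's curl extension, the placeholder instance URL https://your-url and the service name demo used on this page, and (not documented on this page) that a failed login comes back with a JSON body of the form {"error": {"message": ...}}. It uses the second request form, with the service name in the JSON body, and sends the Content-Type header the page asks for.

```php
<?php
// Added example, not DreamFactory's own code. Signs a user in through an
// LDAP service and returns the decoded session object on success.
function dreamfactory_ldap_login(string $baseUrl, string $service, string $username, string $password): array
{
    // Second request form from the page: the service name travels in the body.
    $body = json_encode([
        'username' => $username,
        'password' => $password,
        'service'  => $service,
    ]);

    $ch = curl_init(rtrim($baseUrl, '/') . '/api/v2/user/session');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        // The API requires a JSON content type on the request.
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json', 'Accept: application/json'],
        // Credentials are in the body, so keep TLS verification switched on.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);

    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($raw === false) {
        throw new RuntimeException("Transport error talking to DreamFactory: $err");
    }
    $data = json_decode($raw, true);
    if ($status !== 200 || !is_array($data) || empty($data['session_token'])) {
        // Assumed error envelope; fall back to the HTTP status if it is absent.
        $msg = $data['error']['message'] ?? "HTTP $status";
        throw new RuntimeException("LDAP sign-in failed: $msg");
    }
    return $data;
}

// Usage: the password comes from the environment rather than the source file.
$session = dreamfactory_ldap_login(
    'https://your-url',          // placeholder from the page
    'demo',                      // LDAP service name from the example above
    'user_name',
    getenv('DF_PASSWORD') ?: ''
);
printf("Signed in as %s (id %d)\n", $session['name'], $session['id']);
```

The returned array has the same keys as the Response shown above, so `$session['session_token']` is the value to carry on subsequent API calls (DreamFactory expects it in the X-DreamFactory-Session-Token header, which this page does not show).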

See Also

ldap_bind() - Bind to LDAP directory

To be able to make modifications to Active Directory via the LDAP connector you must bind to the LDAP service over SSL. Otherwise Active Directory provides a mostly read-only connection. You cannot add objects or modify certain properties without LDAPS, e.g. passwords can only be changed using LDAPS connections to Active Directory.

Therefore, for those wishing to securely connect to Active Directory from a Unix host using PHP+OpenLDAP+OpenSSL: I spent some time getting this going myself, and came across a few gotchas. Hope this proves fruitful for others like me when you couldn't find answers out there.

Make sure you compile OpenLDAP with OpenSSL support, and that you compile PHP with OpenLDAP and OpenSSL.

This provides PHP with what it needs to make use of ldaps:// connections.

Configure OpenSSL:

Extract your Root CA certificate from Active Directory. This is achieved through the use of Certificate Services, a standard component of Windows 2000 Server, but it may not be installed by default (the usual Add/Remove Software method will work here). I extracted this in Base64, not DER format. Place the extracted CA cert into the certs folder for openssl (e.g. /usr/local/ssl/certs) and set up the hashed symlinks. This is easily done by simply running:

 /usr/local/ssl/bin/c_rehash

Once this is done you can test that it has worked by running:

 /usr/local/ssl/bin/openssl verify -verbose -CApath /usr/local/ssl/certs /tmp/exported_cacert.pem

(Should return: OK).

Configure OpenLDAP:

Add the following to your ldap.conf file. (found as /usr/local/openldap/etc/openldap/ldap.conf)

 #--begin--
 # Instruct client to NOT request a server's cert.
 TLS_REQCERT never
 # Define location of CA Cert
 TLS_CACERT /usr/local/ssl/certs/AD_CA_CERT.pem
 TLS_CACERTDIR /usr/local/ssl/certs
 #--end--

You also need to place those same settings in a file within the Apache Web user homedir called .ldaprc

 e.g.:

 cp /usr/local/openldap/etc/openldap/ldap.conf ~www/.ldaprc

You can then test that you're able to establish an LDAPS connection to Active Directory from the OpenLDAP command tools:

 /usr/local/openldap/bin/ldapsearch -H "ldaps://adserver.ad.com"

This should return some output in extended LDIF format and will indicate no matching objects, but it proves the connection works. The name of the server you're connecting to is important. If the server name you specify in the "ldaps://" URI does not match the name of the server in its certificate, it will complain like so:

 ldap_bind: Can't contact LDAP server (81)
       additional info: TLS: hostname does not match CN in peer certificate

Once you've gotten the ldapsearch tool working correctly PHP should work also.

One important gotcha however is that the Web user must be able to locate its HOME folder. You must check that Apache is providing a HOME variable set to the Web user's home directory, so that PHP can locate the .ldaprc file and the settings contained within. This may well be different between Unix variants, but it is such a simple and stupid thing if you miss it, and it causes you grief. Simply use a SetEnv directive in Apache's httpd.conf:

 SetEnv HOME /usr/local/www

With all that done, you can now code up a simple connect function:

 function connect_AD()
 {
   $ldap_server = "ldaps://adserver.ad.com" ;
   $ldap_user   = "CN=web service account,OU=Service Accounts,DC=ad,DC=com" ;
   $ldap_pass   = "password" ;
   $ad = ldap_connect($ldap_server) ;
   if ($ad === false) {
     return false ;   // the URI failed ldap_connect()'s syntactic check
   }
   ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3) ;
   // the TCP connection and TLS handshake actually happen here
   $bound = ldap_bind($ad, $ldap_user, $ldap_pass);
   if (!$bound) {
     return false ;   // bind failed; ldap_error($ad) holds the reason
   }
   return $ad ;
 }

Optionally you can avoid the URI style server string and use something like ldap_connect("adserver.ad.com", 636) ; Both work fine with Active Directory servers.
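As an added example that is not part of the note above: the ldap.conf shown earlier sets TLS_REQCERT never, which tells the OpenLDAP client to accept any server certificate without checking it, so anyone positioned between the web host and the domain controller could present their own certificate and read the service account's bind password. The function below, written here for illustration only, demands a verified certificate from PHP instead and reports bind failures rather than ignoring them. It assumes PHP 7.1 or later for the LDAP_OPT_X_TLS_* constants, that setting them with a null link before ldap_connect() applies them to the connection that follows, and placeholder values for the server name, bind DN and CA file path.

```php
<?php
// Added example, not the note's own code. Connects to Active Directory over
// LDAPS while verifying the server certificate against our CA file.
function connect_AD_verified(string $server, string $bindDn, string $bindPass, string $caFile)
{
    // Demand a certificate whose chain validates against $caFile. This is the
    // opposite of "TLS_REQCERT never" in ldap.conf, which performs no check at all.
    // (Assumption: with a null link these apply to the global TLS context.)
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND) ||
        !ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile)) {
        throw new RuntimeException('Could not configure TLS certificate verification');
    }

    $ad = ldap_connect($server);   // syntactic check only; nothing is sent yet
    if ($ad === false) {
        throw new RuntimeException("Bad LDAP URI: $server");
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Active Directory commonly hands back referrals that the client would try
    // to chase on its own; turning that off avoids spurious errors on searches.
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

    // The TCP connection and TLS handshake happen here. An untrusted chain, or a
    // hostname that does not match the certificate, now fails the bind instead
    // of being silently accepted.
    if (!@ldap_bind($ad, $bindDn, $bindPass)) {
        $msg = ldap_error($ad);
        ldap_unbind($ad);
        throw new RuntimeException("LDAPS bind to $server failed: $msg");
    }
    return $ad;
}

// Usage with placeholder values; the password is read from the environment
// so it does not sit in the source file.
$ad = connect_AD_verified(
    'ldaps://adserver.ad.com',
    'CN=web service account,OU=Service Accounts,DC=ad,DC=com',
    getenv('AD_BIND_PASSWORD') ?: '',
    '/usr/local/ssl/certs/AD_CA_CERT.pem'
);
echo "Bound to Active Directory over verified LDAPS\n";
ldap_unbind($ad);
```

With the certificate demanded, the "hostname does not match CN in peer certificate" condition the note describes surfaces as an exception from this function, which is the behaviour you want: the bind password is only ever sent to a server that proved its identity.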