adLDAP - LDAP authentication with PHP for Active Directory


FAQ - Frequently Asked Questions

Q. Why do I keep getting "undefined function"?
A. You will need to compile LDAP support into PHP; check your Apache installation.

Q. Why can I authenticate ok, but searching doesn't work?
A. There's an error in your Base DN. Generally, if your account suffix is mydomain.local, your Base DN is the same domain name, but broken up into its labels and each prefixed with DC=, e.g. DC=mydomain,DC=local. As of adLDAP version 3.3 and higher, if you do not specify a Base DN, adLDAP will automatically attempt to determine it for you.
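As an added example (not adLDAP's own code), the following PHP derives the Base DN from an account suffix exactly as the answer describes, and also asks the domain controller's RootDSE for its defaultNamingContext so the two can be compared. The RootDSE lookup is the standard LDAP way of discovering the naming context and is my assumption of how such auto-detection works, not a statement about adLDAP's implementation; the hostname and suffix are placeholders.

```php
<?php
// Added example, not part of adLDAP: derive a Base DN from an account suffix
// and cross-check it against what the DC reports in its RootDSE.

/**
 * Turn an account suffix such as "@mydomain.local" (or "mydomain.local")
 * into the matching Base DN "DC=mydomain,DC=local".
 */
function baseDnFromSuffix(string $suffix): string
{
    $domain = ltrim(trim($suffix), '@');
    if ($domain === '') {
        throw new InvalidArgumentException('Empty account suffix');
    }
    $labels = array_filter(explode('.', $domain), 'strlen');
    // Each DNS label becomes one DC= component; escape it so a stray comma
    // or equals sign in the input cannot alter the DN structure.
    $rdns = array_map(
        fn (string $label) => 'DC=' . ldap_escape($label, '', LDAP_ESCAPE_DN),
        $labels
    );
    return implode(',', $rdns);
}

/**
 * Ask the DC itself (RootDSE = search with an empty base) for its
 * defaultNamingContext. Returns null if the server does not expose it.
 */
function baseDnFromRootDse($ldap): ?string
{
    $result = @ldap_read($ldap, '', '(objectClass=*)', ['defaultNamingContext']);
    if ($result === false) {
        return null;
    }
    $entries = ldap_get_entries($ldap, $result);   // attribute names come back lowercased
    return $entries['count'] > 0
        ? ($entries[0]['defaultnamingcontext'][0] ?? null)
        : null;
}

// ---- usage --------------------------------------------------------------
$accountSuffix    = '@mydomain.local';      // placeholder, change to your suffix
$domainController = 'dc1.mydomain.local';   // placeholder

$baseDn = baseDnFromSuffix($accountSuffix); // DC=mydomain,DC=local

$ldap = ldap_connect('ldap://' . $domainController);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
// An anonymous RootDSE read is normally permitted; bind first if your DC requires it.
$fromServer = baseDnFromRootDse($ldap);

if ($fromServer !== null && strcasecmp($fromServer, $baseDn) !== 0) {
    // A mismatch here is the classic "authenticate works but search fails" symptom.
    echo "Suffix-derived Base DN ($baseDn) differs from the server's ($fromServer)\n";
} else {
    echo "Base DN: $baseDn\n";
}
```

If the two values disagree (for example because the forest uses a different DNS name from the UPN suffix), the RootDSE value is the one searches must use.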

Q. Is there any way to query for all the users currently logged in?
A. The information isn't stored in Active Directory. It's part of the system information for a particular machine, and to get an indication of users logged in on any server in a domain, you need to use a management console to connect to every server in the domain. The information is pulled through a network management port. To find out if they're logged in, you'd need to write a script to replicate the function of the management console.

Q. My group queries are incorrect, why am I missing a group or getting double entries?
A. Active Directory does not return the primary group as part of a user's group memberships (see http://support.microsoft.com/?kbid=321360). Setting the option will resolve these correctly, but it's a hack, and not a pretty one, so it will be resource intensive on large directories. It should be fine on smaller directories, though. I personally set it to false and set the primary group to "Domain Users" on all our accounts.

Q. I've authenticated with the class, but why can people still download files?
A. The class does not restrict people from downloading files; you can authenticate with the example script and then download a text file from the same server without any hassles. You need to use sessions to control access to your PHP scripts.
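The following is an added example, not adLDAP's own code, of the session approach the answer recommends: a single gateway script that authenticates with adLDAP, records the result in the PHP session, and then streams files from a directory the web server cannot serve on its own (the part a bare authenticate() call never gives you). The adLDAP constructor option keys are those of adLDAP 4 as I recall them, so verify them against your installed version; the include path, directory, domain details and file name are placeholders.

```php
<?php
// Added example, not part of adLDAP. Files under PRIVATE_DIR are outside the
// document root, so the only way to fetch them is through this script, which
// first checks the session that a successful adLDAP authenticate() created.
// Constructor option keys follow adLDAP 4 as I recall them; check your version.
require_once __DIR__ . '/adLDAP/src/adLDAP.php';   // include path is an assumption

const PRIVATE_DIR = '/var/www/private';             // placeholder, outside the web root

session_start();

function adldapLogin(string $username, string $password): bool
{
    // Refuse blank credentials up front: some directories treat an empty
    // password as an anonymous bind, which would look like success.
    if ($username === '' || $password === '') {
        return false;
    }
    $adldap = new adLDAP([
        'account_suffix'     => '@mydomain.local',       // placeholder
        'base_dn'            => 'DC=mydomain,DC=local',  // placeholder
        'domain_controllers' => ['dc1.mydomain.local'],  // placeholder
    ]);
    // authenticate() reports only whether the bind with these credentials succeeded.
    return $adldap->authenticate($username, $password);
}

function currentUser(): ?string
{
    return $_SESSION['user'] ?? null;
}

function sendProtectedFile(string $name): void
{
    // Accept a plain file name only (no leading dot, no separators), so
    // "../" style names can never leave PRIVATE_DIR.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
        http_response_code(400);
        exit('Bad file name');
    }
    $path = PRIVATE_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// ---- request handling -----------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (adldapLogin($_POST['username'] ?? '', $_POST['password'] ?? '')) {
        session_regenerate_id(true);          // fresh session id after login
        $_SESSION['user'] = $_POST['username'];
        header('Location: /download.php?file=report.pdf');   // placeholder path
        exit;
    }
    http_response_code(401);
    exit('Login failed');
}

if (currentUser() === null) {
    http_response_code(401);
    exit('Please log in first');
}
sendProtectedFile($_GET['file'] ?? '');
```

The two design points are that the files live where Apache cannot reach them, so every download passes the session check, and that the session id is regenerated after a successful login so an id handed to the browser before authentication is never promoted to an authenticated one.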

Q. Can we use username/password of the currently logged on user to authenticate automatically?
A. Yes! mod_auth_ntlm_winbind will authenticate your user, and then you can snag their username with $_SERVER["REMOTE_USER"]. It only authenticates users, though; there's no group control, user information, etc. That being said, using mod_auth_ntlm_winbind and adLDAP *together* is pretty sexy. mod_auth_ntlm_winbind logs them in automatically, and you can use adLDAP for your more specific access controls. Read the section on seamless authentication for more information.
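As an added example (not adLDAP's own code and not from the seamless-authentication section), here is the combination the answer describes in PHP: Apache's SSO module has already authenticated the browser and exposed the identity in $_SERVER["REMOTE_USER"], and adLDAP is used only to decide what that user may do. The constructor option keys and user()->inGroup() follow adLDAP 4 as I recall them, so verify against your version; the include path, domain details, service account and group name are placeholders.

```php
<?php
// Added example, not part of adLDAP: authentication came from
// mod_auth_ntlm_winbind (REMOTE_USER); adLDAP handles authorization only.
// Option keys and user()->inGroup() are adLDAP 4 as I recall them.
require_once __DIR__ . '/adLDAP/src/adLDAP.php';   // include path is an assumption

/**
 * Normalise what the SSO module hands over: "MYDOMAIN\jsmith",
 * "jsmith@mydomain.local" or "jsmith" all become "jsmith".
 * Returns null when nothing usable is present.
 */
function remoteUserToSamAccountName(array $server): ?string
{
    $raw = $server['REMOTE_USER'] ?? '';
    if ($raw === '') {
        return null;
    }
    if (($pos = strrpos($raw, '\\')) !== false) {   // DOMAIN\user
        $raw = substr($raw, $pos + 1);
    }
    if (($pos = strpos($raw, '@')) !== false) {     // user@realm
        $raw = substr($raw, 0, $pos);
    }
    // A sAMAccountName is short and contains no LDAP filter metacharacters;
    // anything else is rejected rather than passed into a directory query.
    return preg_match('/^[A-Za-z0-9._-]{1,20}$/', $raw) ? $raw : null;
}

/** True if $user is in $requiredGroup, counting nested membership. */
function authorise(adLDAP $adldap, string $user, string $requiredGroup): bool
{
    return (bool) $adldap->user()->inGroup($user, $requiredGroup, true);
}

// ---- request handling -----------------------------------------------------
$user = remoteUserToSamAccountName($_SERVER);
if ($user === null) {
    // REMOTE_USER is set by Apache after the NTLM exchange; if it is empty the
    // module did not run for this request, so treat the caller as anonymous.
    http_response_code(401);
    exit('Not authenticated');
}

$adldap = new adLDAP([
    'account_suffix'     => '@mydomain.local',       // placeholder
    'base_dn'            => 'DC=mydomain,DC=local',  // placeholder
    'domain_controllers' => ['dc1.mydomain.local'],  // placeholder
    // Group lookups need a bind, and winbind never gave us the user's password,
    // so a read-only service account does the querying.
    'admin_username'     => 'svc-web-ro',            // placeholder
    'admin_password'     => 'change-me',             // placeholder; keep out of source control
]);

if (!authorise($adldap, $user, 'Intranet Reports')) {   // group name is a placeholder
    http_response_code(403);
    exit("$user is not allowed here");
}
echo "Welcome, $user";
```

Because the page trusts REMOTE_USER as the identity, the location this script lives in must be covered by the Apache authentication configuration; a script reachable without the module running would see an empty REMOTE_USER and, correctly, refuse the request.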

Q. Why am I getting poor performance with Windows 2003 Server?
A. There are some new timeout problems during negotiation (I think). An LDAP option has been set in version 1.2, and it has resolved this issue.

Q. Why do my group queries return every group except the primary group?
A. This behaviour is "a feature" in AD (yeah, go figure). The primary group is stored separately from the other group memberships because it helps with replication. I've accounted for this in 1.1.
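To make the two primary-group answers above concrete, this added example (my code, not adLDAP's implementation of its primary-group option) resolves a user's primary group explicitly with PHP's ldap_* functions. Active Directory records the primary group only as primaryGroupID, a RID, so the group's SID is the user's own SID with the last sub-authority swapped for that RID; the group is then fetched with a second search, which is the per-user extra round trip that makes the option expensive on large directories. Hostnames, DNs, credentials and the sample username are placeholders.

```php
<?php
// Added example, not part of adLDAP: build the primary group's SID from the
// user's objectSid and primaryGroupID, then look the group up. The second
// search per user is the cost the FAQ warns about.

/** Convert AD's binary objectSid into the textual S-1-5-21-... form. */
function binarySidToString(string $bin): string
{
    if (strlen($bin) < 8) {
        throw new InvalidArgumentException('SID too short');
    }
    $revision = ord($bin[0]);
    $count    = ord($bin[1]);                 // number of sub-authorities
    if (strlen($bin) !== 8 + 4 * $count) {
        throw new InvalidArgumentException('SID length does not match sub-authority count');
    }
    $authority = 0;                           // 48-bit big-endian identifier authority
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($bin[$i]);
    }
    $sid = "S-$revision-$authority";
    foreach (array_values(unpack('V*', substr($bin, 8))) as $sub) {   // 32-bit little-endian
        $sid .= '-' . sprintf('%u', $sub);
    }
    return $sid;
}

/** Replace the RID (last component) of a textual SID with $rid. */
function primaryGroupSid(string $userSid, int $rid): string
{
    $parts = explode('-', $userSid);
    if (count($parts) < 4) {
        throw new InvalidArgumentException("Malformed SID: $userSid");
    }
    array_pop($parts);
    $parts[] = (string) $rid;
    return implode('-', $parts);
}

/**
 * Full group list for $sam: the memberOf values plus the resolved primary group.
 */
function groupsIncludingPrimary($ldap, string $baseDn, string $sam): array
{
    $filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($ldap, $baseDn, $filter, ['memberOf', 'objectSid', 'primaryGroupID']);
    $e   = ldap_get_entries($ldap, $res);
    if ($e['count'] === 0) {
        throw new RuntimeException("No such user: $sam");
    }
    $u = $e[0];
    $groups = [];
    for ($i = 0; $i < ($u['memberof']['count'] ?? 0); $i++) {
        $groups[] = $u['memberof'][$i];
    }
    // Second lookup: AD accepts a textual SID as the objectSid filter value.
    $gsid = primaryGroupSid(binarySidToString($u['objectsid'][0]), (int) $u['primarygroupid'][0]);
    $gres = ldap_search($ldap, $baseDn, '(objectSid=' . $gsid . ')', ['dn']);
    $g    = ldap_get_entries($ldap, $gres);
    if ($g['count'] > 0 && !in_array($g[0]['dn'], $groups, true)) {
        $groups[] = $g[0]['dn'];
    }
    return $groups;
}

// ---- usage ----------------------------------------------------------------
$ldap = ldap_connect('ldap://dc1.mydomain.local');            // placeholder
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_bind($ldap, 'svc-web-ro@mydomain.local', 'change-me');   // placeholders
print_r(groupsIncludingPrimary($ldap, 'DC=mydomain,DC=local', 'jsmith'));
```

Leaving every account on "Domain Users" (RID 513), as the first answer suggests, avoids this second search entirely because the primary group is then known without asking the directory.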

Q. Can I just upload version 4.0 over a version 3.0 copy?
A. In short, no: version 4.0 is a complete rewrite of the library. The only function that behaves the same way is the authenticate function, so if that is all you use then, in theory, yes.

Copyright © 2006-2014 Scott Barnett, Richard Hyland. All rights reserved. Licensed under the LGPL.