BANGALORE, INDIA: A directory service such as Active Directory on Windows stores user information (name, address, e-mail, phone and so on) in one central location. Besides acting as a directory, Active Directory is used for authentication on a network.
This means Active Directory can store users' login credentials (username and password) and use them to grant access to applications and network resources. Applications look up the directory service to validate login credentials instead of keeping credentials in their own stores (such as their own databases). If a user wants to change his password, he changes it in one place, in Active Directory, and can then log on to all the applications with the new password.
Windows and Windows applications integrate easily with Active Directory; after all, it is the de facto directory service on Windows. What about an application developed with open source technology? What about open source products?
PHP is undoubtedly one of the most popular open source languages for developing web applications. What if you are writing a new PHP application for your organization and want it to authenticate against an existing Active Directory server? The answer is a PHP library called adLDAP (explained later).
Next, numerous open source web applications (blogs, content management systems) and enterprise applications (CRM, mailing lists) are written in PHP. In this article we explain how to configure the following PHP-based open source applications to authenticate against Active Directory:
SugarCRM (www.sugarcrm.com): A customer relationship management (CRM) system
Joomla (www.joomla.org): A content management system
WordPress (www.wordpress.org): A blogging platform
phpBB (www.phpbb.com): A web-based discussion forum
phpList (www.phplist.com): A newsletter/mailing list system
Active Directory setup
For this article we used Windows Server 2008 with pcqlinux.net set up as the domain. Assuming that you have already installed and set up Active Directory, let's create a user called 'Shekhar Govindarajan' in the directory. Click on Start>Administrative Tools>Active Directory Users and Computers. Right-click on Users, under the domain, and select New>User. Type in the following details:
| The ADSI Edit console in Windows server gives a detailed peek into the directory organization of Active Directory. This is quite useful to understand and query an Active Directory. ADSI Edit can be launched via adsiedit.msc. |
First name: Shekhar
Last name: Govindarajan
User logon name: shekhar.govindarajan
Click on 'Next' and type in the password as pass@word2. Uncheck the box 'User must change password at next logon'. Click on 'Next' and then on 'Finish'. Right-click on the newly created user (found in the right pane) and select Properties. Under the General tab, type in shekhar.govindarajan@pcqlinux.net for E-mail. You may substitute your own details for all of the above. Next we configure each of the open source products mentioned above. Note that almost all of them can be installed on Windows too, but that is not required for the authentication: you can deploy these products on Linux and they can still authenticate against an Active Directory on Windows. Also note that in many cases we require the credentials of an Active Directory account that can bind and search through the directory. We will be using the Administrator account with the password pass@word1 for this purpose. In a real-world deployment you must not use the Administrator account; create a low-privilege account (an ordinary domain user can read the Users container) and use that. Finally, every configuration below talks plain LDAP on port 389. A simple bind sends the password in clear text, both the service account's and each user's at login, so outside an isolated test network use LDAPS (port 636) or StartTLS wherever the product supports it; either needs a server certificate on the domain controller.
Authenticate your custom PHP app
Using adLDAP, you can authenticate any custom or home-made application against Active Directory. Download adLDAP from http://adldap.sourceforge.net and extract the archive. You will find a file named adLDAP.php. Open this file in a text editor and make the following changes (as per the Active Directory setup):
var $_account_suffix="@pcqlinux.net";
var $_base_dn = "CN=Users,DC=pcqlinux,DC=net";
var $_domain_controllers = array ("ad.pcqlinux.net");
Note that for $_domain_controllers you will need to specify the IP address or hostname (ad.pcqlinux.net in our case) of the Active Directory server. Save the file. Now in the login page (say login.php) of your PHP application, include the file as:
include('adLDAP.php');
Next with the following code you can authenticate with the Active Directory:
function authenticateWithAd($username,$password)
{
$adLDAP = new adLDAP();
$auth = $adLDAP->authenticate($username,$password);
return $auth;
}
The function returns true if the authentication succeeds and false otherwise. Next we look at configuring existing open source products for Active Directory authentication. Many have the capability built in; others require plugins or code modifications. We assume you are familiar with the product(s) and explain only the authentication part.
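As an added example (not code from the article or from adLDAP), the following login.php wraps the function above with the checks a production login handler needs. It assumes adLDAP.php has been edited as described and sits in the same directory, and that index.php is the page to land on after login; the form field names and the logon-name pattern are our choices.

```php
<?php
// Added example: a minimal login.php around adLDAP::authenticate().
// Assumes adLDAP.php (edited as described above) is in the same directory.
require_once 'adLDAP.php';

session_start();

// Accept only plain AD logon names. Rejecting '@' and '\' means the caller
// cannot smuggle in a different UPN suffix or a DOMAIN\user form.
function valid_logon_name($username)
{
    return is_string($username)
        && preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $username) === 1;
}

function authenticateWithAd($username, $password)
{
    // An LDAP simple bind with an empty password is an "unauthenticated"
    // bind, which Active Directory accepts by default. Refuse it here so
    // an empty password field can never turn into a successful login.
    if (!valid_logon_name($username) || !is_string($password) || $password === '') {
        return false;
    }
    try {
        $adLDAP = new adLDAP();
        return $adLDAP->authenticate($username, $password) === true;
    } catch (Exception $e) {
        // Domain controller unreachable or bind error: treat as a failed login.
        return false;
    }
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    if (authenticateWithAd($username, $password)) {
        session_regenerate_id(true);      // fresh session id: defeats session fixation
        $_SESSION['user'] = $username;
        header('Location: index.php');    // assumed landing page
        exit;
    }
    // One message for "no such user" and "wrong password" alike,
    // so the form cannot be used to enumerate AD accounts.
    $error = 'Login failed';
}
?>
<form method="post" action="login.php">
  <?php if ($error !== '') { echo '<p>' . htmlspecialchars($error) . '</p>'; } ?>
  <label>Logon name <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="submit" value="Log in">
</form>
```

Because every attempt is a real bind against the domain controller, the domain's account lockout policy applies to password guessing through this form just as it does at a Windows logon prompt; the empty-password guard is the one case the directory will not catch for you.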
SugarCRM
For this article we used SugarCRM version 5.2.0a. After installing SugarCRM, log in as admin. Click on the Admin link on the top right. Under Users>User Management>Create New User, create a new user with the details:
| Fedora Directory Server can be thought of as the Active Directory of Linux. It uses LDAP and provides a graphical console for configuration. (Source: directory.fedoraproject.org). |
First Name: Shekhar
Last Name: Govindarajan
User Name: shekhar.govindarajan
Password: secret
Confirm Password: secret
Status: Active
Note that it is important to use the Active Directory logon name as the User Name in SugarCRM; the other details can differ. The password you supply here is the SugarCRM password. SugarCRM will try Active Directory as well as this password; if either matches, the user is allowed to log in. Typically you would give users only their Active Directory password and set the SugarCRM password to something known only to you, so that it serves as a fallback, for instance when the directory service is down. Because that fallback bypasses Active Directory (and its lockout and complexity policies), make it long and random. Next, we need to tell SugarCRM about our Active Directory. Click on Admin (top-right link), then on System Settings. Under 'LDAP Authentication Support', check 'Enable LDAP' and fill in the following details:
Server: ad.pcqlinux.net
Port Number: 389
Base DN: CN=Users,DC=pcqlinux,DC=net
Bind Attribute: userPrincipalName
Login Attribute: sAMAccountName
Authenticated User: CN=Administrator,CN=Users,DC=pcqlinux,DC=net
Authenticated Password: pass@word1
Note that for Server you will need to specify the IP address or hostname (ad.pcqlinux.net in our case) of the Active Directory server. Click on 'Save'. Log out and try logging in as shekhar.govindarajan with the password pass@word2, the Active Directory password for Shekhar.
Joomla
For this article we used Joomla version 1.5.9. After installing Joomla, log in as admin through the Joomla Administration Login. Click on Site>User Manager. Click on 'New'. Type in the following details:
Name: Shekhar Govindarajan
Username: shekhar.govindarajan
E-mail: shekhar.govindarajan@pcqlinux.net
Group: Public Back-end - Manager
Note that the Username must match the Active Directory logon name. If you want this user to log in only with his Active Directory password, leave the password fields blank; otherwise the user can log in with his Joomla password too. Next, click on Extensions>Plugin Manager. Click on the plugin named 'Authentication - LDAP'. On the left, select 'Yes' for Enabled. On the right, under Parameters, type in the following:
Host: ad.pcqlinux.net
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow referrals: No
Authorisation Method: Bind and Search
Base DN: CN=Users,DC=pcqlinux,DC=net
Search String: sAMAccountName=[search]
User's DN:
Connect username: cn=Administrator,cn=Users,dc=pcqlinux,dc=net
Connect password: pass@word1
Note that for Host you will need to specify the IP address or hostname (ad.pcqlinux.net in our case) of the Active Directory server, and that [search] in the Search String is Joomla's placeholder for the login name the user typed. Leave the other fields at their defaults. Click on 'Save'.
WordPress
For this article we used WordPress version 2.7.1. To authenticate WordPress users with Active Directory you will need a WordPress plugin called 'Simple LDAP Login'. The plugin can be downloaded from http://downloads.wordpress.org/plugin/simple-ldap-login.1.2.zip. Unzip the downloaded file into the wp-content/plugins directory.
Next, log in to WordPress as admin. First we need to activate the 'Simple LDAP Login' plugin: click on the Plugins menu on the left, then on the Activate link beside 'Simple LDAP Login'. Next, click on Settings>'Simple LDAP Login' on the left. Type in the following:
Account Suffix: @pcqlinux.net
Base DN: CN=Users,DC=pcqlinux,DC=net
Domain Controller(s): ad.pcqlinux.net
Here the account suffix matches the domain part of the 'User logon name' specified in Active Directory. Finally, create WordPress users whose usernames match the Active Directory logon names. As with SugarCRM and Joomla, this setup lets users log in with either their Active Directory password or the WordPress password (specified while creating the WordPress user).
phpBB
In the case of phpBB (3.0.4), unlike the products above, users can be authenticated against only one source: either Active Directory or the phpBB database. For this reason the username of the admin user chosen during phpBB installation must match the logon name of an Active Directory user. So if you opt for the username admin, do not forget to create a user named admin in Active Directory. After installation, log in to the ACP (Administration Control Panel). Under 'Client Configuration' click on Authentication and fill in the following:
Select an authentication method: Ldap
LDAP server name: ad.pcqlinux.net
LDAP base dn: CN=Users,DC=pcqlinux,DC=net
LDAP uid: sAMAccountName
LDAP user filter:
LDAP e-mail attribute: mail
LDAP user dn: CN=Administrator,CN=Users,DC=pcqlinux,DC=net
LDAP password: pass@word1
Click on submit.
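SugarCRM, Joomla (with 'Bind and Search') and phpBB all perform the same three-step flow with the settings above: bind with the service account, search the Base DN for the entry whose login attribute matches the name typed, then bind again as that entry with the user's password. As an added example, not code from the article or from any of those products, here is that flow written directly against PHP's ldap extension, using the article's server, Base DN and service-account DN. The service-account password, the search filter and the TLS upgrade are our choices: the article leaves TLS off, and ldap_start_tls() only succeeds when the domain controller has a server certificate the PHP host trusts, so in a lab without one remove that call, understanding that both passwords then cross the wire in clear.

```php
<?php
// Added example: the "bind and search" LDAP authentication flow against
// Active Directory, using the article's values. Not code from any product.
define('AD_URI',     'ldap://ad.pcqlinux.net:389');
define('AD_BASE_DN', 'CN=Users,DC=pcqlinux,DC=net');
define('AD_BIND_DN', 'CN=Administrator,CN=Users,DC=pcqlinux,DC=net'); // use a low-privilege account in practice
define('AD_BIND_PW', 'pass@word1');                                    // assumed, as in the article

// Escape a value before putting it into an LDAP search filter (RFC 4515),
// so a login such as "*)(objectClass=*" cannot widen the search.
// (PHP 5.6+ also offers ldap_escape($v, '', LDAP_ESCAPE_FILTER).)
function ldap_filter_escape($value)
{
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

function ad_connect()
{
    $ds = ldap_connect(AD_URI);
    if ($ds === false) {
        return false;
    }
    // AD requires LDAPv3, and referral chasing must be off: otherwise
    // searches under the domain hit referrals the client cannot follow.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Upgrade the connection to TLS so no bind password crosses the wire in clear.
    if (!@ldap_start_tls($ds)) {
        ldap_close($ds);
        return false;
    }
    return $ds;
}

function ad_bind_and_search_auth($username, $password)
{
    // An empty password would be an unauthenticated bind, which AD reports as success.
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return false;
    }
    $ds = ad_connect();
    if ($ds === false) {
        return false;
    }

    // Step 1: bind with the service account ("Authenticated User" / "Connect username").
    if (!@ldap_bind($ds, AD_BIND_DN, AD_BIND_PW)) {
        ldap_close($ds);
        return false;
    }

    // Step 2: search the Base DN for the login attribute (sAMAccountName=<user>).
    // objectCategory=person keeps computer accounts, which are also objectClass=user, out.
    $filter  = '(&(objectCategory=person)(objectClass=user)(sAMAccountName='
             . ldap_filter_escape($username) . '))';
    $res     = @ldap_search($ds, AD_BASE_DN, $filter, array('dn', 'mail'));
    $entries = $res ? ldap_get_entries($ds, $res) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_close($ds);
        return false;   // unknown or ambiguous user: same result as a bad password
    }
    $user_dn = $entries[0]['dn'];

    // Step 3: rebind as the DN we found, with the password the user supplied.
    $ok = @ldap_bind($ds, $user_dn, $password);
    ldap_close($ds);
    return $ok === true;
}

// Usage: true for the article's test user with pass@word2, false otherwise.
var_dump(ad_bind_and_search_auth('shekhar.govindarajan', 'pass@word2'));
```

Two of the settings in the products above map directly onto this code: the 'Authenticated User'/'Connect username' is the DN used in step 1, and the 'Login Attribute'/'LDAP uid'/'Search String' is the attribute in the step 2 filter. Note also why the service account need only be able to read: it is used for nothing but the search.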
phpList
For phpList we use the adLDAP library (see above). Active Directory authentication can be used for the list admins. Create a list admin via 'Main page'>admins (under Administrator functions). Click on 'add new admin'. For the username, type in the Active Directory logon name (shekhar.govindarajan in our case). Set the other parameters as appropriate for your case.
Next we modify the phpList code so that, apart from admin (the default list admin), all list admins are authenticated against Active Directory. Assuming that you have already modified adLDAP.php as explained above, copy it to the lists/admin subdirectory of phpList. Next, open the file phplist_auth.inc, found in lists/admin/auth, in a text editor and add the following line at the top of the file (inside the opening PHP tag):
require_once dirname(__FILE__).'/../adLDAP.php';
Modify the validateLogin($login,$password) function so that it looks as follows:
function validateLogin($login,$password) {
  $adldap = new adLDAP();
  // look up the list admin record; the login name must exist in phpList's admin table
  $admindata = Sql_Fetch_Array_Query(sprintf('select password,disabled,id from %s where loginname = "%s"',$GLOBALS["tables"]["admin"],$login));
  if ($admindata["disabled"]) {
    return array(0,"your account has been disabled");
  } elseif ($admindata[0] && (($login=="admin" && $admindata[0] == $password) || $adldap->authenticate($login,$password)) && strlen($admindata[0]) > 3) {
    // 'admin' is checked against its phpList password; every other admin against Active Directory
    return array($admindata["id"],"OK");
  } else {
    return array(0,"invalid password");
  }
  return array(0,"Login failed");
}
Save the file. From now on, list admins other than 'admin' are authenticated against Active Directory. Their phpList password is never compared, but the condition above still requires the record to hold a password longer than three characters, so set one when creating each admin.
Take home
Last year with PCQLinux 2008 (bundled with the March 2008 issue of PCQuest) we had appliances for CMS (Alfresco), web meetings (Webhuddle) and messaging (Zimbra) authenticating against the LDAP-based Fedora Directory Server. This time we looked at how to authenticate our own PHP applications against Active Directory.
We picked popular open source, PHP-based products for CRM, CMS, blogging, discussion forums and mailing lists, and configured them to authenticate against Windows Server 2008 Active Directory. We went to the extent of modifying the code of an open source product (possible precisely because it is open source) for Active Directory authentication. We hope that we have given you enough meat to reach central-authentication nirvana on an open source platform.