PhpRiot
Become Zend Certified

Prepare for the ZCE exam using our quizzes (web or iPad/iPhone). More info...


When you're ready get 7.5% off your exam voucher using voucher CJQNOV23 at the Zend Store

Common Options for Specific Servers

Options for Active Directory

For ADS, the following options are noteworthy:

Table 12. Options for Active Directory

Name Additional Notes
host As with all servers, this option is required.
useStartTls For the sake of security, this should be TRUE if the server has the necessary certificate installed.
useSsl Possibly used as an alternative to useStartTls (see above).
baseDn As with all servers, this option is required. By default AD places all user accounts under the Users container (e.g., CN=Users,DC=foo,DC=net), but the default is not common in larger organizations. Ask your AD administrator what the best DN for accounts for your application would be.
accountCanonicalForm You almost certainly want this to be 3 for backslash style names (e.g., FOO\alice), which are most familiar to Windows users. You should not use the unqualified form 2 (e.g., alice), as this may grant access to your application to users with the same username in other trusted domains (e.g., BAR\alice and FOO\alice will be treated as the same user). (See also note below.)
accountDomainName This is required with AD unless accountCanonicalForm 2 is used, which, again, is discouraged.
accountDomainNameShort The NetBIOS name of the domain that users are in and for which the AD server is an authority. This is required if the backslash style accountCanonicalForm is used.

Note

Technically there should be no danger of accidental cross-domain authentication with the current Zend_Auth_Adapter_Ldap implementation, since server domains are explicitly checked, but this may not be true of a future implementation that discovers the domain at runtime, or if an alternative adapter is used (e.g., Kerberos). In general, account name ambiguity is known to be the source of security issues, so always try to use qualified account names.

Options for OpenLDAP

For OpenLDAP or a generic LDAP server using a typical posixAccount style schema, the following options are noteworthy:

Table 13. Options for OpenLDAP

Name Additional Notes
host As with all servers, this option is required.
useStartTls For the sake of security, this should be TRUE if the server has the necessary certificate installed.
useSsl Possibly used as an alternative to useStartTls (see above).
username Required and must be a DN, as OpenLDAP requires that usernames be in DN form when performing a bind. Try to use an unprivileged account.
password The password corresponding to the username above, but this may be omitted if the LDAP server permits an anonymous binding to query user accounts.
bindRequiresDn Required and must be TRUE, as OpenLDAP requires that usernames be in DN form when performing a bind.
baseDn As with all servers, this option is required and indicates the DN under which all accounts being authenticated are located.
accountCanonicalForm Optional, but the default value is 4 (principal style names like alice@foo.net), which may not be ideal if your users are used to backslash style names (e.g., FOO\alice). For backslash style names use value 3.
accountDomainName Required unless you're using accountCanonicalForm 2, which is not recommended.
accountDomainNameShort If AD is not also being used, this value is not required. Otherwise, if accountCanonicalForm 3 is used, this option is required and should be a short name that corresponds adequately to the accountDomainName (e.g., if your accountDomainName is foo.net, a good accountDomainNameShort value might be FOO).

Zend Framework