To incorporate Zend_Auth_Adapter_Ldap authentication into your
application quickly, even if you're not using Zend_Controller,
the meat of your code should look something like the following:
<?php
$username = $this->_request->getParam('username');
$password = $this->_request->getParam('password');

$auth = Zend_Auth::getInstance();

$config = new Zend_Config_Ini('../application/config/config.ini',
                              'production');

$log_path = $config->ldap->log_path;
$options  = $config->ldap->toArray();
unset($options['log_path']); // not an adapter option; used only for logging below

$adapter = new Zend_Auth_Adapter_Ldap($options, $username,
                                      $password);

$result = $auth->authenticate($adapter);

if ($log_path) {
    $messages = $result->getMessages();

    $logger = new Zend_Log();
    $logger->addWriter(new Zend_Log_Writer_Stream($log_path));
    $filter = new Zend_Log_Filter_Priority(Zend_Log::DEBUG);
    $logger->addFilter($filter);

    foreach ($messages as $i => $message) {
        if ($i-- > 1) { // $messages[2] and up are log messages
            $message = str_replace("\n", "\n  ", $message);
            $logger->log("Ldap: $i: $message", Zend_Log::DEBUG);
        }
    }
}
Of course, the logging code is optional, but it is highly recommended that you use a
logger. Zend_Auth_Adapter_Ldap will record just about every bit
of information anyone could want in $messages (more below), which is
a nice feature in itself for something that has a history of being notoriously difficult
to debug.
The Zend_Config_Ini code is used above to load the adapter
options. It is also optional. A regular array would work equally well. The following is
an example application/config/config.ini file that has options for
two separate servers. With multiple sets of server options the adapter will try each, in
order, until the credentials are successfully authenticated. The names of the servers
(e.g., 'server1' and 'server2') are largely arbitrary. For details regarding the options
array, see the Server Options section below. Note that
Zend_Config_Ini requires any value containing an "equals" character
(=) to be quoted (like the DNs shown below).
[production]

ldap.log_path = /tmp/ldap.log

; Typical options for OpenLDAP
ldap.server1.host = s0.foo.net
ldap.server1.accountDomainName = foo.net
ldap.server1.accountDomainNameShort = FOO
ldap.server1.accountCanonicalForm = 3
ldap.server1.username = "CN=user1,DC=foo,DC=net"
ldap.server1.password = pass1
ldap.server1.baseDn = "OU=Sales,DC=foo,DC=net"
ldap.server1.bindRequiresDn = true

; Typical options for Active Directory
ldap.server2.host = dc1.w.net
ldap.server2.useStartTls = true
ldap.server2.accountDomainName = w.net
ldap.server2.accountDomainNameShort = W
ldap.server2.accountCanonicalForm = 3
ldap.server2.baseDn = "CN=Users,DC=w,DC=net"
The above configuration will instruct Zend_Auth_Adapter_Ldap to
attempt to authenticate users with the OpenLDAP server s0.foo.net
first. If the authentication fails for any reason, the AD server
dc1.w.net will be tried.
With servers in different domains, this configuration illustrates multi-domain authentication. You can also have multiple servers in the same domain to provide redundancy.
Note that in this case, even though OpenLDAP has no need for the short NetBIOS style domain name used by Windows, we provide it here for name canonicalization purposes (described in the Username Canonicalization section below).
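The same two-server setup expressed as a plain PHP array (the text above notes that Zend_Config_Ini is optional), wrapped in a function that returns a structured outcome instead of relying on a Zend_Controller request object. This is an added example, not code from the Zend manual. It assumes Zend Framework 1.x is on the include path; the hostnames, DNs and domain names are the page's own sample values, while the service-account password, the user credentials, the log path /var/log/app/ldap.log and the function name ldapAuthenticate are placeholders and assumptions of this example.

```php
<?php
// Added example (not from the Zend manual). Requires Zend Framework 1.x.
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/Ldap.php';
require_once 'Zend/Log.php';
require_once 'Zend/Log/Writer/Stream.php';
require_once 'Zend/Log/Filter/Priority.php';

// Server sets are tried in array order until one accepts the credentials;
// the keys 'server1' / 'server2' are arbitrary, as with the ini file.
$ldapOptions = array(
    // Typical options for OpenLDAP: a bind DN is required, so a read-only
    // service account is configured (password is a placeholder here).
    'server1' => array(
        'host'                   => 's0.foo.net',
        'accountDomainName'      => 'foo.net',
        'accountDomainNameShort' => 'FOO',
        'accountCanonicalForm'   => 3,
        'username'               => 'CN=user1,DC=foo,DC=net',
        'password'               => 'PLACEHOLDER_SERVICE_PASSWORD',
        'baseDn'                 => 'OU=Sales,DC=foo,DC=net',
        'bindRequiresDn'         => true,
    ),
    // Typical options for Active Directory, with StartTLS so the user's
    // password is not sent in clear text to the domain controller.
    'server2' => array(
        'host'                   => 'dc1.w.net',
        'useStartTls'            => true,
        'accountDomainName'      => 'w.net',
        'accountDomainNameShort' => 'W',
        'accountCanonicalForm'   => 3,
        'baseDn'                 => 'CN=Users,DC=w,DC=net',
    ),
);

/**
 * Authenticate $username/$password against each configured server in turn.
 * The adapter's detailed diagnostic messages go to $logPath (if given) and
 * are never returned to the caller, so directory details stay out of the
 * HTTP response; only the generic first message is surfaced.
 */
function ldapAuthenticate(array $options, $username, $password, $logPath = null)
{
    $adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
    $result  = Zend_Auth::getInstance()->authenticate($adapter);
    $messages = $result->getMessages();

    if ($logPath !== null) {
        $logger = new Zend_Log();
        $logger->addWriter(new Zend_Log_Writer_Stream($logPath));
        $logger->addFilter(new Zend_Log_Filter_Priority(Zend_Log::DEBUG));
        // $messages[2] and up are the per-server log messages.
        foreach ($messages as $i => $message) {
            if ($i >= 2) {
                $message = str_replace("\n", "\n  ", $message);
                $logger->log('Ldap: ' . ($i - 1) . ': ' . $message, Zend_Log::DEBUG);
            }
        }
    }

    return array(
        'valid'    => $result->isValid(),
        'code'     => $result->getCode(),   // Zend_Auth_Result::SUCCESS or a FAILURE_* constant
        'identity' => $result->isValid() ? $result->getIdentity() : null,
        'summary'  => isset($messages[0]) ? $messages[0] : '',
    );
}

// Usage: credentials would normally come from the login request.
$outcome = ldapAuthenticate($ldapOptions, 'alice', 'PLACEHOLDER_USER_PASSWORD',
                            '/var/log/app/ldap.log');
if ($outcome['valid']) {
    echo 'Authenticated as ' . $outcome['identity'] . "\n";
} else {
    // Report only the generic summary; the detailed trail is in the log file.
    echo 'Login failed: ' . $outcome['summary'] . "\n";
}
```

Because the log receives the full per-server trail (bind DNs, search filters and server error text), write it somewhere only the application and its operators can read rather than a shared temporary directory, and keep the service-account password out of version-controlled configuration.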