Become Zend Certified

Prepare for the ZCE exam using our quizzes (web or iPad/iPhone). More info...

When you're ready get 7.5% off your exam voucher using voucher CJQNOV23 at the Zend Store


To incorporate Zend_Auth_Adapter_Ldap authentication into your application quickly, even if you're not using Zend_Controller, the meat of your code should look something like the following:

$password $this->_request->getParam('password');

$auth Zend_Auth::getInstance();

$config = new Zend_Config_Ini('../application/config/config.ini',
$log_path $config->ldap->log_path;
$options $config->ldap->toArray();

$adapter = new Zend_Auth_Adapter_Ldap($options$username,

$result $auth->authenticate($adapter);

if (
$log_path) {
$messages $result->getMessages();

$logger = new Zend_Log();
$logger->addWriter(new Zend_Log_Writer_Stream($log_path));
$filter = new Zend_Log_Filter_Priority(Zend_Log::DEBUG);

    foreach (
$messages as $i => $message) {
        if (
$i-- > 1) { // $messages[2] and up are log messages
$message str_replace("\n""\n  "$message);
$logger->log("Ldap: $i$message"Zend_Log::DEBUG);

Of course, the logging code is optional, but it is highly recommended that you use a logger. Zend_Auth_Adapter_Ldap will record just about every bit of information anyone could want in $messages (more below), which is a nice feature in itself for something that has a history of being notoriously difficult to debug.

The Zend_Config_Ini code is used above to load the adapter options. It is also optional. A regular array would work equally well. The following is an example application/config/config.ini file that has options for two separate servers. With multiple sets of server options the adapter will try each, in order, until the credentials are successfully authenticated. The names of the servers (e.g., 'server1' and 'server2') are largely arbitrary. For details regarding the options array, see the Server Options section below. Note that Zend_Config_Ini requires that any values with "equals" characters (=) will need to be quoted (like the DNs shown below).


ldap.log_path = /tmp/ldap.log

; Typical options for OpenLDAP =
ldap.server1.accountDomainName =
ldap.server1.accountDomainNameShort = FOO
ldap.server1.accountCanonicalForm = 3
ldap.server1.username = "CN=user1,DC=foo,DC=net"
ldap.server1.password = pass1
ldap.server1.baseDn = "OU=Sales,DC=foo,DC=net"
ldap.server1.bindRequiresDn = true

; Typical options for Active Directory =
ldap.server2.useStartTls = true
ldap.server2.accountDomainName =
ldap.server2.accountDomainNameShort = W
ldap.server2.accountCanonicalForm = 3
ldap.server2.baseDn = "CN=Users,DC=w,DC=net"

The above configuration will instruct Zend_Auth_Adapter_Ldap to attempt to authenticate users with the OpenLDAP server first. If the authentication fails for any reason, the AD server will be tried.

With servers in different domains, this configuration illustrates multi-domain authentication. You can also have multiple servers in the same domain to provide redundancy.

Note that in this case, even though OpenLDAP has no need for the short NetBIOS style domain name used by Windows, we provide it here for name canonicalization purposes (described in the Username Canonicalization section below).

Zend Framework