nocash edited this page Sep 13, 2010 · 4 revisions

The aim of this document is to provide a quick, fairly high-level overview of the AD/LDAP module for Kohana.

And while I have your attention, note that all of the actual interaction with the LDAP server is handled by the adLDAP PHP library, which was not written by me. It is, however, included in the vendor/adLDAP. I’m pretty sure I’m allowed to do that provided I don’t try to pass it off as my own.

Overview

The AD/LDAP module built for use with Kohana is a small collection of libraries (tools? classes?) designed to simplify interaction with an LDAP server.

The libraries in the module can be divided into four groups.

  1. The third-party adLDAP library and a wrapper (KadLDAP) to “Kohanify” it.
  2. The ‘SimpleLDAPResult’ library, designed to simplify interacting with results returned when querying the LDAP server (but which probably doesn’t even work because I haven’t used it all that much yet).
  3. An LDAP driver for use with the Kohana Auth module. This includes an extension containing a minor change to the Auth module’s Auth library. Pretty awesome, overall.
  4. Models for select LDAP objects/resources to simplify interactions (i.e. users and groups).

adLDAP and KadLDAP

The third-party adLDAP library does most of the heavy lifting when it comes to interacting with the LDAP server. The KadLDAP wrapper was created to allow for a more Kohana-esque interaction with the library. It pulls configuration options for adLDAP from a config file and passes them along and can be used as a singleton (or not). Most methods sent to KadLDAP are simply forwarded to the adLDAP library and the result returned as normal. This allows for a point of interception should methods of the adLDAP library need to be modified or replaced (e.g. the user_info method. It normally throws an error if the requested user doesn’t exist, but I thought that was a bit heavy-handed so I suppressed it).

Usage Examples

Get Petey Billson’s user information:

$user_info = KadLDAP::instance()->user_info('pbillson');

…or…

$ldap = new KadLDAP();
$user_info = $ldap->user_info('pbillson');
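The forwarding-wrapper arrangement described above, as an added example rather than the module's own KadLDAP source: configuration is read from a Kohana config group (the group name `adldap` and the `Kohana::config()` call are assumed), every unknown method is passed straight through to the wrapped adLDAP object, and `user_info()` is the one interception point, returning FALSE for an unknown user instead of raising an error. The adLDAP constructor taking an options array and `user_info($username, $fields)` are assumptions about the third-party library.

```php
<?php
// Added example, not the module's KadLDAP class. Assumes the adLDAP library is
// loaded, that its constructor accepts an options array, and that a Kohana
// config group named 'adldap' (hypothetical) holds the connection settings.
class KadLDAP_Example
{
    protected static $instance;   // singleton slot for instance()
    protected $adldap;            // the wrapped third-party adLDAP object

    public static function instance()
    {
        if (self::$instance === NULL)
        {
            self::$instance = new self();
        }
        return self::$instance;
    }

    public function __construct(array $options = NULL)
    {
        // Pull connection options from config when none are given explicitly.
        if ($options === NULL)
        {
            $options = Kohana::config('adldap');   // assumed config group
        }
        $this->adldap = new adLDAP($options);
    }

    // Interception point: adLDAP::user_info() raises an error when the user
    // does not exist; here that is suppressed and reported as FALSE instead.
    public function user_info($username, $fields = NULL)
    {
        $result = @$this->adldap->user_info($username, $fields);
        return empty($result) ? FALSE : $result;
    }

    // Every other method is forwarded to adLDAP and its result returned as-is.
    public function __call($method, array $args)
    {
        return call_user_func_array(array($this->adldap, $method), $args);
    }
}
```

Because `__call` only fires for methods the wrapper does not define, adding a method to the wrapper is all it takes to replace or adjust one adLDAP behaviour while leaving the rest untouched.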

SimpleLDAPResult

This part of the module is still in development and has not been fully tested. It may not work correctly or, in some cases, not work at all.

The SimpleLDAPResult library is a result wrapper modeled after PHP’s built-in SimpleXMLElement. It’s designed to simplify working with the otherwise bulky arrays returned from LDAP queries by providing a simpler, object-based interface.

This library implements PHP’s Iterator, ArrayAccess and Countable interfaces to make accessing the data as easy as possible.

Usage Examples

Wrapping an LDAP result:

$user_info = KadLDAP::instance()->user_info('pbillson');
$user_info = new SimpleLDAPResult($user_info);
echo $user_info->samaccountname;

For comparison, doing the same thing as above without using SimpleLDAPResult would look like this:

$user_info = KadLDAP::instance()->user_info('pbillson');
echo $user_info[0]['samaccountname'][0];
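To make the comparison concrete, here is an added example (not the module's SimpleLDAPResult class) of a wrapper over the array shape that `ldap_get_entries()` produces and that adLDAP's `user_info()` hands back: a top-level `count`, numeric entry indexes, and per-attribute arrays that carry their own `count` key and lowercased attribute names. The class and method names are illustrative, and the sample entry at the bottom is constructed, not taken from a directory.

```php
<?php
// Added example, not the module's SimpleLDAPResult. Wraps one entry from an
// ldap_get_entries()-style array behind Iterator, ArrayAccess and Countable.
class SimpleLDAPResult_Example implements Iterator, ArrayAccess, Countable
{
    protected $entry;   // attribute => array('count' => n, 0 => value, ...); 'dn' is a plain string
    protected $keys;    // attribute names, used for iteration
    protected $pos = 0;

    public function __construct(array $result, $index = 0)
    {
        // A full result set has numeric entries under a top-level 'count';
        // a single entry has attribute names as keys. Accept either form.
        if (isset($result['count']) AND isset($result[$index]) AND is_array($result[$index]))
        {
            $result = $result[$index];
        }
        $this->entry = $result;
        // Keep only attribute names: drop 'count' and the positional numeric keys.
        $this->keys = array();
        foreach ($result as $key => $value)
        {
            if (is_string($key) AND $key !== 'count')
            {
                $this->keys[] = $key;
            }
        }
    }

    // $result->samaccountname gives the first value of a (possibly multi-valued) attribute.
    public function __get($name)
    {
        $name = strtolower($name);   // ldap_get_entries() lowercases attribute names
        if ( ! isset($this->entry[$name]))
        {
            return NULL;
        }
        $attr = $this->entry[$name];
        return is_array($attr) ? $attr[0] : $attr;
    }

    // All values of an attribute, without the bookkeeping 'count' key.
    public function values($name)
    {
        $name = strtolower($name);
        if ( ! isset($this->entry[$name]))
        {
            return array();
        }
        $attr = $this->entry[$name];
        if ( ! is_array($attr))
        {
            return array($attr);
        }
        unset($attr['count']);
        return array_values($attr);
    }

    // ArrayAccess: $result['samaccountname'] behaves like the property form; results are read-only.
    public function offsetExists($name) { return isset($this->entry[strtolower($name)]); }
    public function offsetGet($name) { return $this->__get($name); }
    public function offsetSet($name, $value) { throw new Exception('LDAP results are read-only'); }
    public function offsetUnset($name) { throw new Exception('LDAP results are read-only'); }

    // Countable: number of attributes on the entry.
    public function count() { return count($this->keys); }

    // Iterator: foreach ($result as $attribute => $first_value)
    public function rewind() { $this->pos = 0; }
    public function valid() { return $this->pos < count($this->keys); }
    public function key() { return $this->keys[$this->pos]; }
    public function current() { return $this->__get($this->keys[$this->pos]); }
    public function next() { $this->pos++; }
}

// Constructed sample in ldap_get_entries() shape; not a real directory entry.
$sample = array(
    'count' => 1,
    0 => array(
        'count' => 3,
        0 => 'samaccountname', 'samaccountname' => array('count' => 1, 0 => 'pbillson'),
        1 => 'displayname',    'displayname'    => array('count' => 1, 0 => 'Petey Billson'),
        2 => 'memberof',       'memberof'       => array('count' => 2,
            0 => 'CN=Danger-Rangers,OU=Groups,DC=example,DC=com',
            1 => 'CN=Staff,OU=Groups,DC=example,DC=com'),
        'dn' => 'CN=Petey Billson,OU=Users,DC=example,DC=com',
    ),
);

$user_info = new SimpleLDAPResult_Example($sample);
echo $user_info->samaccountname, "\n";      // property form, first value
echo $user_info['displayname'], "\n";        // array form, same lookup
print_r($user_info->values('memberOf'));     // every group DN, 'count' stripped
foreach ($user_info as $attribute => $value) // one line per attribute, including dn
{
    echo $attribute, ': ', $value, "\n";
}
```

Two details matter for anyone writing such a wrapper: attribute names come back lowercased from `ldap_get_entries()`, so lookups should normalise case, and every multi-valued attribute array carries a `count` key that must be removed before the values are handed to application code.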

LDAP Auth Extension

The AD/LDAP module also adds a driver for Kohana’s Auth module. To use it, change the driver setting in your auth.php config file to ‘LDAP’. Usernames and passwords will then be checked against the LDAP server.

By default, the Auth library salts passwords before passing them through to the driver. This shouldn’t happen when using LDAP, since the LDAP server needs the password as entered in order to bind, so an Auth library extension is also included in the AD/LDAP module to override this functionality when the LDAP driver is specified.

If anyone knows of a way to get the password through the Auth library without needing to extend the core, I’d love to hear it.
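An added example (not the module's driver) of the credential check at the heart of an LDAP Auth driver, showing why the password has to reach the driver unsalted: it is handed to `ldap_bind()` exactly as the user typed it and the server does the comparison. The host URL, the account suffix and the class name are placeholders, and the surrounding Kohana `Auth_Driver` interface is assumed rather than shown. Two checks that belong in any bind-based login are included: an empty password is refused before any bind is attempted, because LDAP servers treat a bind with a name and no password as an unauthenticated bind and may answer success, and the connection uses `ldaps://` so the password is not sent in the clear.

```php
<?php
// Added example, not the module's Auth LDAP driver. The bind check a Kohana 2.x
// Auth driver's login() would delegate to; host, suffix and names are placeholders.
class Auth_LDAP_Driver_Example
{
    protected $host   = 'ldaps://ldap.example.com';   // placeholder; ldaps:// keeps the bind password off the wire in clear
    protected $suffix = '@example.com';                // placeholder userPrincipalName suffix for AD binds

    // TRUE only when the server accepts a bind with exactly these credentials.
    public function check_credentials($username, $password)
    {
        // Refuse empty or non-string passwords before touching the server: a bind
        // with a name and an empty password is an unauthenticated bind and can
        // succeed, which would log anyone in as any account.
        if ( ! is_string($username) OR ! is_string($password) OR $username === '' OR $password === '')
        {
            return FALSE;
        }
        // Only plain account names reach the bind DN; anything containing DN or
        // UPN separators or control characters is rejected rather than escaped.
        if ( ! preg_match('/^[A-Za-z0-9._-]+$/', $username))
        {
            return FALSE;
        }

        $conn = ldap_connect($this->host);
        if ($conn === FALSE)
        {
            return FALSE;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // avoid chasing referrals with the user's credentials

        // The password goes to the server as entered; hashing or salting it first
        // would make every bind fail, which is why the module overrides Auth's salting.
        $ok = @ldap_bind($conn, $username.$this->suffix, $password);
        ldap_unbind($conn);
        return (bool) $ok;
    }
}
```

A driver built this way reports only success or failure; it does not distinguish an unknown user from a wrong password, which keeps the login form from leaking which accounts exist.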

LDAP Models

These are a few models to assist when working with users and groups. They create a simplified interface for working with information from the LDAP server, in addition to providing some additional useful methods. Specifically, you can use these models to check if a user belongs to a certain group or if a group is a subgroup of another group.

Usage Examples

Getting the currently logged-in user using the Auth module (using the LDAP driver):

$username = Auth::instance()->get_user();
$user = LDAP_User_Model::factory($username);
echo $user->displayname;

Check that a user is a member of the Danger Rangers group:

LDAP_User_Model::factory('pbillson')->is_member_of('Danger-Rangers'); // TRUE or FALSE

…or…

$group = LDAP_Group_Model::factory('Danger-Rangers');
LDAP_User_Model::factory('pbillson')->is_member_of($group);

…or…

LDAP_Group_Model::factory('Danger-Rangers')->has_member('pbillson');

…etc.
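How a membership or subgroup check of this kind can be resolved when groups nest, as an added example rather than the module's LDAP_User_Model and LDAP_Group_Model code. The directory below is a constructed in-memory map of group name to member DNs (a real implementation would fetch each group's `member` attribute from the server), the DN naming scheme is a placeholder, and the class and method names are illustrative. It goes slightly beyond the page's calls by adding a visited set, because Active Directory permits two groups to contain each other and a naive recursion would loop forever.

```php
<?php
// Added example, not the module's models. Resolves direct and nested group
// membership over a constructed group => member-DN map.
class Group_Membership_Example
{
    protected $groups;   // group name => array of member DNs (users or other groups)

    public function __construct(array $groups)
    {
        $this->groups = $groups;
    }

    // TRUE when $member_dn is in $group, directly or (by default) through nested groups.
    public function has_member($group, $member_dn, $recursive = TRUE)
    {
        $seen = array();
        return $this->walk($group, $member_dn, $recursive, $seen);
    }

    // A group is a subgroup of $parent when $parent contains it, directly or nested.
    public function is_subgroup_of($group, $parent, $recursive = TRUE)
    {
        return $this->has_member($parent, $this->dn($group), $recursive);
    }

    protected function walk($group, $member_dn, $recursive, array & $seen)
    {
        // Cycle guard: a group already visited on this search is not re-entered.
        if (isset($seen[$group]) OR ! isset($this->groups[$group]))
        {
            return FALSE;
        }
        $seen[$group] = TRUE;
        foreach ($this->groups[$group] as $dn)
        {
            if (strcasecmp($dn, $member_dn) === 0)   // DNs compare case-insensitively
            {
                return TRUE;
            }
            // A member DN that names another group is descended into.
            $nested = $this->group_from_dn($dn);
            if ($recursive AND $nested !== NULL AND $this->walk($nested, $member_dn, $recursive, $seen))
            {
                return TRUE;
            }
        }
        return FALSE;
    }

    protected function dn($group)
    {
        return 'CN='.$group.',OU=Groups,DC=example,DC=com';   // placeholder naming scheme
    }

    protected function group_from_dn($dn)
    {
        foreach (array_keys($this->groups) as $name)
        {
            if (strcasecmp($dn, $this->dn($name)) === 0)
            {
                return $name;
            }
        }
        return NULL;
    }
}

// Constructed directory, not real data: Danger-Rangers sits inside Staff, and
// Staff and Everyone contain each other to exercise the cycle guard.
$directory = new Group_Membership_Example(array(
    'Danger-Rangers' => array('CN=Petey Billson,OU=Users,DC=example,DC=com'),
    'Staff'          => array('CN=Danger-Rangers,OU=Groups,DC=example,DC=com',
                              'CN=Everyone,OU=Groups,DC=example,DC=com'),
    'Everyone'       => array('CN=Staff,OU=Groups,DC=example,DC=com'),
));
$petey = 'CN=Petey Billson,OU=Users,DC=example,DC=com';
var_dump($directory->has_member('Danger-Rangers', $petey));          // direct membership
var_dump($directory->has_member('Staff', $petey));                   // reached through the nested group
var_dump($directory->has_member('Staff', $petey, FALSE));            // direct members only
var_dump($directory->is_subgroup_of('Danger-Rangers', 'Everyone'));  // Everyone contains Staff, which contains Danger-Rangers
var_dump($directory->has_member('Everyone', 'CN=Nobody,OU=Users,DC=example,DC=com'));  // terminates despite the cycle
```

Whether a check should follow nested groups is an authorization decision: an access rule keyed on a group name will admit everyone in every group nested beneath it, so the recursive and direct-only forms are kept separate here.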

Additional Notes and Information

This module was the result of the first time I’ve had to interact with LDAP-based authentication. Hopefully it works for you, but I really have no idea what to expect. I mean, it works for me and all, but that’s just me using my own code on a single LDAP configuration. Not the most extensive form of testing.

Update 2010.02.18: Sadly, the project I was working on that required this library got scrapped (a while ago, actually). Since I don’t really have a reason or way to work with LDAP anymore, this project is going to be gathering a lot of dust. I’ll leave it here should anyone want to fork it or use it for reference or whatever usefulness can come of it.