
Zendx_Auth_Adapter_Ldap: msg#00027

php.zend.framework.auth

Subject: Zendx_Auth_Adapter_Ldap

Hello Zend_Auth List,

Clearly Zend Framework is in need of an LDAP authentication adapter. I
have a strong background doing this sort of thing so I thought I would
whip one up. The zf-ldap package may be obtained here:

http://www.ioplex.com/code/

The code should be considered beta but I have tested it fairly well
with OpenLDAP and Microsoft Active Directory and I expect it to
perform well.

In the following weeks I will look into the ZF proposal process in
anticipation of submitting this adapter for inclusion into Zend
Framework as a standard package.

Inlined below is the README.txt from the package. It doesn't describe
some of the more advanced features like username canonicalization but
I will document things properly in time.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

--8<-- README.txt --8<--

zf-ldap-0.1.0

This package contains an LDAP authentication adapter for Zend Framework.

The LDAP adapter consists of three classes. The Zendx prefix serves to
isolate the code until it is determined whether or not the adapter
will be accepted into ZF.

The Zendx_Auth_Adapter_Ldap class is the bulk of the adapter code.

The Zendx_Auth_Adapter_AdsLdap class extends Zendx_Auth_Adapter_Ldap
and is optimized for Microsoft Active Directory Server. Specifically,
it eliminates the user DN "probe" lookup and supports username
canonicalization.

Zendx_Auth_Adapter_LdapException is just an exception class (but it
actually contains some code).

This package is also a stand alone application that uses
Zend_Controller to provide a simple login form and an index page that
prints the user's identity.

INSTALLATION
------------

Just add the library/Zendx directory to your path (or move it into
your app's library directory).

To run the demo, export the html directory and adjust html/.htaccess
as necessary. See the Zend_Controller documentation for details
regarding setting up and running a Zend_Controller app.

USAGE
-----

To get started quickly, just copy the
application/controllers/UserController.php code. Your code should
look something like the following:

$auth = Zend_Auth::getInstance();

// $username and $password are the values posted from the login form
// (see application/controllers/UserController.php).
require_once 'Zendx/Auth/Adapter/Ldap.php';
$adapter = new Zendx_Auth_Adapter_Ldap();
$adapter->setLogPath('/tmp/ldap.log')
        ->setHost('s0.foo.net')
        ->setProbeUsername('CN=user1,DC=foo,DC=net')
        ->setProbePassword('pass1')
        ->setBaseDn('OU=Sales,DC=foo,DC=net')
        ->setUsername($username)
        ->setPassword($password);

$result = $auth->authenticate($adapter);

if (!$result->isValid()) {
    // FAILURE
    // Send user back to login form
    $controller_name = $this->getRequest()->getControllerName();

    $this->_helper->redirector->gotoUrl("$controller_name/index/username/$username");
} else {
    // SUCCESS
    $this->_redirect('/');
}

If you're using Microsoft Active Directory Server, use the AdsLdap
class instead. The initialization part is a little different:

require_once 'Zendx/Auth/Adapter/AdsLdap.php';
$adapter = new Zendx_Auth_Adapter_AdsLdap();
$adapter->setLogPath('/tmp/ldap.log')
        ->setHost('dc1.w.net')
        ->setBaseDn('CN=Users,DC=w,DC=net')
        ->addDomain('w.net', 'W')
        ->setUsername($username)
        ->setPassword($password);

API
---

Most of the initialization methods return $this so that methods may be
chained (as shown above).

setHost($host)
required
Sets the LDAP server hostname or IP address.

setPort($port)
default is 389
Sets the LDAP server port

LDAP servers (other than ADS) require usernames in simple binds to be
in DN form like CN=Alice Baker,OU=Sales,DC=foo,DC=net. Therefore, the
adapter must "probe" the directory to lookup the DN of the user with
the supplied username. The setProbeUsername and setProbePassword
methods set the credentials of the account used to perform these
lookups. The account does not need to be privileged. Lowly read-only
credentials will do.

setProbeUsername($probeUsername)
required (but not by Zendx_Auth_Adapter_AdsLdap)

setProbePassword($probePassword)
required (but not by Zendx_Auth_Adapter_AdsLdap)

setBaseDn($baseDn)
required
Sets the LDAP path under which user accounts reside. This will be used
when searching for accounts being authenticated.

addDomain($dnsRoot, $nETBIOSName)
required
This is a Zendx_Auth_Adapter_AdsLdap method. The DNS / NetBIOS name
mapping is used to canonicalize usernames which allows bypassing the
user DN "probe" lookup as well as normalizing usernames returned by
Zend_Auth::getIdentity(). The default name form returned by
getIdentity() is NetBIOSName\sAMAccountName (e.g. ACME\abaker).
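The canonicalization that the addDomain() mapping makes possible, shown
as an added example in plain PHP. This is not code from zf-ldap; the
function names, the rule that a bare login belongs to a default domain,
and the sample logins are assumptions. Given the DNS root / NetBIOS
mapping, every accepted spelling of a login is reduced to the
NetBIOSName\sAMAccountName identity form and to a userPrincipalName,
which Active Directory accepts in a simple bind and which is what lets
the DN probe be skipped. A login in a domain that was never added is
refused rather than guessed.

```php
<?php
// Added example; not part of zf-ldap. Function names, the "default
// domain" rule for bare logins and the sample logins are assumptions.

/**
 * Build the DNS-root => NetBIOS-name map the way repeated addDomain()
 * calls would. Keys are lowercased and NetBIOS names uppercased so the
 * lookups are case-insensitive, as domain names are in AD.
 */
function adsDomainMap(array $pairs)
{
    $map = array();
    foreach ($pairs as $dnsRoot => $netbios) {
        $map[strtolower($dnsRoot)] = strtoupper($netbios);
    }
    return $map;
}

/**
 * Reduce an AD login name to one canonical form. Accepts
 *   abaker          bare sAMAccountName, assigned to $defaultDnsRoot
 *   abaker@w.net    userPrincipalName
 *   W\abaker        NetBIOS\sAMAccountName
 *   w.net\abaker    DNS root in the down-level position
 * Returns an array with 'identity' (NetBIOSName\sAMAccountName, the
 * form getIdentity() returns) and 'bindName' (a UPN, which AD accepts
 * in a simple bind, so no DN probe is needed), or null when the name
 * is malformed or names a domain that was never added.
 */
function adsCanonicalize($username, array $map, $defaultDnsRoot)
{
    $username = trim($username);
    if ($username === '' || strpbrk($username, "\r\n\0") !== false) {
        return null;
    }
    $domain  = null;
    $account = $username;
    if (($pos = strpos($username, '\\')) !== false) {
        $domain  = substr($username, 0, $pos);
        $account = substr($username, $pos + 1);
    } elseif (($pos = strrpos($username, '@')) !== false) {
        $account = substr($username, 0, $pos);
        $domain  = substr($username, $pos + 1);
    }
    // After one split the account part must be a plain name.
    if ($account === '' || strpbrk($account, '\\@/') !== false) {
        return null;
    }
    if ($domain === null) {
        $dnsRoot = strtolower($defaultDnsRoot);
    } elseif (isset($map[strtolower($domain)])) {
        $dnsRoot = strtolower($domain);
    } else {
        // The user typed the NetBIOS name; map it back to the DNS root.
        $dnsRoot = array_search(strtoupper($domain), $map, true);
    }
    if ($dnsRoot === false || !isset($map[$dnsRoot])) {
        return null; // unknown domain: refuse rather than guess
    }
    // AD matches sAMAccountName case-insensitively, so normalize case.
    $account = strtolower($account);
    return array(
        'dnsRoot'  => $dnsRoot,
        'netbios'  => $map[$dnsRoot],
        'account'  => $account,
        'bindName' => $account . '@' . $dnsRoot,
        'identity' => $map[$dnsRoot] . '\\' . $account,
    );
}

// Constructed input, using the domain from the AdsLdap usage above.
$map = adsDomainMap(array('w.net' => 'W'));
$samples = array('abaker', 'abaker@w.net', 'W\\abaker', 'w.net\\abaker',
                 'other\\abaker', 'a@b@c', '@w.net');
foreach ($samples as $name) {
    $c = adsCanonicalize($name, $map, 'w.net');
    printf("%-14s => %s\n", $name,
        $c === null ? 'rejected' : $c['identity'] . '  (bind as ' . $c['bindName'] . ')');
}
```

The account part is lowercased because AD compares sAMAccountName
case-insensitively; keep the spelling the user typed if your
application displays it. Refusing an unmapped domain matters because
the bind name is built from the domain string: a login naming a
foreign domain must not be turned into a bind against your forest.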

The credentials being authenticated are set with the setUsername and
setPassword methods.

setUsername($username)
required

setPassword($password)
required

setSearchFilterFormat($searchFilterFormat)
default is (&(objectClass=posixAccount)(uid=%s))
This sets an sprintf format string used to build the LDAP search
filter for searching accounts. The format string must have one %s
format specifier to accommodate the username. It should only be
necessary to change this setting when using a custom schema. The
Zendx_Auth_Adapter_AdsLdap class overloads getSearchFilter to return
the product of (&(objectClass=user)(sAMAccountName=%s)) instead.

setLogPath($logPath)
default is /tmp/ldap.log
Sets the path of a log file into which Zend_Log messages will be sent.
To set your own logger do Zend_Registry::set('ldap_logger', $logger)
or overload the getLogger and log methods.
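The probe lookup and the sprintf search-filter format described in the
API section above, as an added example written directly against PHP's
ldap extension. This is not the package's own code: the host,
credentials, base DN, the function names and the constructed usernames
are assumptions. It adds the two checks a practitioner wants around
this sequence. First, the username is escaped before it is
interpolated into the format string, because a raw value such as
abaker)(uid=* rewrites the filter (RFC 4515 section 2.4 defines the
escaping). Second, an empty password is rejected before any bind is
attempted, because a simple bind with a DN and an empty password is an
"unauthenticated" bind that many servers, Active Directory included,
accept and treat as anonymous (RFC 4513 section 5.1.2).

```php
<?php
// Added example; not zf-ldap's code. Host, credentials, base DN,
// function names and the sample usernames are assumptions.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515 2.4).
 * PHP >= 5.6 ships ldap_escape() with LDAP_ESCAPE_FILTER; this does the
 * same so the example also runs on older builds.
 */
function ldapFilterEscape($value)
{
    $out = '';
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        $c = $value[$i];
        if ($c === '\\' || $c === '*' || $c === '(' || $c === ')' || $c === "\0") {
            $out .= sprintf('\\%02x', ord($c));
        } else {
            $out .= $c;
        }
    }
    return $out;
}

/**
 * Build the search filter from a setSearchFilterFormat()-style string.
 */
function buildSearchFilter($format, $username)
{
    return sprintf($format, ldapFilterEscape($username));
}

/**
 * Look up the user's DN with the read-only probe account, then bind as
 * the user. Returns the user's DN on success, false on any failure.
 */
function probeAndBind($host, $port, $probeDn, $probePassword, $baseDn,
                      $filterFormat, $username, $password)
{
    // RFC 4513 5.1.2: DN plus empty password is an unauthenticated bind,
    // which most servers accept as anonymous. Refuse it up front.
    if ($username === '' || $password === '') {
        return false;
    }
    $ds = ldap_connect("ldap://$host:$port");
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // A simple bind sends the password in clear text; require TLS.
    if (!@ldap_start_tls($ds)) {
        ldap_close($ds);
        return false;
    }
    // 1. Probe: bind as the low-privilege lookup account, find the DN.
    if (!@ldap_bind($ds, $probeDn, $probePassword)) {
        ldap_close($ds);
        return false;
    }
    $filter = buildSearchFilter($filterFormat, $username);
    // Size limit 2: enough to notice that more than one entry matched.
    $sr = @ldap_search($ds, $baseDn, $filter, array('dn'), 0, 2);
    if ($sr === false) {
        ldap_close($ds);
        return false;
    }
    $entries = ldap_get_entries($ds, $sr);
    // Exactly one match or nothing: an ambiguous filter must not bind
    // the first hit.
    if ($entries === false || $entries['count'] !== 1) {
        ldap_close($ds);
        return false;
    }
    $userDn = $entries[0]['dn'];
    // 2. Bind as the user with the supplied password.
    $ok = @ldap_bind($ds, $userDn, $password);
    ldap_close($ds);
    return $ok ? $userDn : false;
}

// Offline demonstration of the filter construction with constructed
// usernames; the bind itself needs a directory to talk to.
$format = '(&(objectClass=posixAccount)(uid=%s))';
foreach (array('abaker', 'abaker)(uid=*', '*') as $u) {
    echo buildSearchFilter($format, $u), "\n";
}
// probeAndBind('s0.foo.net', 389, 'CN=user1,DC=foo,DC=net', 'pass1',
//              'OU=Sales,DC=foo,DC=net', $format, 'abaker', $password);
```

The escaping is what keeps the sprintf approach safe: with it the
second sample produces (uid=abaker\29\28uid=\2a), a literal string that
matches nothing, instead of a filter that matches every account.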


