Merge pull request #346 from stuartcampbell/add-legacy-ad-ldap-support

Add support for Microsoft Active Directory in LDAP authentication
DiamondLightSource · Nov 23, 2023 · ac5f9d8 · ac5f9d8
2 parents 9d2d739 + 2c94541
commit ac5f9d8
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 5 deletions.
diff --git a/api/config_sample.php b/api/config_sample.php
@@ -47,6 +47,13 @@
     # Update the ldap(s) prefix, hostname and search settings as required
     $ldap_server = 'ldaps://ldap.example.com';
     $ldap_search = 'ou=people,dc=example,dc=com';
+    # Specify the LDAP server type, can be either 
+    # "openldap" (default) or "activedirectory"
+    $ldap_server_type = "openldap";
+    # If using "activedirectory" then specify the legacy domain name.
+    # i.e. "MYDOMAIN" rather than "mydomain.com" 
+    # This will be prepended onto the username (e.g. MYDOMAIN\mylogin)
+    $active_directory_domain = "MYDOMAIN";
     $ldap_use_tls = false; # default - i.e. don't use secured LDAP connection
 
     # Upload directory

diff --git a/api/src/Authentication/Type/LDAP.php b/api/src/Authentication/Type/LDAP.php
@@ -24,7 +24,10 @@ function check()
 
     function authenticate($login, $password)
     {
-        global $ldap_server, $ldap_search, $ldap_use_tls;
+        global $ldap_server, $ldap_search, $ldap_use_tls, $ldap_server_type, $active_directory_domain;
+        if (!$ldap_server_type) {
+            $ldap_search_type = "openldap";
+        }
 
         $conn = ldap_connect($ldap_server);
 
@@ -39,14 +42,26 @@ function authenticate($login, $password)
             if ($ldap_use_tls) {
                 ldap_start_tls($conn);
             }
-
             try {
-                // testing with openldap indicates this call needs to use a correct
-                // DN syntax: "uid=<login>,ou=people,dc=example,dc=com"
-                return ldap_bind($conn, "uid=" . $login . "," . $ldap_search, $password);
+                if ($ldap_server_type == "activedirectory") {
+                    if (!$active_directory_domain) {
+                        error_log("'active_directory_domain' parameter is not defined.");
+                        error_log("\t This is required when LDAP server type is 'activedirectory'");
+                        return false;
+                    }
+                    $ldap_user = $active_directory_domain . "\\" . $login;
+                } else {
+                    // testing with openldap indicates this call needs to use a correct
+                    // DN syntax: "uid=<login>,ou=people,dc=example,dc=com"
+                    $ldap_user = "uid=" . $login . "," . $ldap_search;
+                }
+                return ldap_bind($conn, $ldap_user, $password);
 
                 // Couldn't bind
             } catch (\Exception $e) {
+                error_log("SynchWeb - LDAP Auth FAILURE for user $login");
+                error_log("\t" . $e->getMessage());
+                error_log("\tldap_error: " . ldap_error($conn) . "  (Err Code: " . ldap_errno($conn) . ")");
                 return false;
             }
         }