Issues

ZF-994: New Zend_Auth LDAP adapter

Description

In response to interest in an LDAP adapter for authentication, this issue is created to track the adapter development.

Contributions from the community are most welcome!

Comments

Hello Darby,

I would really appreciate to contribute to this topic. However, I only have a few hours a week to work on it. So it may be not ready for 0.9

I'll need some help on the process ( svn, incubator, etc) as this is my first contribution (I use to do translations)

Vincent

Hi Vincent,

It's fine that this may not be ready for 0.9.0; it could be released in a later version after 1.0.0, but it's not too early to get started. I suspect that scope creep will be an issue with this adapter, and probably we'll find that we need a proposal for it. In the meantime, however, we can use this JIRA issue to track whatever discoveries are made.

As a bonus, nearly any formatting you might use herein would also be transferable to the proposal, since it supports the same wiki format.

Hi Darby, and the others

I finally started the draft proposal for Zend_Auth_LDAP

The idea is very simple : take the login and password provided by the user (login form), and use them to connect the the LDAP server. If needed, concat the username (myusername) with the domain name (\mydomain => \mydomain\myusername).

If the connection succeeds, then this is because the user/password match those of the LDAP directory. Else, we have a problem...

We use this for ages against various Active Directory servers for intranets and extranets. This works very well and is reliable. However, wrong authentication with the same login will lock the windows account in the same way the windows account can be locked from a windows station. So, if some nasty boy tries to figure out the password of their friend, and if they make 3 successive errors, the login of their friend will be locked. The unlock procedure is to be defined inside the Active Directory. At some places, the account is always unlocked after a hour, in some other places we need a manual unlock...

I never tested this solution agains another LDAP server. If someone has more exeprience on OpenLDAP or others, please tell me.

The ldap Auth will only return a true/false, and will NOT fetch more information about he user from the LDAP directory. This may be the work of the Zend_LDAP.

Vincent

Maybe we should change the name to be Zend_Auth_Adapter_LDAP, so as to match the exsting Zend_Auth_Adapter_HTTP...

Hi,

I finally have something that (should) work and I'd like the opinion of users.

I added all phpdoc comments I could. I also let many comments into the source code so as to help for a code revue.

Don't hesitate to give me your comments. I know the code is not perfect, but the functionality seem to be ok.

vincent

Ldap.php

This the first release of the Zend_Auth_Adapter_Ldap. Download the file and paste into /Zend/Auth/Adapter/

A code sample is into the source file PHPDocs

enjoy! vincent

We now have two proposals under construction for this component:

http://framework.zend.com/wiki/display/… http://framework.zend.com/wiki/display/…

We must move a proposal forward for this- either one of these or a new one. Currently, the Zend team would prefer for this to be largely community-driven, since the community has given it relatively significant time, thought, and interest. If you have a proposal that is currently under construction or you'd like to submit a new one, please notify Darby Felton (the Zend team liason for this project) so that we can get this on the map for the next release.

Darby will be driving this effort for inclusion in 1.1.

Planning to drive this proposal by [~miallen].

To all readers - this means you - please review the new proposal and post comments with feedback there. ;)

Zend_Auth_Adapter_Ldap by Michael B Allen