
We have gotten a request to synchronize the passwords for a SaaS app our company produces with Active Directory for a customer.

I have straight up never even touched AD, so I have no idea where to even begin, or if it's possible.

The App is laravel 5.2 + php5.6 and not running on Azure.

Any guidance would be extremely appreciated. Please ask if you need more information, I don't even have much of an idea of what would be relevant to know here.

Thanks for anything you can give me in advance, guys.

DeadlyBacon

1 Answer


There is no way to read anyone's password from Active Directory, so you cannot "synchronize" passwords.

However, you could just authenticate against AD (when someone tries to log into your app, your app sends their username and password to AD to verify). There is an answer for how to do that here, but it's literally just this:

$ldap = ldap_connect("ldap.example.com");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3 for a simple bind
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
// An empty password makes ldap_bind do an anonymous bind, which AD can accept,
// so it must be rejected before the bind or the check passes without a password.
if ($password !== '' && ($bind = @ldap_bind($ldap, $username, $password))) {
  // log them in!
} else {
  // error message
}

Where ldap.example.com will be the AD domain name. The default is port 389, so that communication has to be allowed by the firewall. If they want the traffic to be encrypted via SSL (LDAPS), then it would be over port 636 and you have to specify that:

$ldap = ldap_connect("ldaps://ldap.example.com:636"); // the ldaps:// scheme is what turns on TLS; a bare port number alone does not

And you would need to trust their certificate. Details on that in the comments of the documentation for ldap_connect.

Gabriel Luci
  • This is it. Extra question: what data does $bind get you? – DeadlyBacon Nov 19 '19 at 09:48
  • The [documentation for `ldap_bind`](https://www.php.net/manual/en/function.ldap-bind.php#refsect1-function.ldap-bind-returnvalues) says it just returns `TRUE` or `FALSE`, depending on if it succeeded, which is why you can use it in the `if` statement. So `$bind` will just be a boolean value. – Gabriel Luci Nov 19 '19 at 12:31
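A fuller version of the bind check, as an added example that is not part of the answer above: it refuses empty credentials (an empty password makes `ldap_bind` perform an anonymous bind, which AD can accept, so the bind "succeeds" without proving anything), forces LDAPv3, uses LDAPS or StartTLS so the password never crosses the wire in clear text, and logs the bind error without the password. The host name and the user principal name are placeholders, the function name `ad_authenticate` is mine, and the CA that signs the domain controller's certificate is assumed to be trusted by the LDAP client (on PHP 5.6 that is configured in the OpenLDAP client's ldap.conf, e.g. TLS_CACERT, since the ldap_set_option TLS options only arrived in PHP 7). The code avoids PHP 7 syntax so it runs on the php5.6 stack in the question.

```php
<?php
// Added example, not the answer's code. Authenticate a user against Active
// Directory with an LDAP simple bind. Host and user names are placeholders.

function ad_authenticate($host, $username, $password, $useLdaps = true)
{
    // Reject empty credentials before binding: with an empty password
    // ldap_bind performs an anonymous bind, which AD may accept as success.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return false;
    }
    // Accept only user@domain (UPN) or DOMAIN\user forms, the two that AD
    // resolves on a simple bind; anything else is rejected as a login name.
    if (!preg_match('/^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$|^[A-Za-z0-9-]+\\\\[A-Za-z0-9._-]+$/', $username)) {
        return false;
    }

    // The ldaps:// scheme is what enables TLS; passing port 636 alone does not.
    $uri  = $useLdaps ? 'ldaps://' . $host . ':636' : 'ldap://' . $host . ':389';
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return false;
    }

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals

    // Without LDAPS, upgrade the port 389 connection with StartTLS and refuse
    // to send the password if the upgrade fails.
    if (!$useLdaps && !@ldap_start_tls($ldap)) {
        error_log('StartTLS to ' . $host . ' failed: ' . ldap_error($ldap));
        ldap_unbind($ldap);
        return false;
    }

    // ldap_bind returns TRUE or FALSE; the @ silences the PHP warning on a
    // failed bind so the error is reported once, through ldap_error.
    $ok = @ldap_bind($ldap, $username, $password);
    if (!$ok) {
        error_log('AD bind failed for ' . $username . ': ' . ldap_error($ldap));
    }
    ldap_unbind($ldap);
    return (bool) $ok;
}

// Usage in a login handler (constructed placeholder host; credentials come
// from the login form, never from a query string or a log line).
if (isset($_POST['username'], $_POST['password'])) {
    if (ad_authenticate('dc01.example.com', $_POST['username'], $_POST['password'])) {
        // log them in!
    } else {
        // error message
    }
}
```

Call it from the Laravel login controller in place of the framework's password check; because the function only ever returns a boolean, the app never sees or stores the AD password, which is the point of the answer: you verify against AD rather than copying anything out of it.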