Struggling to understand LDAP authentication in CakePHP 5

Hi,

I’m struggling to understand user authentication in CakePHP 5 - in particular LDAP authentication (using Active Directory).

I can’t seem to find any documentation/examples for LDAP on CakePHP v5. I have the local user auth working as per the example in the Cake documentation, but don’t really understand what I need to get LDAP auth implemented correctly.

I have LDAP working on my current project using 3.8, but it seems this will no longer work… Not being a full-time dev and having a lot of time to spend on this between jobs is not helping things!

Any help appreciated in pointing me in the right direction!

The Authentication Plugin already has an LDAP Identifier present.

So all you really should need is to add the Identifier to your AuthenticationService:

    $service->loadIdentifier('Authentication.Ldap', [
        'fields' => [
            'username' => 'username',
            'password' => 'password',
        ],
        'host' => 'ldap.mydomain.com',
        'port' => 389,
        'bindDN' => function ($username) {
            // Escape the user-supplied value before placing it in the DN
            return 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',DC=example,DC=com';
        },
        'options' => [LDAP_OPT_PROTOCOL_VERSION => 3],
    ]);

or something similar

Thanks for the reply and pointing me in the right direction.

I do actually have code in there now as MS CoPilot actually suggested something very similar (where nothing else made sense…) But it’s still not working - but I will try and spend some time on it soon and have a play with the code - at least I could see traffic going to the AD server during login attempts - so fingers crossed it’s just something silly I’ve missed.

Cheers
Darren

You can also look into authentication/src/Identifier/LdapIdentifier.php and authentication/src/Identifier/Ldap/ExtensionAdapter.php (both on the 3.x branch of cakephp/authentication on GitHub) if you want to adjust some code manually. Those just live inside your vendor/cakephp/authentication directory.

Thanks Kevin, will take a look.

Just an update to say I finally got authentication working, thanks to the pointers above from Kevin - after some further debugging, I was able to work out what the problem was (basically username needed to be user@domain format).

So it turned out to be quite easy to get the authentication implemented in the end.

Just added this code to my Application.php file in the src directory under the Authentication.Form identifier.

    // Load Ldap identifier
    $authenticationService->loadIdentifier('Authentication.Ldap', [
        'host' => 'ldap://myservername',
        'port' => 389,
        'bindDN' => function ($username) {
            return $username;
        },
        'baseDN' => 'OU=myusers,DC=mydomain,DC=co,DC=uk',
        'options' => [
            LDAP_OPT_PROTOCOL_VERSION => 3,
        ],
    ]);

Now to work out how to get group membership details for Authorisation purposes, which will no doubt be more fun!
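
A hardened variant of the configuration above, as an added example that is not code from the thread or from the plugin: it pins the bind name to the user@domain form for one domain instead of passing the typed string through, and uses LDAPS so the bind password is not sent in clear text. The helper names, the domain suffix, the character allowlist and the availability of LDAPS on the server are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: the single AD domain whose accounts may sign in (constructed value).
const LOGIN_UPN_SUFFIX = 'mydomain.co.uk';

// Hypothetical helper: map the typed login name to one canonical bind name,
// user@LOGIN_UPN_SUFFIX, or throw. The character allowlist is an assumption.
function canonicalBindName(string $typed): string
{
    $parts = explode('@', strtolower(trim($typed)));
    if (count($parts) > 2) {
        throw new InvalidArgumentException('more than one @ in username');
    }
    [$user, $domain] = $parts + [1 => LOGIN_UPN_SUFFIX];
    if ($domain !== LOGIN_UPN_SUFFIX) {
        throw new InvalidArgumentException('login is limited to ' . LOGIN_UPN_SUFFIX);
    }
    // Rejects full DNs ("CN=..,DC=.."), "DOMAIN\user", spaces and control bytes.
    if (preg_match('/\A[a-z0-9][a-z0-9._-]{0,63}\z/', $user) !== 1) {
        throw new InvalidArgumentException('unexpected characters in username');
    }
    return $user . '@' . $domain;
}

// Options for loadIdentifier('Authentication.Ldap', ...), same keys as in the thread.
function ldapIdentifierConfig(): array
{
    return [
        // A simple bind carries the password itself; ldap:// on 389 without
        // StartTLS sends it in clear text, ldaps:// wraps the session in TLS.
        'host' => 'ldaps://myservername',
        'port' => 636,
        'bindDN' => fn (string $username): string => canonicalBindName($username),
        'options' => [LDAP_OPT_PROTOCOL_VERSION => 3, LDAP_OPT_NETWORK_TIMEOUT => 5],
    ];
}

// In Application.php:
// $authenticationService->loadIdentifier('Authentication.Ldap', ldapIdentifierConfig());

// Constructed inputs showing what would be sent as the bind name.
foreach (['JSmith', 'jsmith@mydomain.co.uk', 'MYDOMAIN\\jsmith', 'x@other.example'] as $typed) {
    try {
        echo $typed, ' => ', canonicalBindName($typed), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $typed, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The exception thrown for a rejected name is assumed to propagate out of the identifier, so catch it where the login request is handled and treat it as a failed login.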