The Blog

Zend_Auth and Active Directory

I just worked on a login application that connects to Active Directory using Zend_Auth and Zend_Auth_Adapter_Ldap. The application uses the Zend Framework and components of Zend_Form.

Server Settings

First of all, the web server has to have the ability to connect with LDAP. To do this, it has to be enabled in the php.ini file. The following line should be uncommented:

; Dynamic Extensions ;
... (if Windows, extension=php_ldap.dll)

The httpd.conf file needs to have some LDAP modules loaded as well. If you want the ability to connect to LDAP over a secure connection, you’ll need a few additional modules on top of the standard LDAP module. Plus, at the bottom of the httpd.conf file, or anywhere after the modules have been included, there are a few ifModule statements to add.

# Dynamic Shared Object (DSO) Support
LoadModule auth_basic_module modules/
LoadModule authnz_ldap_module modules/
LoadModule ldap_module modules/
<IfModule ldap_module>
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

<IfModule mod_authnz_ldap>
LDAPTrustedCA /etc/ssl/certificate/my_public_cert.cer

If the case of the LDAPTrustedCA, I just entered the path to the public certificate of a certificate authority. I’m not completely sure if that has any bearing on the functionality of the LDAP connections over SSL, but included it just in case.

Zend Framework

Once the server is ready to go, you need to setup the Zend Framework to handle LDAP connections to an Active Directory (AD) server. A lot of these steps would probably apply to an OpenLDAP server as well, but I’m focusing on AD right now.

First thing is to setup the configuration file (config.ini). I found that the following settings work well with Active Directory; you’ll have to substitute values based on what your settings are:

[dev] =
ladp.server1.port = 636
ldap.server1.useStartTls = true
ldap.server1.accountDomainName =
ldap.server1.accountDomainNameShort = adserver ;abbreviated name for server
ldap.server1.accountCanonicalForm = 3
ldap.server1.baseDn = "dc=adserver,dc=mydomain,dc=com"
ldap.server1.bindRequiresDn = 0

Here’s a few, brief explanations of the settings above:

  • In some cases, the host may need to have a ldap:// or ldaps:// in it (e.g. ldap://
  • This forces a connection over SSL via Tls. To avoid this, comment out the useStartTls line.
  • Port 636 is the default, secure port for Active Directory. Port 389 is the default, non-secure port over TCP and UDP.
  • The accountDomainName should just be the domain name of the server.
  • In some cases, the Active Directory server might use a short name. You usually see this in a domain-based environment (when connecting Windows-based machines to a domain). When logging in, a user might have to enter his/her username with some kind of prefix (e.g. adserver\username).
  • The accountCanonicalForm setting can have values of 2,3 or 4…and maybe a few others. If 2 is selected, only the account name is used (e.g. username). If 3 is selected, which is the default and likely the correct option, the account includes the prefix (e.g. adserver\username). If 4 is selected, the account is managed as [email protected] (or something like that).
  • The baseDN (base distinguished name), is the base of where to find things in Active Directory. In my case, it was the domain of the server. The dc stands for domain controller and is read in reverse.
  • The bindRequiresDn setting forces a bind on the full distinguished name of an account before authenticating. This just means that the full acount name might be something like “cn=myusername,ou=myorganization,dc=adserver,dc=mydomain,dc=com” instead of just “myusername.” The cn stands for canonical name.

The config.ini file can be used with the Zend_Config_Ini class in the bootstrap file.

$config = new Zend_Config_Ini(/config/config.ini', 'dev');

Tags: , , ,

No comments yet.

Leave a Comment

Remember to play nicely folks, nobody likes a troll.

You must be logged in to post a comment.