Is LDAP the only way to authenticate a web application against Active Directory?

Well, Active Directory is LDAP+Kerberos+a few other miscellaneous bits and pieces. Officially you could authenticate via Kerberos, but that's not going to provide any of the other authorization data you may need.

As long as your firewall doesn't prohibit it and you have a user account with the correct permissions, you should be able to query Active Directory using standard LDAP PHP libraries, LDAP browsers, etc.


LDAP isn't required. You can use claims based authentication (the new trend) with SAML. A PHP library is here.

Have your network admin install ADFSv2 to make AD open up a SAML and WS-Trust endpoint for your app. ADFS is free, and Windows 2008 R2 is the right OS to run the latest version.

TIP: Just be sure to install it so it uses SQL (not SQL Express) if you want advanced features like token replay detection.


You could try SAML as well. Try a search for "SAML active directory" as well as "SAML apache".


I'm currently working on a hybrid application for my company that requires employee authentication via LDAP / Active Directory.

In PHP it's not that hard to authorize against LDAP.

Your PHP Configuration should have session and ldap enabled.

Here's an example of a basic auth with PHP:

class LDAP_Authentication
{
    private $connection;

    public function __construct($domain)
    {
        // ldap_connect() only validates the URI and prepares a handle;
        // the network connection is opened on the first bind.
        $this->connection = @ldap_connect($domain);
        if ($this->connection !== false) {
            // Active Directory requires LDAPv3; not chasing referrals
            // avoids errors when searching AD later.
            ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($this->connection, LDAP_OPT_REFERRALS, 0);
        }
    }

    public function connected()
    {
        return $this->connection !== false;
    }

    public function login($user, $password)
    {
        // AD accepts an empty password as an anonymous bind, which would
        // otherwise pass as a successful login for any username.
        if ($user === '' || $password === '') {
            return false;
        }
        // $user should be a bindable name such as user@domain.internal or DOMAIN\user.
        return @ldap_bind($this->connection, $user, $password);
    }
}

Example of usage:

session_start(); // Single login

$LDAPAuth = new LDAP_Authentication('domain.internal');

if($LDAPAuth->connected())
{
    // For AD, use a bind name in the form user@domain.internal or DOMAIN\user.
    if($LDAPAuth->login('some_user', "some_pass"))
    {
        session_regenerate_id(true); // fresh session id after login (prevents session fixation)
        $_SESSION['logged_in'] = true;
        $_SESSION['username'] = 'some_user'; // keep the password itself out of the session

        echo 'Welcome';
    }else
    {
        echo 'Try again';
    }
}

Update 1

A possible method is using JavaScript to accomplish this: you can detect the client's computer name, user name and domain by using the network object in WScript. You then detect the credentials and send them to the server to check with AD; if they're all good, the server will create a session for that user and reply with a JSON object with success set to true.

The JavaScript side will then see that it's a success and redirect the browser to another location, causing them to be logged in.

POC:

var Data = {};
//Show loading layer
$("#loader").show();
try
{
    // WScript.Network is only reachable through ActiveX, i.e. Internet Explorer
    // with the site in a zone that permits it; other browsers throw here.
    var Information = new ActiveXObject("WScript.Network");
    Data.Username = Information.UserName;
    Data.Computername = Information.ComputerName;
    Data.Domain = Information.UserDomain;

    // These values come from the client; the server side (not shown) must
    // check them against AD before creating a session.
    $.post("/ldap/ajax/login",Data,function(object){
        if(object.success)
        {
            document.location = "/"; //Will automatically start session.
        }else
        {
            document.location = "/ldap/faild/"; //general login page
        }
    });
}catch(e)
{
    document.location = "/ldap/faild/"; //general login page
}
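Building on the LDAP bind shown in this answer, and on the point made in the first answer that authentication alone does not give you authorization data, the following is an added example (not code from any of the answers) that binds as the user over LDAPS and then reads the user's group membership. The host `dc01.domain.internal`, the domain `domain.internal`, the group name, and the assumption that the UPN is `sAMAccountName@domain` are all placeholders.

```php
<?php
// Added example, not from the original answers: bind to Active Directory over
// LDAPS with the user's own credentials, then read group membership for
// authorization. Host, domain and group names are placeholders; the UPN is
// assumed to be sAMAccountName@domain.
function ad_authenticate(string $host, string $domain, string $username, string $password): ?array
{
    // AD accepts an anonymous bind for an empty password, which would look like
    // a successful login; '@' and '\' are rejected so the bind name stays a UPN.
    if ($username === '' || $password === '' || strpbrk($username, '@\\') !== false) {
        return null;
    }
    $conn = ldap_connect("ldaps://$host"); // port 636: the password is not sent in clear text
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // chased referrals break AD searches
    // Bind as the user: a failed bind covers wrong password, disabled or locked-out accounts.
    if (@ldap_bind($conn, $username . '@' . $domain, $password) === false) {
        ldap_unbind($conn);
        return null;
    }
    // Default naming context derived from the DNS name: DC=domain,DC=internal.
    $baseDn = 'DC=' . str_replace('.', ',DC=', $domain);
    // ldap_escape() stops a crafted username from altering the search filter.
    $filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result = ldap_search($conn, $baseDn, $filter, ['displayName', 'memberOf']);
    $entries = $result !== false ? ldap_get_entries($conn, $result) : false;
    ldap_unbind($conn);
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    // ldap_get_entries() lower-cases attribute names and adds 'count' keys to each list.
    $groups = [];
    foreach ($entries[0]['memberof'] ?? [] as $key => $dn) {
        if (is_int($key)) {
            $groups[] = $dn;
        }
    }
    return ['user' => $entries[0]['displayname'][0] ?? $username, 'groups' => $groups];
}

// Usage with form input (placeholders); the password is checked once and never stored.
// $id = ad_authenticate('dc01.domain.internal', 'domain.internal', $_POST['user'], $_POST['pass']);
// $allowed = $id !== null && in_array('CN=WebApp Users,OU=Groups,DC=domain,DC=internal', $id['groups'], true);
```

memberOf lists direct membership only; the user's primary group and nested group memberships are not included.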