Authenticating a User

Often times you may want to simply test a username/password against LDAP to see if it is valid. This can be done with a shorthand method directly on the LdapManager class:

// With your LdapManager class already instantiated...
if ($ldapManager->authenticate($username, $password)) {
    echo "Success! The password for $username is correct.";

This method creates an authentication operation object and executes it against the current connection. You could also do the following:

use LdapTools\Operation\AuthenticationOperation;

$operation = (new AuthenticationOperation())->setUsername($username)->setPassword($password);

// With your LdapManager class already instantiated...
$response = $ldapManager->getConnection()->execute($operation);

if (!$response->isAuthenticated()) {
    echo "Error validating password for '".$operation->getUsername()."': ".$response->getErrorMessage();

Valid Username Formats

The authenticate() method username argument can be the same value types as the username you defined in your config. For Active Directory, this means you can authenticate a user using either a UPN, a text SID, a text GUID, a distinguished name, or just a normal username. With OpenLDAP the username must be a full DN. However, you can adjust the bind_format option for the domain configuration to modify this behavior.

Authentication Error Messages

There are many times where you may want to provide a more meaningful response as to why authentication for a user has failed. This information is possible to get by passing additional optional variables to the authenticate() method.

// With your LdapManager class already instantiated...
if (!$ldapManager->authenticate($username, $password, $message, $code)) {
     echo "Error ($code): $message";

When using Active Directory, the above can give you very helpful information as to why the user cannot log in. Such as a disabled account, a locked account, or an account whose password needs to change before they can login again. The most common error codes you may see in AD:

Error Number Constant Description
1317 AccountInvalid Account does not exist.
1326 AccountCredentialsInvalid Account password is invalid.
1327 AccountRestrictions Account Restrictions prevent this user from signing in.
1328 AccountRestrictionsTime Time Restriction - The account cannot login at this time.
1329 AccountRestrictionsDevice Device Restriction - The account is not allowed to log on to this computer.
1330 AccountPasswordExpired The password for the account has expired.
1331 AccountDisabled The account is currently disabled.
1384 AccountContextIDS The account is a member of too many groups and cannot be logged on.
1793 AccountExpired The account has expired.
1907 AccountPasswordMustChange The accounts password must change before it can login.
1909 AccountLocked The account is currently locked out.

All constants are located in \LdapTools\Enums\AD\ResponseCode. You should use those constants to compare against the received error number to take a specific action for an event.