The Ldap Component
The Ldap component provides a means to connect to an LDAP server (OpenLDAP or Active Directory).
Installation
$ composer require symfony/ldap
Note
If you install this component outside of a Symfony application, you must require the vendor/autoload.php file in your code to enable the class autoloading mechanism provided by Composer. Read this article for more details.
Usage
The Ldap class provides methods to authenticate and query against an LDAP server. The Ldap class uses an AdapterInterface to communicate with an LDAP server. The adapter for PHP's built-in LDAP extension, for example, can be configured using the following options:
host - IP or hostname of the LDAP server
port - Port used to access the LDAP server
version - The version of the LDAP protocol to use
encryption - The encryption protocol: ssl, tls or none (default)
connection_string - You may use this option instead of host and port to connect to the LDAP server
optReferrals - Specifies whether to automatically follow referrals returned by the LDAP server
options - LDAP server's options as defined in ConnectionOptions
For example, to connect to a start-TLS secured LDAP server:

use Symfony\Component\Ldap\Ldap;
$ldap = Ldap::create('ext_ldap', [
    'host' => 'my-server',
    // 'tls' issues STARTTLS on the plain LDAP port (389);
    // 'ssl' would instead open an ldaps:// connection on port 636
    'encryption' => 'tls',
]);
Or you could directly specify a connection string:

use Symfony\Component\Ldap\Ldap;
$ldap = Ldap::create('ext_ldap', ['connection_string' => 'ldaps://my-server:636']);
The bind() method authenticates a previously configured connection using both the distinguished name (DN) and the password of a user:
use Symfony\Component\Ldap\Ldap;
// ...
$ldap->bind($dn, $password);
Danger
When the LDAP server allows unauthenticated binds, a blank password will always be valid.
You can also use the saslBind() method for binding to an LDAP server using SASL:
// this method defines other optional arguments like $mech, $realm, $authcId, etc.
$ldap->saslBind($dn, $password);
After binding to the LDAP server, you can use the whoami() method to get the distinguished name (DN) of the authenticated and authorized user.
7.2
The saslBind() and whoami() methods were introduced in Symfony 7.2.
Once bound (or if you enabled anonymous authentication on your LDAP server), you may query the LDAP server using the query() method:
use Symfony\Component\Ldap\Ldap;
// ...
$query = $ldap->query('dc=symfony,dc=com', '(&(objectclass=person)(ou=Maintainers))');
$results = $query->execute();
foreach ($results as $entry) {
    // Do something with the results
}
By default, LDAP entries are lazy-loaded. If you wish to fetch all entries in a single call and do something with the results' array, you may use the toArray() method:
use Symfony\Component\Ldap\Ldap;
// ...
$query = $ldap->query('dc=symfony,dc=com', '(&(objectclass=person)(ou=Maintainers))');
$results = $query->execute()->toArray();
// Do something with the results array
By default, LDAP queries use the QueryInterface::SCOPE_SUB scope, which corresponds to the LDAP_SCOPE_SUBTREE scope of the ldap_search function. You can also use SCOPE_BASE (related to the LDAP_SCOPE_BASE scope of ldap_read) and SCOPE_ONE (related to the LDAP_SCOPE_ONELEVEL scope of ldap_list):

use Symfony\Component\Ldap\Adapter\QueryInterface;
$query = $ldap->query('dc=symfony,dc=com', '...', ['scope' => QueryInterface::SCOPE_ONE]);
Use the filter option to only retrieve some specific attributes:

$query = $ldap->query('dc=symfony,dc=com', '...', ['filter' => ['cn', 'mail']]);
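A login flow built from the bind() and query() methods described above, added here as an example and not code from the Symfony documentation: it turns the Danger note about unauthenticated binds into an explicit check, and uses the component's escape() method (a wrapper around PHP's ldap_escape()) so the username cannot alter the search filter. The base DN, service-account DN and password, and server address are assumed placeholders.

```php
<?php
// Added example, not code from the Symfony documentation: look up a user's DN with
// an escaped search filter, then verify the password by binding as that DN.
// The base DN, service account and server below are constructed placeholders.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Ldap\Entry;
use Symfony\Component\Ldap\Exception\ConnectionException;
use Symfony\Component\Ldap\Ldap;
use Symfony\Component\Ldap\LdapInterface;

const BASE_DN = 'dc=symfony,dc=com';
const SERVICE_DN = 'cn=readonly,dc=symfony,dc=com';
const SERVICE_PASSWORD = 'service-password-placeholder';

// Returns the authenticated user's Entry, or null when the login is rejected.
function authenticateUser(LdapInterface $ldap, string $uid, string $password): ?Entry
{
    // Refuse blank passwords before touching the server: with unauthenticated
    // binds enabled, bind($dn, '') succeeds as an anonymous bind (see Danger above).
    if ('' === $password) {
        return null;
    }

    // Search with a read-only service account so the DN is never assembled from
    // user input. escape() wraps ldap_escape(), so '*', '(', ')' and '\' in $uid
    // are encoded and cannot change the meaning of the filter.
    $ldap->bind(SERVICE_DN, SERVICE_PASSWORD);
    $filter = sprintf('(&(objectClass=inetOrgPerson)(uid=%s))',
        $ldap->escape($uid, '', LDAP_ESCAPE_FILTER));
    $results = $ldap->query(BASE_DN, $filter, ['filter' => ['cn', 'mail']])->execute();
    // Exactly one match is required; an ambiguous lookup is treated as a failure.
    if (1 !== \count($results)) {
        return null;
    }
    $entry = $results[0];

    try {
        $ldap->bind($entry->getDn(), $password); // this bind is the password check
    } catch (ConnectionException) {
        return null;
    }

    return $entry;
}

$ldap = Ldap::create('ext_ldap', ['connection_string' => 'ldaps://ldap.example.test:636']);
$user = authenticateUser($ldap, $_POST['username'] ?? '', $_POST['password'] ?? '');
echo null === $user ? "login rejected\n" : 'welcome '.$user->getAttribute('cn')[0]."\n";
```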
Creating or Updating Entries
The Ldap component provides the means to create new LDAP entries, and to update or even delete existing ones:
use Symfony\Component\Ldap\Entry;
use Symfony\Component\Ldap\Ldap;
// ...
$entry = new Entry('cn=Fabien Potencier,dc=symfony,dc=com', [
'sn' => ['fabpot'],
'objectClass' => ['inetOrgPerson'],
]);
$entryManager = $ldap->getEntryManager();
// Creating a new entry
$entryManager->add($entry);
// Finding and updating an existing entry
$query = $ldap->query('dc=symfony,dc=com', '(&(objectclass=person)(ou=Maintainers))');
$result = $query->execute();
$entry = $result[0];
$phoneNumber = $entry->getAttribute('phoneNumber');
$isContractor = $entry->hasAttribute('contractorCompany');
// attribute names in getAttribute() and hasAttribute() methods are case-sensitive
// pass FALSE as the second method argument to make them case-insensitive
$isContractor = $entry->hasAttribute('contractorCompany', false);
$entry->setAttribute('email', ['fabpot@symfony.com']);
$entryManager->update($entry);
// Adding or removing values to a multi-valued attribute is more efficient than using update()
$entryManager->addAttributeValues($entry, 'telephoneNumber', ['+1.111.222.3333', '+1.222.333.4444']);
$entryManager->removeAttributeValues($entry, 'telephoneNumber', ['+1.111.222.3333', '+1.222.333.4444']);
// Removing an existing entry
$entryManager->remove(new Entry('cn=Test User,dc=symfony,dc=com'));
Batch Updating
Use the entry manager's applyOperations() method to update multiple attributes at once:
use Symfony\Component\Ldap\Adapter\ExtLdap\UpdateOperation;
use Symfony\Component\Ldap\Entry;
use Symfony\Component\Ldap\Ldap;
// ...
$entry = new Entry('cn=Fabien Potencier,dc=symfony,dc=com', [
    'sn' => ['fabpot'],
    'objectClass' => ['inetOrgPerson'],
]);
$entryManager = $ldap->getEntryManager();
// Adding multiple email addresses at once
// (the values argument of UpdateOperation is an array, or NULL for REMOVE_ALL)
$entryManager->applyOperations($entry->getDn(), [
    new UpdateOperation(LDAP_MODIFY_BATCH_ADD, 'mail', ['new1@example.com']),
    new UpdateOperation(LDAP_MODIFY_BATCH_ADD, 'mail', ['new2@example.com']),
]);
Possible operation types are LDAP_MODIFY_BATCH_ADD, LDAP_MODIFY_BATCH_REMOVE, LDAP_MODIFY_BATCH_REMOVE_ALL and LDAP_MODIFY_BATCH_REPLACE. The $values parameter must be NULL when using the LDAP_MODIFY_BATCH_REMOVE_ALL operation type.
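A batch-update helper, added here as an example rather than taken from the Symfony documentation, that turns a map of desired attribute values into a single applyOperations() call and enforces the NULL rule for LDAP_MODIFY_BATCH_REMOVE_ALL. The DN, bind credentials and server address are assumed placeholders.

```php
<?php
// Added example, not code from the Symfony documentation: build one applyOperations()
// batch from a map of desired attribute values. A null value means "remove every
// value of this attribute", the one case where UpdateOperation requires $values = null.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\Ldap\Adapter\ExtLdap\UpdateOperation;
use Symfony\Component\Ldap\Ldap;
use Symfony\Component\Ldap\LdapInterface;

/**
 * @param array<string, list<string>|null> $desired attribute => new values, or null to clear
 *
 * @return list<UpdateOperation>
 */
function buildBatch(array $desired): array
{
    $operations = [];
    foreach ($desired as $attribute => $values) {
        if (null === $values) {
            // REMOVE_ALL must get null: passing an array makes UpdateOperation throw.
            $operations[] = new UpdateOperation(LDAP_MODIFY_BATCH_REMOVE_ALL, $attribute, null);
        } elseif ([] === $values) {
            // An empty REPLACE is ambiguous; require the explicit null form instead.
            throw new \InvalidArgumentException(sprintf('Use null to clear "%s".', $attribute));
        } else {
            // REPLACE sets the attribute to exactly these values.
            $operations[] = new UpdateOperation(LDAP_MODIFY_BATCH_REPLACE, $attribute, $values);
        }
    }

    return $operations;
}

function applyBatch(LdapInterface $ldap, string $dn, array $desired): void
{
    // applyOperations() sends a single LDAP Modify request, which the server
    // applies as one atomic operation (RFC 4511): all changes land or none do.
    $ldap->getEntryManager()->applyOperations($dn, buildBatch($desired));
}

// Offboarding step (constructed values): keep a forwarding address and drop every
// phone number, in one round trip.
$ldap = Ldap::create('ext_ldap', ['connection_string' => 'ldaps://ldap.example.test:636']);
$ldap->bind('cn=admin,dc=symfony,dc=com', 'admin-password-placeholder');
applyBatch($ldap, 'cn=Fabien Potencier,dc=symfony,dc=com', [
    'mail' => ['fabpot@symfony.com'],
    'telephoneNumber' => null,
]);
```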