Usage
Models
This usage documentation is intentionally kept short and sweet to prevent duplication. Be sure to review the core LdapRecord documentation as it explains all of LdapRecord's features in-depth.
Once you've configured your connections in your config/ldap.php
file,
you're ready to start running queries and operations on your LDAP server.
If you're connecting to an Active Directory or OpenLDAP server, you may utilize the built-in models to get up and running right away.
If you would like to create your own models, you can generate one via the make:ldap-model
command:
php artisan make:ldap-model User
This will create a new LdapRecord model inside of your application in the app/Ldap
folder.
If the
Ldap
folder does not exist, it will be created automatically.
By default, the generated model will not have any $objectClasses
set. LdapRecord requires
this attribute to be set for objects to be created properly in your directory.
If no $objectClasses
are set, queries will not be scoped to the object you are querying
and you will have to set the models $objectClasses
manually before creating new objects.
namespace App\Ldap;
use LdapRecord\Models\Model;
class User extends Model
{
public static $objectClasses = [
'top',
'person',
'organizationalperson',
'user',
];
}
You may want to extend from the
LdapRecord\Models\ActiveDirectory\Entry
class to utilize some helper methods that are limited to the use of Active Directory. This can save you time from having to implement functionality manually.
Searching
To begin querying your model, you can statically call query methods off of the model:
$users = User::where('company', '=', 'Acme')->get();
When using the above example model for searching your LDAP directory, the following filter will be used:
(&(objectclass=top)(objectclass=person)(objectclass=organizationalperson)(objectclass=user)(company=Acme))
Creating / Updating
To create a new object in your directory, call the create
method:
$user = User::create([
'company' => 'Acme',
'givenname' => 'Steve',
'sn' => 'Bauman',
'cn' => 'Steve Bauman',
]);
When creating the above example model, the objectclass
attribute will automatically be
sent with all other attributes you have set for the user creation. This effectively
creates the proper object in your directory.
You may also create a new model instance, set its attributes, and call the save
method:
$user = new User;
$user->cn = 'Steve Bauman';
$user->givenname = 'Steve';
$user->sn = 'Bauman';
$user->company = 'Acme';
$user->save();
Similarly, to update an object, modify a model that was returned from a query and call the save
method:
$user = User::find('cn=Steve Bauman,dc=local,dc=com');
$user->company = 'Acme';
$user->save();
If you need help understanding user creation and management, take a look at the Active Directory user management tutorial.
Scopes
Sometimes you may need to utilize several of the same query filters around your application. Model scopes are a perfect for this, as you can extract these filters into its own class and apply it to a model query.
Be sure to take a peek at the query scopes documentation for a more in-depth look.
To create a new model scope, call the command:
php artisan make:ldap-scope OnlyAccountants
This will create a new model scope in your applications app\Ldap\Scopes
directory.
namespace App\Ldap\Scopes;
use LdapRecord\Models\Model;
use LdapRecord\Models\Scope;
use LdapRecord\Query\Model\Builder;
class OnlyAccountants implements Scope
{
public function apply(Builder $query, Model $model)
{
$query->where('title', '=', 'Accountant');
}
}
Now, you can either apply this scope globally so the query filter is applied on every query of your model, or apply it when you need it. Let's walk through both.
To apply your scope globally, override your models protected static boot
method, and then call the addGlobalScope
method:
namespace App\Ldap;
use LdapRecord\Models\Model;
use App\Ldap\Scopes\OnlyAccountants;
class User extends Model
{
// ...
protected static function boot()
{
parent::boot();
static::addGlobalScope(new OnlyAccountants);
}
}
You must pass a new instance of your scope into the
addGlobalScope
method, not the class name.
Any search queries that are performed on your User
model will now be properly scoped.
If you wish to apply a scope in certain situations, you may use the withGlobalScope
method:
$accountants = User::withGlobalScope('accountants', new OnlyAccountants)->get();
As you may have noticed above, you must provide a named string for the scope you are passing in.
Plain Authentication
Sometimes you simply want to know if a users LDAP credentials are valid. To do this, you must retrieve your LDAP connection from the LdapRecord connection container.
To do so, you must call the getConnection
method on the Container
and pass in the name of
your connection that appears in your config/ldap.php
file:
use LdapRecord\Container;
$connection = Container::getConnection('default');
To retrieve your default
connection that you have set in your ldap.php
configuration
file, call the getDefaultConnection
method:
use LdapRecord\Container;
$connection = Container::getDefaultConnection();
Once you have your connection, call the auth()->attempt
method with your users
Distinguished Name and their password:
use LdapRecord\Container;
$connection = Container::getConnection('default');
if ($connection->auth()->attempt('cn=user,dc=local,dc=com', 'SuperSecret')) {
// Credentials are valid!
}
If you don't want your user to have to enter in their Distinguished Name, locate the user in your directory first who is attempting to authenticate, and then pass in their Distinguished Name:
use LdapRecord\Container;
use LdapRecord\Models\ActiveDirectory\User;
$connection = Container::getConnection('default');
$user = User::findByOrFail('samaccountname', 'sbauman');
if ($connection->auth()->attempt($user->getDn(), 'SuperSecret')) {
// Credentials are valid!
}
If you need to determine why the users authentication is failing (for example, if their password has expired), you can retrieve the last message that was generated from your LDAP server. This message will usually contain a code that you can use to determine the cause of failure:
if ($connection->auth()->attempt($user->getDn(), 'SuperSecret')) {
// Credentials are valid!
} else {
$message = $connection->getLdapConnection()->getDiagnosticMessage();
if (strpos($message, '532') !== false) {
return "Your password has expired.";
}
}