Skip to end of metadata
Go to start of metadata

PHP 5 installations with functioning SASL EXTERNAL support should use ldap_sasl_bind to bind to UW directories requiring client authentication.

This example script establishes a connection to the configured LDAP server, issues the StartTLS extended operation, binds using ldap_sasl_bind with the SASL EXTERNAL (TLS client certificate authentication) mechanism, and performs a simple search using the defined searchbase and filter.

The newest Person Directory servers now use an InCommon server cert. Your application will need to include the Comodo root cert in your CACert file (identified as "/path/to/uwca.crt" below) to connect. See: Person Directory - Combined UWCA InCommon Root Certs. During initial testing in 2016 several apps took advantage of a certificate bundle and didn't require changes.

<head><title>PHP 5 ldap_sasl_bind example</title></head>
<h1>PHP 5 ldap_sasl_bind example</h1>


# UW Person Directory Service config
$host = "";
$base = "dc=personregistry,dc=washington,dc=edu";
$filter = "uwnetid=donn";

# UW Groups Directory Service config
# $host = "";
# $base = "dc=washington,dc=edu";
# $filter = "cn=u:cac:teg-smw";

# SASL EXTERNAL authentication config


# LDAPv3 is required
$r = ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, 3);

$d = ldap_connect($host);

if (!$d)

$r = ldap_start_tls($d);
if (!$r)

$r = ldap_sasl_bind($d, NULL, "", "EXTERNAL");
if (!$r)

$s = ldap_search($d, $base, $filter);
echo "ldap_search: " . $s . "<br />\n";

for ($c = ldap_first_entry($d, $s); $c; $c = ldap_next_entry($d, $c)) {
	$e = ldap_get_attributes($d, $c);
	echo "dn: " . ldap_get_dn($d, $c) . "<br />\n";
	for ($j = 0; $j < $e["count"]; $j++) {
		$a = ldap_get_values($d, $c, $e[$j]);
		for ($k = 0; $k < $a["count"]; $k++)
			echo $e[$j] . ": " . $a[$k] . "<br />\n";



Note: This script has been tested with PHP 5 on a Unix platform. It has not been tested on the Windows platform.

  • No labels