If you're talking about an active directory server here then yes, you can do it, but it's not particularly pretty. Typically the logic flow is:
1. Connect and bind to the LDAP server. If your intranet allows anonymous read only access yay, otherwise you'll need to get a dummy account set up that can search.
2. Search to discover the dn (distinguished name). Typically the login name users give will be the SAMAccountName, so you'll need to search your tree by SAMAccountName. Talk to your sysadmin or fire up an LDAP browser if you don't know what your tree looks like. This step will tell you whether the user exists.
3. Drop the connection and attempt to bind with the dn you discovered and the password supplied, and the result will tell you whether the user is authenticated.
The part that sucks about this is that the binding ops don't understand hashing, so unless this is strictly hobby-grade development you're going to want to establish SSL/TLS, which see ldap_start_tls() or failing that ldap_sasl_bind().
Edited to include the relevant functions from the docs
Last edited by ralph l mayo; 11-30-2006 at 01:39 AM..