Our organization uses Google Apps for Business to handle employee email accounts. I’m wondering if it’s possible to integrate LDAP authentication when working with these Gmail accounts through PHP.
I need to authenticate users against our directory service before they can access email functionality in our custom application. Has anyone successfully implemented this kind of setup? I’m looking for guidance on whether Gmail supports LDAP authentication methods when accessed programmatically.
Any code examples or configuration tips would be really helpful. I want to make sure users don’t have to enter their credentials multiple times if they’re already authenticated through our LDAP system.
Hit this same problem six months back during our email migration. Google Workspace won’t talk directly to LDAP for Gmail, but I found a solid workaround that’s held up well. We used Google Cloud Directory Sync to pull our LDAP users into Google Workspace automatically. Then our PHP app checks LDAP first - once that passes, it grabs their existing Google session through SAML SSO. The trick was setting Google as the identity provider while keeping LDAP handling the actual auth. No more double logins, and our directory stays as-is. Setup was a pain initially but it’s been rock solid since.
Yeah, Google Workspace doesn’t do LDAP directly for Gmail. I synced my LDAP users with the Google Directory API, then authenticated them through LDAP, then used a service account to access Gmail. It’s worked well and saved users from logging in again.
Google Workspace doesn’t support LDAP authentication for Gmail API access directly. But you can work around this with a hybrid setup. Here’s what I do: authenticate users against your LDAP directory in your PHP app first. Once they’re authenticated, use OAuth 2.0 with domain-wide delegation to access Gmail programmatically. Set up a service account in Google Admin Console with the Gmail scopes you need, then impersonate the authenticated users to grab their emails. This way you skip individual user consent but keep your LDAP authentication. The trick is splitting authentication from authorization - LDAP verifies users, OAuth handles Gmail permissions.
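A sketch of the split described in the replies above (LDAP verifies the user, a delegated service account reads Gmail), added here as an example and not taken from any poster's code. It assumes the PHP ldap extension and the google/apiclient Composer package; the host name, DNs, `uid`/`mail` attributes, environment variable and key-file path are placeholders.

```php
<?php
// Added example: host names, DNs and file paths below are placeholders.
require 'vendor/autoload.php'; // google/apiclient installed via Composer

function ldapAuthenticate(string $user, string $password): ?string
{
    // An empty password turns the bind into an unauthenticated bind, which many servers accept.
    if ($user === '' || $password === '') {
        return null;
    }
    $ldap = ldap_connect('ldap://ldap.example.internal');
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if (!ldap_start_tls($ldap)) {          // do not send the password in clear text
        return null;
    }
    // Look the user up with a low-privilege account, escaping the user-supplied value.
    $lookupPw = (string) getenv('LDAP_LOOKUP_PW');
    if ($lookupPw === '' || !@ldap_bind($ldap, 'cn=lookup,dc=example,dc=internal', $lookupPw)) {
        return null;
    }
    $filter  = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($ldap, 'ou=people,dc=example,dc=internal', $filter, ['mail']);
    $entries = $result ? ldap_get_entries($ldap, $result) : ['count' => 0];
    if ($entries['count'] !== 1 || empty($entries[0]['mail'][0])) {
        return null;                       // unknown or ambiguous user
    }
    // The actual credential check: bind as the user's own DN.
    if (!@ldap_bind($ldap, $entries[0]['dn'], $password)) {
        return null;
    }
    return $entries[0]['mail'][0];         // mailbox comes from the directory, not the request
}

function gmailFor(string $mailbox): Google\Service\Gmail
{
    $client = new Google\Client();
    $client->setAuthConfig('/etc/myapp/service-account.json'); // keep the key outside the web root
    $client->setScopes([Google\Service\Gmail::GMAIL_READONLY]); // narrowest scope that does the job
    $client->setSubject($mailbox);         // impersonate only the user LDAP just verified
    return new Google\Service\Gmail($client);
}

$mailbox = ldapAuthenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
if ($mailbox === null) {
    http_response_code(401);
    exit('Authentication failed');
}
$messages = gmailFor($mailbox)->users_messages->listUsersMessages('me', ['maxResults' => 10]);
```

Because a domain-wide delegated key can read any mailbox in the domain, the impersonation subject here is taken only from the LDAP entry that passed the bind, and the scope granted in the Admin Console should match the read-only scope requested in code.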