I'm not even sure if this is possible...PHP, Windows and AD

Posted: Wed Dec 16, 2009 8:31 pm
by ajlisowski
Hi, I just recently started a new job as a php developer for a mid-sized company. They are having me design and develop some intranet systems. The tricky part is, they do not want any sort of login. They want the system to be able to tell what user is currently logged in on the PC and give them privileges based on that.

They currently use Active Directory, which I know nothing about. But I did discover you can integrate AD into PHP using LDAP...

But...to be honest, I had never even heard of Active Directory before today, so these words I'm typing are simply from what I've read today.

Basically, am I on the right track in looking into LDAP to accomplish this task of having privileged AD users gain access to portions of my intranet system?

Any ideas of where to start? This is a bit out of my league, but I have plenty of time to figure it out as today was literally my first day.

Re: I'm not even sure if this is possible...PHP, Windows and AD

Posted: Wed Dec 16, 2009 8:52 pm
by daedalus__
google hu akbar

http://en.wikipedia.org/wiki/Active_directory

http://lmgtfy.com/?q=php+and+active+directory

What if someone wants to access the intranet from their home? Or an airport? Or their cell phone? McDonald's?

VPN? Remote desktop?

You have some serious considerations to make about your design. On the other hand, the less your company knows about it, the less work you have to do. But one day you might hear from a boss: "Well, so-and-so's kid said I could get on this from [insert medium]; why the hell didn't you think of that?"

Re: I'm not even sure if this is possible...PHP, Windows and AD

Posted: Thu Dec 17, 2009 8:55 am
by ajlisowski
As of right now, VPN would most likely be how someone would access the system from outside the office.

I did some reading on AD and PHP, thanks in part to the links you provided :)

It seems like it is very possible to authenticate users based on their AD binding after prompting them for their login. So I can definitely make a system that asks a user for their Windows login to access parts of the intranet.

However, I have yet to find anything that suggests I can simply grab their current Windows login for authentication. That seems to be the tricky part. Basically I would want to be able to check what user was logged in to the PC that was visiting the page and then query that against AD to bind the correct permissions.

I haven't seen anything that hints this may be possible. I can see potential security issues in allowing a site to know what your Windows username is. However, I would not need the password, as the fact they have logged in to the PC is enough authentication for me.

Basically, I need a way to have PHP know what your windows username is when you visit the page...and I see how that would be possible. Am I wrong?

Re: I'm not even sure if this is possible...PHP, Windows and AD

Posted: Thu Dec 17, 2009 9:42 am
by ajlisowski
OK...I've knocked the problem down to a much simpler one.

Basically I can use Java to get the currently logged-in user. Most everyone in our system would have Java installed and able to run for other tools they use, and since it is an intranet we can make sure the IT guys keep Java up to date on everyone.

So I would most likely be able to write a Java applet for PHP to query and grab the Windows username of the individual currently accessing the page.

I haven't written Java in a while...so...we will see how this goes.

If anyone has any suggestions or concerns with my method, please let me know. Again, I am traveling on new ground for myself, so I'll probably update this forum as I go to feel a little less lost and alone :)

Re: I'm not even sure if this is possible...PHP, Windows and AD

Posted: Thu Dec 17, 2009 9:59 am
by papa
If you are using IIS you can use Windows Auth, so the user doesn't have to log in multiple times, for example.

Re: I'm not even sure if this is possible...PHP, Windows and AD

Posted: Thu Dec 17, 2009 10:10 am
by Weirdan
ajlisowski wrote: "However I have yet to find anything that suggests I can simply grab their current Windows login for authentication."

Keywords to search for: php ntlm login

Re: I'm not even sure if this is possible...PHP, Windows and AD

Posted: Thu Dec 17, 2009 4:05 pm
by ajlisowski
So, after a day of beating my head against a wall...I am still relatively nowhere on this issue...

I did however find this:

http://sivel.net/2007/05/sso-apache-ad-1/

Would this work?

Basically, users are being authenticated on their Windows machine; they are then connecting to a Red Hat box on the server side, which will host the system.

So, if I were to install this Perl mod on Apache on the Red Hat box, would the users be authenticated on that domain? Or would it only authenticate for the actual Linux user which is being used on the Red Hat box?

Re: I'm not even sure if this is possible...PHP, Windows and AD

Posted: Thu Dec 17, 2009 8:27 pm
by Weirdan
I would recommend the second part of that howto (the mod_ntlm solution).
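The two routes discussed in this thread, put into one PHP script as an added example (this is not code from the thread, the linked howto, or any of the posters): the "prompt them for their login" route from ajlisowski's second post, where PHP verifies the password by binding to AD as that user, and the mod_ntlm/SSO route Weirdan recommends, where Apache (or IIS with Windows Auth) authenticates the browser and hands PHP only the account name in `REMOTE_USER`. In both cases the authorization decision ("privileges based on that") is made from the account's AD group membership. The host `dc.example.local`, the base DN, the group DN, the service account `svc_intranet` and the `LDAP_SVC_PASSWORD` environment variable are placeholders; the `$_POST` field names are assumed to come from your own login form. The security point worth drawing out is that `REMOTE_USER` is trustworthy only because a server-side auth module set it after a real NTLM/Kerberos exchange; a username reported by client-side code (a browser applet, a request header, a form field) is just a claim until the directory has checked a credential for it.

```php
<?php
// Added example: AD-backed login and group authorization for a PHP intranet page.
// All hosts, DNs and account names below are placeholders (assumptions, not real values).

const LDAP_URI    = 'ldaps://dc.example.local';                  // LDAPS so passwords never cross the wire in clear
const LDAP_BASE   = 'DC=example,DC=local';
const UPN_SUFFIX  = '@example.local';                             // user@domain form accepted by AD for binds
const ADMIN_GROUP = 'CN=Intranet Admins,OU=Groups,DC=example,DC=local';

/** Open and configure a connection; returns false if the directory is unreachable. */
function ldapConnection()
{
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);               // AD returns referrals that break searches otherwise
    return $ldap;
}

/**
 * Route 1 (SSO, mod_ntlm / IIS Windows Auth): the web server already authenticated
 * the browser. Read the verified name from REMOTE_USER only; never from a client-
 * supplied header or form field, which anyone can forge.
 */
function currentUserFromWebServer(): ?string
{
    $u = $_SERVER['REMOTE_USER'] ?? $_SERVER['AUTH_USER'] ?? '';
    if ($u === '') {
        return null;
    }
    $parts = explode('\\', $u);                                   // NTLM modules often hand back DOMAIN\user
    return end($parts);
}

/**
 * Route 2 (login form): prove the password by binding to AD as that user.
 * Nothing is stored; the directory does the checking.
 */
function authenticateByBind(string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;                                             // empty password can succeed as an anonymous bind
    }
    $ldap = ldapConnection();
    if ($ldap === false) {
        return false;
    }
    $ok = @ldap_bind($ldap, $username . UPN_SUFFIX, $password);  // bind as the user; false on bad credentials
    ldap_unbind($ldap);
    return $ok;
}

/**
 * Authorization for either route: look the account up with a read-only service
 * account and check its direct memberOf values against the wanted group DN.
 */
function isMemberOf(string $username, string $groupDn): bool
{
    $ldap = ldapConnection();
    if ($ldap === false) {
        return false;
    }
    if (!@ldap_bind($ldap, 'svc_intranet' . UPN_SUFFIX, (string) getenv('LDAP_SVC_PASSWORD'))) {
        ldap_unbind($ldap);
        return false;
    }
    // ldap_escape prevents a crafted username from changing the filter's meaning.
    $filter  = sprintf('(&(objectClass=user)(sAMAccountName=%s))', ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result  = ldap_search($ldap, LDAP_BASE, $filter, ['memberOf']);
    $entries = $result === false ? ['count' => 0] : ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);
    if ($entries['count'] !== 1) {
        return false;                                             // unknown or ambiguous account: deny
    }
    $groups = $entries[0]['memberof'] ?? ['count' => 0];          // ldap_get_entries lower-cases attribute names
    for ($i = 0; $i < $groups['count']; $i++) {
        if (strcasecmp($groups[$i], $groupDn) === 0) {
            return true;
        }
    }
    return false;
}

// Usage: prefer the SSO identity; fall back to the login form when the server set none.
$user = currentUserFromWebServer();
if ($user === null) {
    $user = $_POST['username'] ?? '';
    if (!authenticateByBind($user, $_POST['password'] ?? '')) {
        http_response_code(401);
        exit('Login failed');
    }
}
$isAdmin = isMemberOf($user, ADMIN_GROUP);
echo $isAdmin ? "Welcome, $user (admin section enabled)" : "Welcome, $user";
```

Two caveats on the authorization half: `memberOf` lists direct memberships only, so a user who is an admin through a nested group will be denied unless you resolve nesting (AD's `LDAP_MATCHING_RULE_IN_CHAIN` filter or a recursive lookup); and the service account should be able to read users and groups and nothing more, so a compromised web server cannot do anything with it beyond what the page already does.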