Hi.
I am researching how I can have an Intranet running on Apache and have it talk to the LDAP server, so that if "bobby" is browsing the site, they log in as "bobby", which tallies with their Active Directory [AD] username and password, and lets them in.
From then on, they can only see what I assign to their user, because the browser knows who they are.
Can anyone give me pointers on how to achieve this please?
I'm reading about LDAP right now, and I know the company has it installed, but only the current ASP site uses it, so the code will be completely alien to me (a PHP coder).
Thanks in advance.
Simon
Creating login using Active Directory via LDAP on PHP site
simonmlewis
- DevNet Master
- Posts: 4435
- Joined: Wed Oct 08, 2008 3:39 pm
- Location: United Kingdom
Re: Creating login using Active Directory via LDAP on PHP site
How we do it at my works is we use LDAP to verify the credentials, then store the username in a cookie, along with the session id - not the safest strategy but it predates me. We also store that information in a database, along with the access level of the user. On every page load, the cookie is checked against the database and the user level is used to determine whether to show the page or not.
When checking against LDAP, all we do is a simple connect (ldap_connect()) & bind (ldap_bind()). If the bind worked, the credentials were valid.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: Creating login using Active Directory via LDAP on PHP site
Excellent. You could be a very good person to know....
How do you actually get it to check the credentials? I've seen some LDAP connections (similar to MySQL connections), but don't see how you actually get it to check the "logon" with the database.
In our old intranet there is a field called AdminLevelDept, which I am guessing is how this guy did it with ASP.
I have an idea on how to assign 'Departments' to people's entries, but not sure if that is the way to go.
If you are highly knowledgeable on this, and I am guessing from your response that you are, I could really do with your help here.
I'm very proficient with "if" statements, so as to whether or not to display a button, for example (for admin purposes). So I am thinking of assigning 'Department' names to a staff member's field, and if that field contains "Marketing", for example, and they are in the marketing pages, they will get the "Delete, Edit" buttons.
regards
Simon
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
Re: Creating login using Active Directory via LDAP on PHP site
I think you've got 2 problems here.
1) You don't know how to run some PHP code that results in "The credentials the user supplied were checked against LDAP and they came back yay/nay".
2) You don't know how to determine what level of access the user should have.
1) To connect to an LDAP server, you'll of course need to know its address, such as ldaps://123.456.789.001 - make sure it's ldaps, as you'll be sending credentials. It will work with plain ldap, but of course, it's not encrypted. Once you've connected, you need to bind. An example call to ldap_bind() would be:
Code:
// bind as the user who is logging in: the bind DN is built from the username they typed,
// and the password they typed is the third argument; a successful bind means the credentials were valid
$bound = ldap_bind($result_from_ldap_conn, 'cn=' . $user_entered_username . ',o=Organization', $user_entered_password);
The 2nd argument - the bind rdn - is different for each implementation of LDAP, so your bind rdn will be different from mine. The ASP folks should be able to provide that string though, as it's directory dependent, not language dependent. Also, once this is in production, put an '@' in front of ldap_bind(), as it throws a warning whenever it fails (ie: whenever someone provides invalid credentials).
2) Our levels are determined by a mix of a config file and the group membership in our Directory. The config file says: "Users in this group have an access level of X, users in this other group have an access level of Y, etc". After we bind to our Directory, we do a lookup of all the Directory groups the user is a member of - such as "instructors", "administration", "phone_system_operator", etc. The user is then granted the access level of whatever group they are in - and that access level is stored in, and retrieved from, the database.
Another approach, which is arguably superior, is to list which actions can be done by which groups. So, operators would have read capabilities, administrators would have write capabilities. This allows you to get more granular with your rights, and I believe won't make you have to delve into your code when you decide to change which functionality a particular user group has access to - you can just change that in the config file.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
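The two pieces described in the replies above (bind as the user to verify credentials, then look up the user's directory groups and map groups to permitted actions from a config array), written out as an added example; this is not code from the thread or from any poster's intranet. It assumes PHP 7 or later with the ldap extension enabled, and the server URI, base DN, UPN suffix and group names are placeholders to replace with your own directory's values.

```php
<?php
// Added example, not code from the thread. Verifies AD credentials with an ldaps bind,
// reads the user's group memberships, and maps groups to permitted actions.
// All names below are assumed placeholders for your own directory.
const LDAP_URI   = 'ldaps://dc.example.internal';  // assumed; ldaps because credentials cross the wire
const BASE_DN    = 'dc=example,dc=internal';       // assumed
const UPN_SUFFIX = '@example.internal';            // assumed; AD accepts user@domain as the bind name
// "Which actions can be done by which groups" (constructed config; keys are group CNs).
$permissions = ['Marketing' => ['view', 'edit', 'delete'], 'Staff' => ['view']];

function ad_authenticate(string $username, string $password): ?array
{
    // AD treats a bind with an empty password as an anonymous bind that succeeds, so reject
    // it before binding; also restrict the username to characters valid in a sAMAccountName.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
        return null;
    }
    if (($conn = ldap_connect(LDAP_URI)) === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals
    // The bind itself is the credential check; @ silences the warning on bad credentials.
    if (!@ldap_bind($conn, $username . UPN_SUFFIX, $password)) {
        ldap_close($conn);
        return null;
    }
    // Read the user's memberOf attribute; ldap_escape() stops the username altering the filter.
    $filter  = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $search  = ldap_search($conn, BASE_DN, $filter, ['memberOf']);
    $entries = $search ? ldap_get_entries($conn, $search) : ['count' => 0];
    ldap_close($conn);
    $groups = [];
    if ($entries['count'] > 0 && isset($entries[0]['memberof'])) {
        for ($i = 0; $i < $entries[0]['memberof']['count']; $i++) {
            // memberOf holds full DNs ("CN=Marketing,OU=Groups,DC=..."); keep the leading CN value.
            $groups[] = ldap_explode_dn($entries[0]['memberof'][$i], 1)[0];
        }
    }
    return ['user' => $username, 'groups' => $groups]; // store this in $_SESSION, not in a cookie
}

// Page-level check: true if any of the user's groups permits the action (e.g. 'delete').
function can(array $user, string $action, array $permissions): bool
{
    foreach ($user['groups'] as $group) {
        if (in_array($action, $permissions[$group] ?? [], true)) {
            return true;
        }
    }
    return false;
}
```

Call ad_authenticate() with the posted username and password on the login page; if it returns an array, keep it in the server-side session and gate each button or page with can().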
Re: Creating login using Active Directory via LDAP on PHP site
Hello again
I am now back on this task, now I have PHP running locally with MySQL correctly.
This is the code I have found to use, though the ldap_connect doesn't seem to work:
Code:
// specify the LDAP server to connect to
$conn = ldap_connect("roy-spal-dc01") or die("Could not connect to server");
// Active Directory requires LDAP protocol version 3
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// bind to the LDAP server specified above (anonymous bind: no DN or password given)
$r = ldap_bind($conn) or die("Could not bind to server");
// start searching
// specify both the start location and the search criteria
// in this case, start at the top and return all entries
$result = ldap_search($conn, "dc=my-domain,dc=com", "(cn=*)") or die("Error in search query");
// get entry data as array
$info = ldap_get_entries($conn, $result);
// iterate over array and print data for each entry
for ($i = 0; $i < $info["count"]; $i++) {
    echo "dn is: " . $info[$i]["dn"] . "<br>";
    echo "first cn is: " . $info[$i]["cn"][0] . "<br>";
    echo "first email address is: " . $info[$i]["mail"][0] . "<p>";
}
// print number of entries found
echo "Number of entries found: " . ldap_count_entries($conn, $result) . "<p>";
// all done? clean up
ldap_close($conn);
The error message is:
Fatal error: Call to undefined function ldap_connect() in C:\xampp\phpmyadmin\royintranet\index.php on line 9
"roy-spal-dc01" is the name of one of the servers where Active Directory resides.
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.