I may be hired to write a PHP app for a local company and they want me to integrate it with their Windows Active Directory. The app itself will be placed on their own server, the clients (users) will be accessing it from different PCs which are connected to the AD. I am new to this AD stuff, but I do know that I need to use LDAP to communicate with the AD.
So my app would need to operate (only read, actually) on users and user groups that are present within the company's AD.
One of the AD's benefits is that it gets rid of multiple user login forms when accessing different apps within the AD, that is, Windows Login is enough to access all the apps without the need to re-enter the user's credentials.
What I need to know is whether it is actually possible to resolve the user's identity after he has logged into his Windows (AD) account on some computer? I don't want to present the user with a login form to access my app since he would have to type in the same Windows username and password, so it's kind of extra work for the user. If this is actually possible to do, how should it be done? What do I need to use?
Any help would be greatly appreciated.
Windows Server Active Directory
- feyd
The guys over at sysinternals may be of help: http://www.sysinternals.com/Utilities.html
I'm not sure that's what I need... and somehow I doubt the company would allow me to use any of those.
What I really wanted to know is whether it is possible to identify the user easily enough without using any third party tools/utilities.
If it's so complicated, I guess I'll have to use the extra login form, although I'd really like to avoid it.
There's also another thing I'm not sure about.
The app I'd be coding is a learning system, so it will have the usual functionality such as assigning courses/learning material to users or user groups, assessments, various reports... As I mentioned before, the actual users (and user groups) are stored in the Active Directory, so my app would need to work with these 'global' users. But how do I make it possible? Different users in my app will have different permissions and attributes (from the app's point of view) - which are not available in AD user records. Also, say, you need to assign a course to some user. Normally you would just add a new record in the app's db and be fine. But in the case of working with an AD user I can't do the same since the user may be deleted from AD some time in the future and then the app's db would contain invalid data.
How do I work with AD users/user groups and make sure the data in my app's db is in sync with the users in AD?
Have any of you done something like that with Windows AD and PHP? What were your experiences/problems?
alex.barylski
Interesting approach....too bad PHP and Windows work together like water and electricity...
Anyways...
You'll likely need to read up on: http://www.microsoft.com/windows2000/te ... ilinks.asp
Familiarize yourself with the API, which I bet is implemented as COM interfaces, not traditional __cdecl calling conventions nor Windows specific __stdcall, so no third party language bindings are likely necessary.
For example (I'm willing to bet) PHP's MySQL extension is a language binding...or simply a wrapper around the original MySQL C API which uses Zend API to convert MySQL specific data types into PHP data types.
This is likely the API which you are going to use to manipulate the Windows Active Directory (or you could do it manually using file operations, but that would be like using a SQL database and file operations instead of SQL statements). From what I can tell anyways
I imagine you would then use PHP's COM support to begin using the API - or you could write your own Zend extension - which requires knowing C and knowing it well and working with COM interfaces in anything but C++ is a nightmare and a half!!!
http://ca3.php.net/manual/en/ref.com.php
Here is an article which from what I can tell demonstrates how to use PHP COM...I don't know for sure cuz I don't use COM with PHP; only in C++ under Windows do I have experience.
http://www.wynia.org/wordpress/2006/02/ ... -with-php/
I just skimmed this article, but the author says using PHP LDAP extensions it's possible to work with any LDAP, which from what I can tell is basically what Windows Active Directory is...
http://www.developer.com/lang/php/artic ... _3100951_2
If Windows Active Directory is basically LDAP you could likely use the above technique without the fuss of using the Windows COM interfaces...
The beauty of Windows COM interfaces is that the API is likely more specific and might result in less code in the long run.
The downside is you are now tied to Windows only, cuz I doubt any *nix nut is going to port that Windows AD over to *nix.
If you know your application will always be run on Windows and never change...USE the COM interfaces and not LDAP, because Windows is quirky and using "it's" API is the best and ONLY way to go!!!
Although by the sounds of things Windows uses an open standard API so who knows...this is just how I would go about solving this issue you describe.
HTH
Cheers
It would help if you would restate the problem more clearly.
If all you need is the ability to capture the user name (and domain) of the Windows user that is accessing your php page, that's easily done.
If you need more, that's challenging.
Be specific on which you want, and I'll explain the steps to achieve it.
- Christopher
I agree with Hockey that you should use the COM rather than LDAP. Only Microsoft would implement LDAP so that it is not LDAP.
http://www.php.net/manual/en/ref.com.php
Thanks, guys for your help. I do know the LDAP thingy etc, I don't see a problem with login anymore, I think I will figure it out one way or another.
The company has all their users and user groups stored in their AD and as I mentioned before, my app (learning system) needs to operate on these AD users. I do not need to actually edit/delete/add users within the AD, but what I do need to do is to use the user data for displaying in my app. My app will have the functionality of assigning courses to individual users as well as user groups, assessments, reports etc. Now here's the problem of mine: the app logic needs to maintain relations between users/groups/courses, but the actual users aren't stored within the app's db. For example, say, you need to assign a learning course to an individual user. Normally you would simply add a new entry in the db containing the user id and the course id and that's it. But in my case, the actual user records are stored in the AD, and not my app's db so I don't have the user id. My app will also have a permission system and the user records in the AD obviously do not have a 'ree's_app_permission_level' attribute.
I was thinking about storing all AD user IDs inside my app's db, then I could store the relations between objects (in this case, the assign-a-course-to-a-user example would 'work'). However, this would require a one-time import and the users deleted from the AD would still have their IDs present in my app's db which isn't that great.
To sum it up, I'm not exactly sure how I should relate the global AD data (users) to my app's local functionality and persist relations between app objects and the AD users.
Roja wrote: If you need more, that's challenging.
Yes, I need more, just as described in my last post in this thread and indeed I find it challenging.
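As an added example (not code from anyone in this thread), here is one way to cover both points raised above: picking up the Windows user name that Roja says is easy to capture, and keying the app's own records to AD users so they can be reconciled after deletions. It assumes the web server (IIS or Apache) does Windows authentication in front of PHP, a read-only AD service account, and a PDO connection to a hypothetical table app_user(ad_guid, name, active); host names and DNs are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes the web server (IIS or Apache)
// performs Windows authentication before PHP runs, a read-only AD service account,
// and a PDO connection to the app's own table app_user(ad_guid, name, active).
// Host, DNs and table names below are hypothetical.

// Identity: REMOTE_USER (Apache) / AUTH_USER (IIS) is trustworthy only because
// the web server set it after authenticating the client; never read it from a
// client-controlled header such as HTTP_REMOTE_USER.
function windowsUserFromServer(array $server): ?string {
    $raw = $server['REMOTE_USER'] ?? $server['AUTH_USER'] ?? '';
    if ($raw === '') return null;
    $name = strtolower(strpos($raw, '\\') !== false
        ? substr($raw, strrpos($raw, '\\') + 1)      // DOMAIN\user
        : explode('@', $raw)[0]);                     // user@domain.example
    return preg_match('/^[a-z0-9._-]{1,64}$/', $name) ? $name : null;
}

function adConnect(string $host, string $bindDn, string $bindPw) {
    $ld = ldap_connect("ldap://$host");
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);      // AD referrals otherwise break searches
    if (!ldap_start_tls($ld)) throw new RuntimeException('StartTLS failed');
    if (!ldap_bind($ld, $bindDn, $bindPw)) throw new RuntimeException(ldap_error($ld));
    return $ld;
}

// Key the app's rows on objectGUID: it survives renames and is never reused,
// unlike sAMAccountName. ldap_escape prevents filter injection from the login name.
function adUserGuid($ld, string $baseDn, string $sam): ?string {
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($ld, $baseDn, $filter, ['objectGUID']);
    $e   = ldap_get_entries($ld, $res);
    return $e['count'] === 1 ? bin2hex($e[0]['objectguid'][0]) : null;
}

// Reconcile on a schedule: rows whose GUID has left AD are flagged inactive,
// not deleted, so course assignments and reports keep referential integrity.
function reconcileUsers(PDO $db, array $liveGuids): int {
    $db->beginTransaction();
    $db->exec('UPDATE app_user SET active = 0');
    $stmt = $db->prepare('UPDATE app_user SET active = 1 WHERE ad_guid = ?');
    foreach ($liveGuids as $g) $stmt->execute([$g]);
    $db->commit();
    return (int) $db->query('SELECT COUNT(*) FROM app_user WHERE active = 0')->fetchColumn();
}
```

The $liveGuids list for reconcileUsers() would come from a scheduled search for (objectClass=user) returning objectGUID, paged if the directory holds more than the server's page limit; that search is left out here.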