PHP/Linux Version of Active Directory

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

cfytable
Forum Commoner
Posts: 29
Joined: Thu May 12, 2005 3:36 pm

PHP/Linux Version of Active Directory

Post by cfytable »

I am in the process of building an Intranet website. The specs call for certain users and groups to have varying levels of access to different parts of the website. My client also has a separate webmail system running on their host. Their goal is to have a seamless login across the two systems: Intranet and webmail, whereby logging into one logs you into the other, and vice-versa.

I have thought about storing the user list and roles in a MySQL DB for use by the Intranet site, but I'm thinking that I would have to drop the username/password details into a cookie and rewrite the webmail index page to grab those details from any cookie. This seems insecure as well as unnecessarily convoluted.

If I were using Windows, I probably would setup users and groups in Active Directory, set Basic Authentication in IIS on a directory level for the Intranet, and probably the webmail access would already be based on Active Directory. I am not too familiar with Apache's capabilities, though. Is there a Linux equivalent of Active Directory & ADSI? Or is there a better way to approach the subject of seamless logins across the Intranet and webmail systems?

Also, would the Linux equivalent of IIS Basic Auth prompts work in both IE and non-IE browsers?

Any help would be greatly appreciated.

PS: I'm not sure of the name of the webmail code package, but it's a Perl-based package.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

There is a mod_mysqlauth in Apache. This would allow .htaccess to use a MySQL table for user authentication. However, I am not sure if the mod is still in development.

If you have access to the webmail system db you could simply manipulate the user table of the webmail with your intranet admin tool. However most webmail progs use the server user table. This would require you to manipulate the user data on that level.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

The more general keywords you need for a web search: "Single sign-on".

Some links that might interest you:
http://tp.its.yale.edu/tiki/tiki-index. ... ionService
http://esup-phpcas.sourceforge.net/
hanji
Forum Commoner
Posts: 46
Joined: Fri Apr 29, 2005 3:23 pm

Post by hanji »

Hello

You can integrate Apache and PHP to talk to ActiveDirectory. I think you'll want to avoid MySQL if you want a complete 'across the board' login. I think you're on the right track thinking LDAP here. If ActiveDirectory doesn't play nice.. you can try OpenLDAP for Linux, or eDirectory (Novell).

You can use .htaccess or configure your vhosts.conf to query LDAP. This is the BasicAuth solution you were asking about for Apache.

Here is an example of how you could do this within your vhosts.conf:

Code:

<Directory "/var/www/localhost/htdocs/yourapplicationdir/">
    AuthName "Authentication required"
    AuthType Basic
    # DN and password of a read-only account that is used only to look users up
    AuthLDAPBindDN "cn=yourreadonlybindinguser,dc=yourdomain,dc=com"
    AuthLDAPBindPassword "yourreadonlybindinguserpassword"
    # LDAPS on 636; search the whole tree for the login name (sAMAccountName in AD)
    AuthLDAPUrl "ldaps://location.ofyourldap.server:636/dc=yourdomain,dc=com?sAMAccountName?sub"
    require valid-user
</Directory>
The above example hooks into ActiveDirectory over SSL (636 instead of 389). The LDAPBindPassword should be a user that can see your users.. but only have read/restricted access. I would not go with Anonymous binds.

You'll need to have ldap support built into apache, so may need to do a custom rebuild.

That's Apache.. but you can hook into ActiveDirectory with PHP as well...

Here is simple little function.. I really need to make this a class!

Code:

// Query an LDAP / ActiveDirectory server using the credentials held in the globals.
// $inLevel is "one" (ldap_list: direct children of $inDN) or "sub" (ldap_search: whole subtree).
// Returns array(errorFlag, passFlag, entry count, search result, connection handle).
function ldap_query($inDN, $inFilter, $inAttArray, $inLevel){
        global $ldap_server,$ldap_user,$ldap_pass;
        $sr                             = false;
        $ds                             = false;
        $outVal                         = array();
        $errorFlag                      = false;
        $passFlag                       = true;
        $count                          = 0;
        // Any user-supplied value placed inside $inFilter must be passed through
        // ldap_escape($value, "", LDAP_ESCAPE_FILTER) by the caller first,
        // otherwise a login name like "*" or "x)(objectClass=*" rewrites the filter.
        if(!$ds             = @ldap_connect($ldap_server)){
                echo "Unable to connect to LDAP server";
                exit();
        }
        // need this to work in ActiveDirectory
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        if(!ldap_bind($ds, $ldap_user, $ldap_pass)){
                echo "Unable to bind to LDAP server";
                exit();
        }
        switch($inLevel){
                case "one":                     // One (one level beneath base)
                        if(!$sr = @ldap_list($ds, $inDN, trim($inFilter), $inAttArray, 0, 0, 0, LDAP_DEREF_ALWAYS)){
                                $errorFlag      = true;
                                $passFlag       = false;
                        }
                        break;
                case "sub":                     // Subtree (everything beneath base)
                        if(!$sr = @ldap_search($ds, $inDN, trim($inFilter), $inAttArray, 0, 0, 0, LDAP_DEREF_ALWAYS)){
                                $errorFlag      = true;
                                $passFlag       = false;
                        }
                        break;
                default:                        // unknown scope: report an error rather than counting a missing result
                        $errorFlag      = true;
                        $passFlag       = false;
                        break;
        }
        if(!$errorFlag){
                $count          = ldap_count_entries($ds, $sr);
        }
        $outVal[0]              = $errorFlag;
        $outVal[1]              = $passFlag;
        $outVal[2]              = $count;
        $outVal[3]              = $sr;
        $outVal[4]              = $ds;
        return $outVal;
}
Also.. you can use some LDAP browser tools.. already created for PHP.. just to make sure you're hooking right, etc...

Homepage:    http://phpldapadmin.sourceforge.net
Description: phpLDAPadmin is a web-based tool for managing all aspects of your LDAP server.
I hope this helps
hanji
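The post above hooks PHP up to ActiveDirectory for lookups; the piece the original question still needs is verifying a user's password and mapping a group to an access level. The following is an added example, not hanji's code or anything from the thread: it looks the account up with a read-only service account, escapes the login name before it enters the filter, proves the password with a second bind as the user's own DN, and checks memberOf against a required group. The server, base DN, bind DN and group DN are placeholders.

```php
// Added example (not the poster's code): authenticate an intranet user
// against Active Directory and derive a role from group membership.
// Assumes LDAPS and a read-only service account; every name is a placeholder.
function ad_authenticate(string $username, string $password, string $requiredGroupDn): ?array
{
    $server = 'ldaps://dc.yourdomain.com:636';                      // placeholder
    $baseDn = 'dc=yourdomain,dc=com';                               // placeholder
    $bindDn = 'cn=readonlybind,ou=service,dc=yourdomain,dc=com';    // placeholder
    $bindPw = getenv('LDAP_BIND_PASSWORD') ?: '';                   // never hard-code it

    // AD accepts a bind with an empty password as an anonymous bind and
    // reports success, so an empty password must never reach the server.
    if ($username === '' || $password === '') {
        return null;
    }
    // Demand a valid server certificate so LDAPS actually authenticates the DC.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $ds = ldap_connect($server);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Step 1: find the account with the service credentials. Escape the
    // username so input such as "*" or "x)(objectClass=*" cannot alter the filter.
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        return null;
    }
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr = @ldap_search($ds, $baseDn, $filter, ['memberOf'], 0, 2);
    if ($sr === false || ldap_count_entries($ds, $sr) !== 1) {
        return null;                      // unknown user, or ambiguous match
    }
    $entry  = ldap_first_entry($ds, $sr);
    $userDn = ldap_get_dn($ds, $entry);
    $groups = @ldap_get_values($ds, $entry, 'memberOf') ?: ['count' => 0];
    unset($groups['count']);

    // Step 2: prove the password by binding as the user's own DN.
    if (!@ldap_bind($ds, $userDn, $password)) {
        return null;
    }
    ldap_unbind($ds);
    // memberOf lists direct memberships only; DN comparison is case-insensitive.
    $member = in_array(strtolower($requiredGroupDn), array_map('strtolower', $groups), true);
    return ['dn' => $userDn, 'groups' => array_values($groups), 'authorized' => $member];
}
```

A null return means "deny" for every failure (bad password, unknown user, server unreachable), so the caller never has to distinguish the cases; nested group membership is not resolved here because memberOf only carries direct groups.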
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I forgot to mention, CAS can work with an LDAP backend too :)

LDAP is really the way to go if you have multiple machines...