MyBB Community Forums

Full Version: IIS - PHP - LDAP
Since I've gotten help many times on my random projects... why not try this one here as well. Since this has nothing to do with MyBB, feel free to ignore it if you wish... I'll probably try a similar question at http://www.experts-exchange.com/ as well...

I'm trying to develop some tools for internal use at the office... but I want to obey the security rules our company has set...

SETUP
------
- IIS6 running on a virtual server (Win2k3)
- CF7MX
- PHP5

I've managed to set up a directory for myself there that utilizes 'Digest Authentication for Windows domain server'.
So basically when I try to access a page in that directory, it requires me to give a username and password that is then verified against the LDAP (I suppose).

I tested it... and if I give incorrect user details for our domain, it gives me a 401... and if I give the right ones... it shows me the page... So all is fine there... the authentication seems to work...

Now I want to go to the next level... I want my PHP/CFM/ASP page in this directory also to be able to identify WHO it is that came in to read the page. I can only assume that I need to query the LDAP for that, right?
Since the first authentication does not store any cookie or anything like that which I could use later for identifying the visitor... how do I do that then?

So what do I need to do in order to have the username/firstname/lastname/employeenumber (all data elements in the LDAP) usable as variables on my subsequent pages in that directory? Basically I want to use these variables later in my tools to define personal access levels.

cheers,
Kimmo
Why not place your PHP files in another directory, and let PHP handle the authentication using the native PHP functions (ldap_connect, ldap_bind)? That will make it more flexible.

If I had such a setup, I could probably test whether, after the authentication, any information is being passed in the headers (you can use the Live HTTP Headers or Firebug plugin for Firefox to check it for yourself).
This could be the way (I pretend that I understand what I am talking about) indeed... but that would then mean I have to have IT support restart the server, right? I would also have to make changes in php.ini to enable this support, as well as copy some files over to the system directory... (a restart of a server is a big thing, they tell me)

I fear I am WAAAY over my head with this....wouldn't I have to give some credentials to the LDAP as well so it knows my app is allowed to query the database?
Yes, well, unless you find a way to make LDAP authorization send the required information in headers (via cookies or similar), all you can do is utilize the php LDAP extension. It actually makes sense to use it.

You do need a user account to access certain parts of LDAP, and what you can read/write depends on the ACL configuration of LDAP (which controls user access in slapd.conf when using OpenLDAP on Linux).

I think you should install phpLDAPAdmin and browse around the trees, and then get onto writing your PHP stuff. With phpLDAPAdmin you will be able to create your users too if you want.

Read this tutorial or search on google for relevant articles:
http://linux.cudeso.be/linuxdoc/ldap.php#Resources (visit the resources too, too much info is right over there)

<?php

// Connect to the directory server (hostname and port are placeholders).
$con = ldap_connect("ldap.host.com", 389);
// Most directories (Active Directory included) reject LDAPv2 binds, so request v3 first.
ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
// Bind with the user's DN and password; a failed bind means the credentials were rejected.
$bind = ldap_bind($con, "uid=username,ou=users,dc=example,dc=net", "mypassword") or die("failed on authorization!");

?>

For enabling this extension, yes, it needs a change in php.ini and requires copying a .dll file into the system folder, and a restart is also needed. But this PHP extension is always good to have.
heee....I think I've got myself a 'good enough' solution...

I use the IIS setting for 'Digest Authentication for Windows domain server'... that seems to work... now I looked through the PHP settings... and found a system variable that carries the login name (AUTH_USER)... it's good enough for me to take that variable... write it into a cookie if it tends to expire too soon... then use this id as a premise for my further needs for authentication
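The thread settles on IIS's AUTH_USER, while the reply above walks through the PHP LDAP extension. The block below is an added example (not code from this thread, from MyBB, or from any of the posters) that combines the two: it reads the login name IIS has already verified, looks that person up in the directory with a read-only service account, and caches the result in the server-side session rather than in a cookie. The host ldap.example.net, the base and service-account DNs, the LDAP_READER_PASSWORD environment variable, the "kimmo" sample access list, and the Active Directory attribute names (sAMAccountName, givenName, sn, employeeNumber) are all assumptions; a non-AD directory would typically filter on uid instead.

```php
<?php
// Added example, not code from the thread: identify the user IIS has already
// authenticated and (optionally) pull name/employee number from LDAP.
// Host, DNs, service account, env var and attribute names are assumptions.

session_start();

// IIS fills AUTH_USER only after it has verified the Digest credentials, so it
// is the one value on the request the page can trust. A cookie the page writes
// itself can be edited by the client and must not be used as proof of identity.
function current_login()
{
    $user = '';
    foreach (array('AUTH_USER', 'REMOTE_USER', 'LOGON_USER') as $key) {
        if (!empty($_SERVER[$key])) { $user = $_SERVER[$key]; break; }
    }
    if ($user === '') {
        // Should not happen when IIS protects the directory; refuse rather than guess.
        header('HTTP/1.1 401 Unauthorized');
        exit;
    }
    // Normalise "CORP\kimmo" and "kimmo@corp.example" to "kimmo".
    $user = preg_replace('/^.*\\\\/', '', $user);
    $user = preg_replace('/@.*$/', '', $user);
    return strtolower($user);
}

// Escape a value placed inside an LDAP search filter (RFC 4515) so a login
// name cannot change the filter's structure. PHP 5.6+ ships ldap_escape() for
// this; the manual map keeps the example usable on the PHP 5 of the thread.
function ldap_filter_escape($value)
{
    return strtr($value, array(
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ));
}

// Look the login name up with a dedicated read-only service account.
// Returns an array of attributes, or null when the user is unknown or ambiguous.
function lookup_user($login)
{
    $uri        = 'ldap://ldap.example.net';                        // assumption
    $base_dn    = 'ou=users,dc=example,dc=net';                     // assumption
    $service_dn = 'cn=webapp-reader,ou=service,dc=example,dc=net';  // assumption
    $service_pw = getenv('LDAP_READER_PASSWORD');                   // keep the secret out of the source file

    $con = ldap_connect($uri);
    if ($con === false) {
        return null;
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3); // v2 binds are rejected by most directories
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);        // AD returns referrals that break searches otherwise
    if (!@ldap_bind($con, $service_dn, $service_pw)) {
        ldap_unbind($con);
        return null;
    }

    $filter  = '(&(objectClass=user)(sAMAccountName=' . ldap_filter_escape($login) . '))';
    $attrs   = array('givenName', 'sn', 'employeeNumber');
    $result  = ldap_search($con, $base_dn, $filter, $attrs);
    $entries = $result ? ldap_get_entries($con, $result) : array('count' => 0);
    ldap_unbind($con);

    if ($entries['count'] !== 1) {
        return null; // 0 hits: not in the directory; >1 hits: ambiguous, do not pick one
    }
    $e = $entries[0]; // ldap_get_entries() lower-cases attribute names
    return array(
        'login'          => $login,
        'firstname'      => isset($e['givenname'][0])      ? $e['givenname'][0]      : '',
        'lastname'       => isset($e['sn'][0])             ? $e['sn'][0]             : '',
        'employeenumber' => isset($e['employeenumber'][0]) ? $e['employeenumber'][0] : '',
    );
}

// Re-read the server variable on every request (IIS re-authenticates each one)
// and keep the directory lookup in the server-side session only as a cache.
$login = current_login();
if (!isset($_SESSION['login']) || $_SESSION['login'] !== $login) {
    $_SESSION['login']   = $login;
    $_SESSION['profile'] = lookup_user($login); // null when not found
}

// Access decisions key off $login (set by IIS), never off a value the browser sent.
$admins   = array('kimmo'); // constructed sample access list
$is_admin = in_array($login, $admins, true);
```

The design point is where the identity comes from: AUTH_USER is populated by IIS after it has checked the Digest response, so it is trustworthy on every request and there is no need to copy it into a cookie. Anything the page writes into a cookie comes back from the browser and can be altered there, so a later page that reads the login name out of that cookie would let any authenticated user pose as any other. The session is used only so the LDAP round trip is not repeated on each hit; if the directory lookup is dropped, as the later post in this thread decides, the whole script reduces to current_login().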
Good to know that. hehe, I thought something MUST be passed on, and it was.

Anyways, maybe I was thinking of something else, but didn't you want access to the user's personal info like phone, email etc. from LDAP?
Actually I don't care really... all I wanted to make sure of is that they are authorized users from the company's perspective... and ideally I wanted to pull the lastname/firstname info from there... but it really doesn't add any functionality... I can build my authorization table based on the userid alone... and if I want to provide a more 'personalized' touch to the app I create... I might as well just add columns for first/last names in my table... no need then to request approval from corporate to be programmatically querying the LDAP etc...

thanks for the help anyway
I've managed to set up a directory for myself there that utilizes 'Digest Authentication for Windows domain server'.
So basically when I try to access a page in that directory, it requires me to give a username and password that is then verified against the LDAP

Could you be so kind as to post the code for doing the above?
Many thanks in advance!

(2007-02-27, 09:01 AM)Kimmo Wrote: Since I've gotten help many times on my random projects... why not try this one here as well. Since this has nothing to do with MyBB, feel free to ignore it if you wish... I'll probably try a similar question at http://www.experts-exchange.com/ as well...
Only 2 years late... not bad!