We have a PhD student here who is writing an excellent program. Basically, in a nutshell, it's to track student marks.
Anyway, he was wanting to use LDAP to authenticate users against the Active Directory. Can anybody give me advice on how to go about this on a Server 2k3 box?
I've installed WAMP server and have edited the php_ldap extension. This guy knows what he's doing with PHP so I will leave him to worry about getting the code right, but do I need to set up a special user for ldap and if so how or what settings should this user have?
I have only set up LDAP on Netware, but I created a user who could browse and read the Netware tree. I believe that is all you need unless you want LDAP to change any values. One thing to be aware of is that you should use secure LDAP; otherwise you will be allowing usernames and passwords to flow across the network in plain text.
AD doesn't allow anonymous searching, so you'll have to bind with a proper user, but it can be just that: a user, non-admin/non-special. A good tip I've run into was making that user's password not expire, as one day it will expire otherwise and you'll scratch your head over why your app has died... or in my case why my LDAP address book for all mail clients had become inaccessible.
He doesn't need it now - typical. What he does need though is some way of getting the currently logged on user (this is just going to be used internally) using his PHP script and using this to get the needed data from his database.
You mean he wants to get the name of the currently logged in Windows user from the client machine and pass that to his PHP-based web application? This might help:
Originally Posted by Hightower
Integrated Windows Authentication - Wikipedia, the free encyclopedia
I imagine this will be fiddly with any combination of tools that are not Internet Explorer on the client, IIS as the web server and a VB/ASP.Net/etc web application.
If you enable NTLM authentication on your web server, then the user name will be available to him via the normal HTTP authentication API.
NTLM auth module for Apache/Unix
Or if you are running apache on a windows box take a look at the mod-auth-sspi module.
The username should then be available in a PHP script by using the server variable $_SERVER['REMOTE_USER'].
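An added example (not code from the thread) that ties the advice above together: it takes the NTLM name that mod_auth_sspi leaves in $_SERVER['REMOTE_USER'], then looks the account up over LDAPS with a plain, non-admin service account as described earlier. The domain controller, base DN, service account and the LDAP_SVC_PASSWORD environment variable are assumptions.

```php
<?php
// Added example, not from the thread. The LDAPS URI, base DN and
// service-account credentials are placeholders; needs php_ldap.
// Turn the name mod_auth_sspi/NTLM puts in REMOTE_USER ("DOMAIN\jbloggs")
// into the bare sAMAccountName and refuse anything that does not look like one.
function sam_account_from_remote_user(string $remoteUser): string
{
    $pos  = strrpos($remoteUser, '\\');
    $name = $pos === false ? $remoteUser : substr($remoteUser, $pos + 1);
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $name)) {
        throw new InvalidArgumentException('unexpected REMOTE_USER format');
    }
    return $name;
}

// Look the user up with a read-only, non-admin service account over LDAPS
// (AD refuses anonymous searches, and plain ldap:// would expose the
// service password on the wire). Returns displayName/mail or null if absent.
function lookup_ad_user(string $sam): ?array
{
    $uri     = 'ldaps://dc1.yourdomain.local';  // placeholder domain controller
    $baseDn  = 'DC=yourdomain,DC=local';         // placeholder search base
    $svcUser = 'svc_marks@yourdomain.local';     // placeholder service account
    $svcPass = getenv('LDAP_SVC_PASSWORD');       // keep the secret out of the code
    $ad = ldap_connect($uri);
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
    if ($svcPass === false || $svcPass === '' || !@ldap_bind($ad, $svcUser, $svcPass)) {
        throw new RuntimeException('service bind failed: ' . ldap_error($ad));
    }

    // Escape the value so a crafted name cannot alter the search filter.
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $res     = ldap_search($ad, $baseDn, $filter, ['displayName', 'mail']);
    $entries = $res ? ldap_get_entries($ad, $res) : ['count' => 0];
    ldap_unbind($ad);

    if ($entries['count'] !== 1) {
        return null; // no such account (or an ambiguous match)
    }
    // ldap_get_entries() lower-cases attribute names
    return [
        'displayName' => $entries[0]['displayname'][0] ?? '',
        'mail'        => $entries[0]['mail'][0] ?? '',
    ];
}

$info = lookup_ad_user(sam_account_from_remote_user($_SERVER['REMOTE_USER'] ?? ''));
```

The returned array (or null) is what the script would then use to pull the matching rows from its own database.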
If anyone's curious on a PHP function to validate a user/login combo against LDAP (slightly modified to give you clues as to what variables to change/protect the innocent):
// Date: 26/11/2007
// Author: Friez
// Contains functions for use with LDAP.

// Verifies the username and password with
// LDAP and returns a 1 on success or 0 on failure.
// (The function name was not in the post as quoted and is assumed.)
function ldap_check_login($user, $pass)
{
    if($user == "" || $pass == "") // blank username or password: never attempt an empty bind
        return "0";

    $ad = ldap_connect("yourlogonserver"); // throw in your logon server here
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

    $fqname = $user . "@yourdomain.local"; // tap in your domain malarky here
    $ret = "-1"; // if we end up returning -1 something REALLY insane happened ;)

    $bd = ldap_bind($ad, $fqname, $pass); // bind as the user; false means bad credentials
    if($bd == false)
        $ret = "0";
    else
        $ret = "1";

    ldap_unbind($ad); // unbind the connection handle (not the bind result) before exiting the function!
    return $ret;
}
Thanks for that Friez, saves me looking as I'm currently re-coding my PHP helpdesk to use LDAP.
Or you could make use of the standard PEAR Auth package, which has support for these:
- All databases supported by the PEAR database layer
- All databases supported by the MDB database layer
- All databases supported by the MDB2 database layer
- Plaintext files
- LDAP servers
- POP3 servers
- IMAP servers
- vpopmail accounts (Using either PECL vpopmail or PEAR Net_Vpopmaild)
- SAMBA password files
- SOAP (Using either PEAR SOAP package or PHP5 SOAP extension)
- PEAR website
- Kerberos V servers
- SAP servers
0o0o great post localzuk -- I was unaware of that list with PEAR. I smell a "thank" on the horizon.