PHP on Linux getting logged in user name
| Sam Alexander 2006-05-19, 6:58 pm |
| Hello,
We use a Windows 2003 Active Directory network at work, and I'd like to
write some PHP apps that will get the user's domain username from their
computer and disallow anonymous access. This way I can assign access based
on their logged in name and not mess with passwords in the applications.
Is this possible? What if I used PHP with IIS on Windows instead of using
Apache on Linux?
Thanks ...
Sam
---
Sam Alexander - sam.alexander(at)sidebandbbs(dot)com
icq: 5386757 [] AIM/Y!: samalex1701 [] Skype: samalex01
Jabber: samalex/sidebandbbs.com [] MSN: samalex@gmail.com
"Data is not information, Information is not knowledge, Knowledge is not
understanding, Understanding is not wisdom." -- Cliff Stoll
--- Synchronet 3.13b-Linux NewsLink 1.84
--[SideBand BBS - telnet://sidebandbbs.com]--
| |
| nc@iname.com 2006-05-19, 6:58 pm |
| Sam Alexander wrote:
>
> We use a Windows 2003 Active Directory network at work, and I'd like to
> write some PHP apps that will get the user's domain username from their
> computer and disallow anonymous access. This way I can assign access
> based on their logged in name and not mess with passwords in the
> applications.
>
> Is this possible?
Define "this". Is it possible to have the same set of credentials for
local network and Web applications? Absolutely (read up on LDAP
functions in PHP). Is it possible to avoid double login (first,
logging into a workstation, then, into an application)? Probably not,
unless you have a custom client.
> What if I used PHP with IIS on Windows instead of using
> apache on Linux?
Doesn't matter. The problem is not in the Web server, it's in the
client. You can devise an application that will implement
authentication based on Active Directory (unless Microsoft severely
messed up its LDAP implementation, that shouldn't be a problem). The
real problem is that a browser has no idea on what machine or under
which user name it is running, so it has no way of automatically
supplying credentials to the server...
Cheers,
NC
| |
| ZeldorBlat 2006-05-19, 6:58 pm |
|
Sam Alexander wrote:
> Hello,
>
> We use a Windows 2003 Active Directory network at work, and I'd like to
> write some PHP apps that will get the user's domain username from their
> computer and disallow anonymous access.
This part is pretty easy (I just did it a week or so ago). The quick
and dirty way to check a username and password against Active Directory
(assuming you already have the username and password):
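    $username = 'joe.user@company.local';
    $password = 'mypasswd';
    $domain_controller = 'mydc';

    // Reject empty credentials first: a simple bind with an empty password is
    // an unauthenticated bind, which the server may accept as a success.
    // Note: port 389 without TLS carries the password unencrypted.
    if ($username !== '' && $password !== ''
        && ($ldap = ldap_connect($domain_controller, 389)) !== false) {
        // Active Directory expects LDAPv3
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        // @ suppresses the PHP warning raised by a failed bind
        if (@ldap_bind($ldap, $username, $password) !== false) {
            // the username and password were correct
        }
        else {
            // the username and password were not correct
        }
    }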
> This way I can assign access based
> on their logged in name and not mess with passwords in the applications.
>
> Is this possible? What if I used PHP with IIS on Windows instead of using
> apache on Linux?
>
> Thanks ...
>
> Sam
>
How you get the username and password is up to you. If your clients
are on the Windows domain and using IE, you can specify through group
policy that the username and password should be automatically sent to
websites on the "intranet" zone. So, when clients go to your website,
their Windows credentials will be visible in some PHP $_SERVER
variables. You'll still need to handle clients that don't
automatically send the info. I usually do something like this:
    if(empty($_SERVER['PHP_AUTH_USER']) || empty($_SERVER['PHP_AUTH_PW']))
    {
        header('WWW-Authenticate: Basic realm="company.local"');
        header('HTTP/1.0 401 Unauthorized');
        die(); //if they hit cancel
    }
Then you can grab the username and password from
$_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW']. Make sure the
realm ('company.local' in the example above) is set to your Windows
domain. It's this realm that lets Windows know to use your domain
credentials.
| |
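The Basic-auth prompt and LDAP bind from ZeldorBlat's post above, combined into one login gate, as an added example that is not part of the original thread. It assumes users log in with a UPN (as in `joe.user@company.local`), that the domain controller accepts LDAPS, and that access is granted by direct membership of one group; the host name, base DN and group DN are placeholders.

```php
<?php
// Added example. AD_URI, AD_BASE_DN and AD_GROUP are placeholder values.
const AD_URI     = 'ldaps://mydc.company.local';  // LDAPS, not plain port 389
const AD_BASE_DN = 'DC=company,DC=local';
const AD_GROUP   = 'CN=WebAppUsers,OU=Groups,DC=company,DC=local';

function challenge(): void
{
    header('WWW-Authenticate: Basic realm="company.local"');
    http_response_code(401);
    exit('Authentication required');
}

// Returns true only if the bind succeeds AND the account is in AD_GROUP.
function ad_authorize(string $upn, string $password): bool
{
    // An empty password turns the bind into an unauthenticated bind,
    // which the server may report as a success.
    if ($upn === '' || $password === '') {
        return false;
    }
    $ldap = ldap_connect(AD_URI);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ldap, $upn, $password)) {
        return false;
    }
    // Escape the user-supplied name before it goes into a search filter.
    $filter = sprintf('(&(userPrincipalName=%s)(memberOf=%s))',
        ldap_escape($upn, '', LDAP_ESCAPE_FILTER),
        ldap_escape(AD_GROUP, '', LDAP_ESCAPE_FILTER));
    $result = @ldap_search($ldap, AD_BASE_DN, $filter, ['dn']);
    $found  = $result !== false && ldap_count_entries($ldap, $result) === 1;
    ldap_unbind($ldap);
    return $found;
}

// Basic auth is only base64-encoded, so refuse to prompt over plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required');
}
if (!ad_authorize($_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '')) {
    challenge();
}
// From here on, $_SERVER['PHP_AUTH_USER'] is authenticated and authorized.
```

The `memberOf` filter matches direct group membership only; nested groups would need a different filter.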
| Colin McKinnon 2006-05-20, 6:57 pm |
| nc@iname.com wrote:
> Sam Alexander wrote:
<snip>
>
> Doesn't matter. The problem is not in the Web server, it's in the
> client. You can devise an application that will implement
> authentication based on Active Directory (unless Microsoft severely
> messed up its LDAP implementation, that shouldn't be a problem). The
> real problem is that a browser has no idea on what machine or under
> which user name it is running, so it has no way of automatically
> supplying credentials to the server...
>
Actually, that's not true.
NTLM is a proprietary solution but with open-source implementations. It will
only work with MSIE or a recent Firefox running on a MS-Windows platform
though. There's an apache NTLM module. Try Google for more info.
A far better solution is to use client side SSL certificates - that's what
they were designed for and it's not tied to a particular vendor's current
technology.
(If it's a non-mission critical thing in a trusted network you could use
ident - see the Squid proxy website for more details - but don't expect it
to be secure).
C.