  1. #1
    SitePoint Zealot HotDog's Avatar
    Join Date
    May 2000
    Location
    Salt Lake City, UT
    Posts
    108

    updated

    As some of you may know, I'm new to PHP by a few months. My first real project with it is my company's Intranet. It is entering its final stages and with it I have a few questions I hope someone is able to answer.

    The bulk of the project has moved to a LINUX box from development on our WIN2K file server. As of right now I have it set up where a user "registers" to use the intranet site by entering his information in a form and populating a database. I then authenticate UID and PWD from the DB. What I'd rather do is to be able to read and authenticate a user against his UID and PWD from the corporate server, thus eliminating the need to maintain 2 databases in 2 spots. I've done some searches on this (both here and over the net generally) and have come up with some answers to my questions. But with some of the answers, I get more questions.

    First of all, one of the problems I have is that I need to authenticate against a win2k server, but the web server is a linux box. So I have 2 basic questions:
    1. how do I authenticate a web user to a site using his UID and PWD from the win2k server.
    2. how do I synchronize or access this UID/PWD information from the linux box.

    The whole idea is that once a user is set up on the corporate server, he also has access to the intranet, which will be available over the net. I don't want to have to maintain 2 or more databases.

    We have been able to access folders & files on the win2k server from linux and make them available to the web. I've read several posts here at sitepoint about how PHP can capture UID & PWD in a global variable, which is what I want/need to do in order to identify a user against a user DB on the web. But I've also read how it is not smart to read the root file from the server with this information.

    So what do I do? How do I set up my site so that in order to gain access to it, the user needs to authenticate UID and PWD and have it access this information from the win2k server while my HTTP server is on linux?????

    See the update for this at http://www.sitepointforums.com/showt...threadid=27672
    Last edited by HotDog; Jul 17, 2001 at 16:17.
    Joe Eliason
    Just a dog learnin' PHP from cat.

  2. #2
    Grumpy Mole Man Skunk's Avatar
    Join Date
    Jan 2001
    Location
    Lawrence, Kansas
    Posts
    2,066
    How are the uid and password stored on the windows box? Are they in a database or stored somewhere on the system as a flat file?

    If it's a flat file then you will need to access that file with PHP and use PHP's text functions to figure out the username / password pairs and validate users that way.

  3. #3
    SitePoint Zealot HotDog's Avatar
    Join Date
    May 2000
    Location
    Salt Lake City, UT
    Posts
    108
    I am not a systems guy, so I talked to our NT administrator and he told me that on a win2k server the UIDs and PWDs are stored on a DB in the "active directory" in the winnt folder. The file is NTDS.DIT. He also said that this folder is inaccessible from the outside and it cannot be copied, as far as he knew.

    The guy setting up the Linux server said that he thought that he could access this info from Linux, but doesn't really know how. (We are not a linux shop, we are an AS/400 shop, so this is all kind'a new). One idea we had was to have one of our win2k servers run IIS and have that as the front door to the Intranet. That way, when the user logs on, they could authenticate against the NT network. After logging on, they would then be routed to the linux box for the rest of the site.

    Although this may work, it kind'a defeats the purpose of what we are trying to do. The idea is to not have IIS running and to use Apache and linux to host the Intranet site. But if it's not possible, then we'll have to go to a plan B work-around.

    So...does anyone have any suggestions????????
    Joe Eliason
    Just a dog learnin' PHP from cat.

  4. #4
    SitePoint Wizard
    Join Date
    Apr 2000
    Posts
    1,483
    I'm afraid it is impossible to access NT's SAM (Security Accounts Manager) from outside of the local machine. The best you could do would be to follow your last post and have the NT box as a gateway to the Linux one.

  5. #5
    SitePoint Zealot HotDog's Avatar
    Join Date
    May 2000
    Location
    Salt Lake City, UT
    Posts
    108
    Thanks for the heads up. I'll see how it works and let you know. Also if I find any other information on how to make it work, I'll let you know.
    Joe Eliason
    Just a dog learnin' PHP from cat.

  6. #6
    SitePoint Zealot HotDog's Avatar
    Join Date
    May 2000
    Location
    Salt Lake City, UT
    Posts
    108
    OK, this is what we have been able to do. We are able to use the NT box as a gateway to the intranet and verify UID and PWD against the corporate network. Once it is verified, the NT box automatically routes the user to the Linux box for the rest. Now, another problem that I'm running into is how do I capture the user's UID & PWD at the login so it can be passed on to the Linux box. I need this so I can check the user against a user table in the intranet DB on the Linux box. If I am able to do this, most of my problems are solved.

    Problems are that the NT box is not running PHP, only the Linux box. So can I do this capturing of UID & PWD from the NT box without php running on the box itself? Can I point the NT box to the Linux box to parse the php file, or is there another way to capture the UID & PWD into a variable and pass it on to the Linux box?
    Joe Eliason
    Just a dog learnin' PHP from cat.

  7. #7
    imagine no limitations exbabylon's Avatar
    Join Date
    Dec 2000
    Location
    Idaho, USA
    Posts
    452
    Why not just go pure Linux? Just forget the NT? Just a question.
    Blamestorming: Sitting around in a group discussing why a deadline was missed or a project failed and who was responsible.

    Exbabylon- Professional Internet Services

  8. #8
    SitePoint Zealot HotDog's Avatar
    Join Date
    May 2000
    Location
    Salt Lake City, UT
    Posts
    108
    Originally posted by exbabylon
    why not just go pure Linux? Just forget the NT? Just a question.
    I work for a major company in SLC. Our whole office network is run off win2k servers (a file server, email server, help desk server, Citrix servers). Our main server backbone for the web is IBM's AS/400 which is difficult to program and I'm just now being trained to program.

    What I have been tasked to do as of lately, as the company's webmaster, is create the corporate Intranet. I have decided the best way of creating this is to use php, to which I'm fairly new and still learning. We are just messing around with the Linux server thing right now and are not really sure that is the platform we will use. We already have IIS running to serve some applications from the web (email and the help desk). It would make no sense, nor is it possible, to drop NT since it is our network backbone within the office.

    What I'm trying to accomplish is to enable it so that I'm not maintaining an employee profile in 2 places. What I would like to be able to do, if possible, is enable our Intranet so that one logs on, using his UID & PWD already set up on the NT network. I then want to be able to capture his login UID so I can use it to create his Intranet user profile from the Intranet database. I want to create the Intranet so that after it's programmed, there is very minimal work on my end to maintain it. If we already have to set up a user account to allow an employee to access the office network, why not try and use this same information to access the Intranet?

    We've been playing with the Linux idea for basically 2 reasons. One to take some of the strain off the NT network servers since they are already occupied with several other tasks, and two being it seems to run faster and more efficient than IIS. But if push comes to shove, I'll have to go to IIS if Linux is not going to work, since that's what we already have in place.

    I don't know if this helps, but if anyone has any suggestions on how to accomplish the above scenario, please let me know. I like the Linux idea, but I'm beginning to think that staying within the NT framework is the better way to go.
    Joe Eliason
    Just a dog learnin' PHP from cat.

  9. #9
    midnight coder
    Join Date
    Dec 2000
    Location
    The flat edge of the world
    Posts
    838
    Could the IIS assign a cookie to the user once they've logged in, with the UID and PWD stored on the client's side, making them accessible to the Linux box?

  10. #10
    Grumpy Mole Man Skunk's Avatar
    Join Date
    Jan 2001
    Location
    Lawrence, Kansas
    Posts
    2,066
    Hmm... it sounds to me like you're going to end up having to stick with NT. You can run PHP on IIS (as CGI or an ISAPI module) so you'll still be OK on that front - it's just a shame it looks like linux won't be able to authenticate your users from the NT password thingy.

  11. #11
    SitePoint Zealot HotDog's Avatar
    Join Date
    May 2000
    Location
    Salt Lake City, UT
    Posts
    108
    What I've been trying to do as of lately is try and see if I can read the UID and PWD off the NT server from Linux. As I said, I'm not a systems guy, so trying to explain to our systems people what I'm trying to do and getting them to understand it is kind'a difficult, so I've spent a lot of time the past couple days researching this out myself. And what I've found so far is that with win2k, they have set up a system called the Active Directory which is a directory service. It is written in LDAP which according to www.pcwebopedia.com:

    ...LDAP should eventually make it possible for almost any application running on virtually any computer platform to obtain directory information, such as email addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory.
    So from my understanding of this, I should be able to access files from the Active Directory (which includes the User Login ID and Password to the network). Yes?? No?? Maybe???

    If this is true and I can do this, I can then just have the user login through the Linux server and be able to authenticate against the employee's UID and PWD on the NT server. I just need to figure out how to access the Active Directory and read the NTDS.DIT file.

    One reason I really would like to stay within the Linux framework is that it allows PHP to do more things than IIS does. For example, you are unable to use the $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE variables using IIS. It only works when PHP is running as an Apache module.

    So, has anyone tried to do this before or know how it might be done? If I'm wrong on any of the information above, please let me know.
    Joe Eliason
    Just a dog learnin' PHP from cat.

  12. #12
    Grumpy Mole Man Skunk's Avatar
    Join Date
    Jan 2001
    Location
    Lawrence, Kansas
    Posts
    2,066
    Interestingly, PHP has a full set of LDAP functions. Check this out:

    www.php.net/ldap

    You might also be interested in this LDAP tutorial on PHP Builder:

    http://www.phpbuilder.com/columns/dstanley20010206.php3
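
How a login check against Active Directory can be built on the PHP LDAP functions linked above, as an added example that is not part of the original thread: the Linux web server never reads NTDS.DIT or stored passwords, it asks the directory to verify the credentials by attempting an LDAP bind over TLS. The host name, domain suffix and base DN are placeholders, and the function name `ad_authenticate` is hypothetical.

```php
<?php
// Added example (not from the thread). All three constants are placeholders.
const AD_URI     = 'ldaps://dc1.corp.example';  // LDAPS so the password is not sent in cleartext
const AD_DOMAIN  = 'corp.example';              // UPN suffix appended to the login name
const AD_BASE_DN = 'DC=corp,DC=example';        // where user objects are searched

// Returns the user's directory profile on success, null on any failure.
function ad_authenticate(string $user, string $password): ?array
{
    // An empty password turns a simple bind into an unauthenticated bind,
    // which the server may accept; treat it as a failed login up front.
    if ($user === '' || $password === '') {
        return null;
    }
    // Accept plain account names only, so nothing unexpected reaches the bind DN.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    $conn = ldap_connect(AD_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);      // do not chase referrals
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The domain controller checks the password; success means valid credentials.
    if (!@ldap_bind($conn, $user . '@' . AD_DOMAIN, $password)) {
        ldap_unbind($conn);
        return null;
    }
    // Escape the name before it goes into a search filter (LDAP injection).
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = @ldap_search($conn, AD_BASE_DN, $filter, ['sAMAccountName', 'displayName', 'mail']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    ldap_unbind($conn);
    if ($entries['count'] !== 1) {
        return null;
    }
    // ldap_get_entries() lower-cases attribute names.
    return ['uid'  => $entries[0]['samaccountname'][0],
            'name' => $entries[0]['displayname'][0] ?? '',
            'mail' => $entries[0]['mail'][0] ?? ''];
}
```

The returned `uid` is the key to use for the lookup in the intranet's own user table; keep it in the server-side session and never store the password after the bind.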

