  1. #1
    SitePoint Addict
    Join Date
    Aug 2005
    Location
    Lithuania, Europe
    Posts
    295

    Windows Server Active Directory

    I may be hired to write a PHP app for a local company and they want me to integrate it with their Windows Active Directory. The app itself will be placed on their own server, the clients (users) will be accessing it from different PCs which are connected to the AD. I am new to this AD stuff, but I do know that I need to use LDAP to communicate with the AD.

    So my app would need to operate (only read, actually) on users and user groups that are present within the company's AD.

    One of AD's benefits is that it gets rid of multiple user login forms when accessing different apps within the AD; that is, the Windows login is enough to access all the apps without the need to re-enter the user's credentials.

    What I need to know is whether it is actually possible to resolve the user's identity after he has logged into his Windows (AD) account on some computer. I don't want to present the user with a login form to access my app since he would have to type in the same Windows username and password, so it's kind of extra work for the user. If this is actually possible to do, how should it be done? What do I need to use?

    Any help would be greatly appreciated.

  2. #2
    SitePoint Member
    Join Date
    May 2004
    Location
    Belarus
    Posts
    21
    I know IE has the ability to use the system login/pass,
    so the main problem is to get PHP working with Active Directory:
    http://www.php.net/manual/en/ref.ldap.php

  3. #3
    SitePoint Member
    Join Date
    May 2004
    Location
    Belarus
    Posts
    21
    IE:
    Tools -> Internet Options, choose the Security tab, click on the Custom Level button, scroll down, and you'll see the User Authentication preference.
    Have a nice day.

  4. #4
    SitePoint Addict
    Join Date
    Aug 2005
    Location
    Lithuania, Europe
    Posts
    295
    Well, I need to store the user's ID data in the PHP session, and I cannot get this info from IE alone.

    There's also another thing I'm not sure about.

    The app I'd be coding is a learning system, so it will have the usual functionality such as assigning courses/learning material to users or user groups, assessments, various reports... As I mentioned before, the actual users (and user groups) are stored in the Active Directory, so my app would need to work with these 'global' users. But how do I make it possible? Different users in my app will have different permissions and attributes (from the app's point of view) - which are not available in AD user records. Also, say, you need to assign a course to some user. Normally you would just add a new record in the app's db and be fine. But in the case of working with an AD user I can't do the same since the user may be deleted from AD some time in the future and then the app's db would contain invalid data.

    How do I work with AD users/user groups and make sure the data in my app's db is in sync with the users in AD?

    Has any of you done something like that with Windows AD and PHP? What were your experiences/problems?

  5. #5
    SitePoint Wizard Ren's Avatar
    Join Date
    Aug 2003
    Location
    UK
    Posts
    1,060
    What OS is the AD running on? I remember reading about the Win 2003 version of AD, which had an application mode, so it could store private application data within the AD itself. That could be one possibility.

  6. #6
    SitePoint Addict
    Join Date
    Aug 2005
    Location
    Lithuania, Europe
    Posts
    295
    They're on 2000. Any advice?

  7. #7
    Don't eat yellow snow spaceman's Avatar
    Join Date
    Mar 2001
    Location
    Melbourne, Australia
    Posts
    1,039
    Looking for advice in this area ourselves...

    A few articles on the subject:

    http://www.developer.com/lang/php/article.php/3100951
    http://builder.com.com/5100-6387_14-5032010.html
    http://www.experts-exchange.com/Web/..._21043386.html
    http://adldap.sourceforge.net/ (this php class looks encouraging and is rated 'production/stable' status)

    We've just enabled LDAP support for php on a linux server, and now wish to access the Active Directory on a Windows 2000/3? server on the same LAN.

    This may be a stupid question (because I know so little about the whole LDAP thing at this stage), but what work needs to be done (permissions? LDAP support??) on the Windows server to allow us to communicate with the Active Directory using php via LDAP from the Linux machine?

    Thanks for any guidance in this area.

  8. #8
    SitePoint Member
    Join Date
    Jun 2006
    Posts
    1
    Hi,

    In order to connect to an AD via PHP (assuming you've compiled PHP with LDAP support) you just need to use the following code:

    Code:
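    $ldap = ldap_connect("ldap://full.path.to.domain.com") or die("Couldn't connect to LDAP server.");

    // Active Directory expects LDAPv3; referral chasing is usually turned off for AD searches.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Note the use of the @ before the function to suppress errors.
    $bind = @ldap_bind($ldap, "Username", "Password");

    if ($bind) {
      // Connected so you can do whatever you want to the ldap server now.
    }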
    Look at http://us2.php.net/manual/en/ref.ldap.php for loads of info on the subject.

    In terms of the Win AD nothing needs to be modified. Basically, if you bind with Administrator (I don't recommend it unless you have to) you can do whatever you like to the LDAP backend of AD. If you bind with a lower level user you will be limited to their normal access etc.

    I suppose if you simply wanted a login to check if a username and password are correct according to the AD server you could do something like this:

    Code:
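    session_start();
    $user = isset($_POST['username']) ? $_POST['username'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';
    // Reject empty values: ldap_bind() with an empty password is an anonymous
    // bind, which the server can accept without checking any credentials.
    if (empty($_SESSION['loggedIn']) && is_string($user) && is_string($pass)
      && $user !== '' && $pass !== '') {
        $ldap = ldap_connect("ldap://domain.com");
        // Active Directory expects LDAP protocol version 3.
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        if (@ldap_bind($ldap, $user, $pass)) {
          session_regenerate_id(true); // issue a fresh session ID after login
          $_SESSION['loggedIn'] = true;
        }
    }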
    So basically, nothing to it. Unless you want to add additional data to the AD like ReeD does. As for adding additional 'application' data.... have a look at... http://www.microsoft.com/windowsserv...m/ADAMfaq.mspx

    Hope this helps people.

    Mike

    --

    Michael F Clarke
    MEng Software Engineering
    University of Wales, Aberystwyth
    mfc5@aber.ac.uk
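
An added example, not part of the original thread or any poster's code: a fuller login check for the read-only users-and-groups scenario discussed above. It refuses empty passwords, finds the account with a read-only service account, escapes the search filter value, re-binds as the user, and returns the user's group DNs. The host, base DN, service account DN and function names are placeholders assumed for illustration.

```php
<?php
// Added example; host, base DN and service account below are placeholders.
const AD_URI     = 'ldaps://dc.example.com';
const AD_BASE_DN = 'DC=example,DC=com';
const SVC_DN     = 'CN=svc-lms,OU=Service Accounts,DC=example,DC=com';

function ad_connect()
{
    $ldap = ldap_connect(AD_URI);
    if ($ldap === false) {
        return false;
    }
    // AD expects LDAPv3; referral chasing is turned off for subtree searches.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    return $ldap;
}

// Returns ['dn' => ..., 'groups' => [...]] on success, null on any failure.
function ad_authenticate($username, $password, $svcPassword)
{
    // An empty password turns ldap_bind() into an anonymous bind that the
    // server can accept, so refuse it before talking to the directory.
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return null;
    }
    $ldap = ad_connect();
    if ($ldap === false || !@ldap_bind($ldap, SVC_DN, $svcPassword)) {
        return null;
    }
    // Escape the user-supplied name so it cannot alter the search filter.
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = @ldap_search($ldap, AD_BASE_DN, $filter, ['memberOf']);
    $entries = $result ? ldap_get_entries($ldap, $result) : false;
    if (!$entries || $entries['count'] !== 1) {
        ldap_unbind($ldap);
        return null;                 // unknown or ambiguous account
    }
    $dn = $entries[0]['dn'];
    // Re-bind as the user: the directory, not the app, verifies the password.
    $ok = @ldap_bind($ldap, $dn, $password);
    ldap_unbind($ldap);
    if (!$ok) {
        return null;
    }
    $groups = $entries[0]['memberof'] ?? [];   // attribute keys come back lowercased
    unset($groups['count']);
    return ['dn' => $dn, 'groups' => array_values($groups)];
}
```

memberOf lists direct group memberships only; the user's primary group and nested groups are not included.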

