Authenticate against ldap using PHP, active directory, while using IE/Firefox

Question

This code below checks for the user's credentials against ldap

<?php
$ldaphost = "ldap.domain.com";
$ldapport = 389;

$ds = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to $ldaphost");

if ($ds) 
{
    $username = "[email protected]";
    $upasswd = "pass";

    $ldapbind = ldap_bind($ds, $username, $upasswd);

    if ($ldapbind) 
        {print "Congratulations! $username is authenticated.";}
    else 
        {print "Access Denied!";}
}
?>

My users use Firefox and IE, and I know that can pass their ActiveDirectory credentials seamlessly.

I just want to check the AD group to see if that username is found in there, if so, display the page, otherwise prompt to enter in credentials.

Since our users are already logged into the domain controller, I want to grab their username, check to see if it was found in the specific group, then let them in, otherwise prompt user to input credentials. How is this possible?

Answer 1

Working just now on a similar setup: I skipped all of that LDAP stuff having the web server authenticating the client with AD before letting him in (sorry, I can't remember what's this called in the M$ alternate universe).

If the client reaches the PHP script he's in AD and I have his username both in $_SERVER["AUTH_USER"] and in $_SERVER["LOGON_USER"], otherwise he never gets to the script.

Answer 2

You actually do not need to communicate with the Active Directory server from your PP code to achieve what you want given the fact that you use IIS as your web server.

The key word here is Integrated Windows Authentication - that's the wording djn looked for. If this option is turned on (and anonymous access is denied) IIS will check the supplied credentials against the Active Directory and the NTFS filesystem privileges of the requested resources. You can therefore control access to your files using simple NTFS access control mechanisms.

If your users use IE they even don't have to type in their credentials as this is done automatically via so called SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) and its underlying mechanisms Kerberos or NTLMSSP depending on what your client and server is capable of processing.

As far as I know Firefox is able to hand over the Windows logon credentials to your server automatically too. You ony have to adjust a configuration option to turn on that feature - don't know if this information is still valid with Firefox 3.5.x.

If you're running Apache on a *nix-system you'll have to resort to some server-side-module to handle a Integrated Windows Authentication-like system. Possible options are (don't know whether they are actually still maintained or stable):

• mod_auth_ntlm_winbind
• mod_auth_kerb
• mod_ntlm

For Apache on Windows there are:

• mod_ntlm (outdated; not the same as mod_ntlm above)
• mod_auth_sspi (successor of mod_ntlm)

Please be aware that most of these modules seem to be very old.