views: 237
answers: 1

Hello all,

I have an interesting situation, and Google doesn't appear to have any information regarding the issue.

I develop web-based software written in PHP. Most of our clients have some sort of CAS server set up for authentication, and we simply point our site at their authentication server. We have a new client that does not have a CAS server, so I told them we could use LDAP, preferably with SSL (LDAPS). I'm not sure if they have the ability to do LDAPS, but the real problem is that (at the moment) they require the LDAP connection to be on the same network; thus, I would need to connect to their VPN first, and then query their LDAP server.

Now, I'm sure that I could make the VPN connection on our server, and have all traffic directed through that, but that would create a single point of failure for all of our clients and would be totally out of our control; so this really isn't an option.

I could probably find a way to make a connection, authenticate the user, then release the connection; but that seems like a poor choice that would take a long time.

So, does anybody know if I can (a) open a VPN connection in only PHP and then use that connection to connect to the LDAP server, or (b) somehow code PHP/configure my server so that only requests to the LDAP server use the VPN and all other requests use the default Internet connection?

I'm really a bit lost as to a good way to do this; any help would be greatly appreciated. Thanks very much!

A: 

Is there an SSH server at the client end? If so, perhaps you could arrange with the client to tunnel the connection through to an SSH server at their end. You could then ask your application to open the SSH tunnel just before it authenticates, and close it when it's done, similar to VPN.

You could possibly do this with VPN depending on the underlying OS. Either way is not going to be pretty and is going to be lacking in performance. Also, either way, the tunnel is going to be available for all applications on the server to use while it's open.

If this were me, I would write a web service to do the authentication, set up an agreement with the client to host this for me, and relay all authentication attempts to the web service. You would ideally set this up to use HTTPS as well.

Depending on the network setup between your application and your client, and how much control you both have over your networks, your client may be able to route requests from one of your IPs through to their network - we did this once with a third party. We needed access to one of their services on a private subnet, and because we were both with the same ISP we reached an agreement that the ISP would configure and maintain the routing, so we effectively got a completely private tunnel.

Andy Shellam

Andy, thanks for the response. We'll consider the web service for authentication. Ideally, they would host a CAS server, so perhaps it's time we had a standard one set up and ready to go that they could purchase and configure.
Topher Fangio
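One way to implement the SSH-tunnel approach from the answer above in PHP, as an added example that is not part of the original post or answer: the tunnel is opened for a single bind and torn down right after, and is bound to 127.0.0.1 only. The host names, SSH account, local port and base DN are placeholders (assumptions), and the web server user is assumed to hold an SSH key accepted by the client's SSH server.

```php
<?php
// Added example, not from the original post. Authenticates one user over LDAP
// through a short-lived SSH port forward to the client's SSH server. The host
// names, SSH account and ports are placeholders (assumptions), and the web
// server user is assumed to hold an SSH key accepted by the client (BatchMode).
const SSH_HOST   = 'deploy@ssh.client.example';
const LDAP_HOST  = 'ldap.internal.example';   // only reachable inside the client's network
const LOCAL_PORT = 38901;                     // bound to 127.0.0.1 only
const BASE_DN    = 'dc=example,dc=com';

function openTunnel() {
    // -N: no remote shell; ExitOnForwardFailure makes ssh exit if it cannot bind the port.
    $cmd = sprintf('ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -o ConnectTimeout=5 '
                 . '-L 127.0.0.1:%d:%s:389 %s', LOCAL_PORT, LDAP_HOST, SSH_HOST);
    $proc = proc_open($cmd, [], $pipes);
    if (!is_resource($proc)) { return null; }
    // Poll until the local port accepts connections, or ssh has already exited.
    for ($i = 0; $i < 50; $i++) {
        if (!proc_get_status($proc)['running']) { proc_close($proc); return null; }
        $probe = @fsockopen('127.0.0.1', LOCAL_PORT, $errno, $errstr, 0.2);
        if ($probe !== false) { fclose($probe); return $proc; }
        usleep(100000);
    }
    proc_terminate($proc); proc_close($proc);
    return null;
}

function authenticateUser($username, $password) {
    // An empty password turns ldap_bind into an anonymous bind, which many directories
    // accept, so it must be rejected before it reaches the server.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) { return false; }
    $tunnel = openTunnel();
    if ($tunnel === null) { return false; }
    try {
        $ds = ldap_connect('ldap://127.0.0.1:' . LOCAL_PORT);
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
        // Escape the username so it cannot change the structure of the bind DN.
        $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',ou=people,' . BASE_DN;
        $ok = @ldap_bind($ds, $dn, $password);   // traffic stays inside the SSH tunnel
        ldap_unbind($ds);
        return $ok;
    } finally {
        proc_terminate($tunnel);   // close the forward as soon as the bind is done
        proc_close($tunnel);
    }
}
```

Because the forward only lives for the duration of one bind and listens on the loopback address, the window in which other processes on the server could reuse it (the concern raised in the answer) is kept as small as this approach allows.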