[KLUG Programming] Converting to LDAP authentication with PHP

Tony Gettig programming@kalamazoolinux.org
Tue, 3 Jun 2003 10:30:43 -0400


Hi all,

I've got a web app that currently stores authentication and minimal access 
control in a mysql database. I want to change this app to authenticate against 
my LDAP server (Novell eDirectory). I've written code to successfully connect 
to LDAP, but I'm trying to understand how I need to approach actually doing 
something once authenticated. I'm not normally a programmer...but I am playing 
one today.

As the app is now, once you're authenticated (from checking username and 
password against the mysql table), you go about your work and any changes to 
the database (it's a project management web app) have your name associated 
with it. Tasks, project ownership, etc. Besides being a valid user of the app, 
the only access control is a flag for administrator. You either are or are not 
an administrator, which just lets you create and remove users. 

My dilemma: I can't have just anyone with an LDAP password connect and get 
into this app. So either I need to extend my schema (probably not going to 
happen here) or I need to still track user info somehow.

So I'm thinking I still need a username stored somewhere in the mysql database 
if I can't extend schema. Here's one pseudo code idea (remember I'm not a 
programmer by trade!):

(begin pseudo code)
authenticate against LDAP;
if (successful LDAP authenticate)
{ 
   connect to mysql db with a different (hardcoded) password, which is the 
same for all users;
   if (successful mysql authenticate)
   { populate variables, set cookies, etc; }
   else { die with appropriate message }
}
else
{ 
   take the user back to the login page;
}
(end pseudo code)

The idea behind all of this is to let the users have one password to remember. 
(Isn't it always about the users? :) Given the scenario though, am I better 
off just having disconnected systems? Or should this really push me in the 
direction of trying to persuade the powers that be to extend the schema?

Any pointers in the right direction are appreciated. 

-- 
Tony Gettig
http://www.gettig.net
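As an added example (not Tony's code, and not from any project he mentions), here is the pseudo code above written out in PHP: the LDAP bind decides whether the password is right, and the app's own MySQL table decides whether that person may use the app at all and whether they are an administrator. The LDAP URI, the eDirectory container `ou=users,o=example`, the `app_users` table with `username` and `is_admin` columns, and the database credentials are all assumptions chosen for illustration.

```php
<?php
// Added example, not code from the original post. All values below are assumed placeholders.

// Assumed LDAP settings. ldaps:// so the user's password is not sent in clear text.
const LDAP_URI       = 'ldaps://ldap.example.com';
const LDAP_USER_BASE = 'ou=users,o=example';   // assumed eDirectory container holding the users

// Assumed MySQL settings. This is the app's own credential (the "hardcoded" password
// from the pseudo code); the table no longer needs a password column at all.
const DB_DSN  = 'mysql:host=localhost;dbname=projects;charset=utf8mb4';
const DB_USER = 'projapp';
const DB_PASS = 'CHANGE-ME';   // placeholder

/**
 * Step 1, authentication: bind to the directory as the user with the supplied password.
 * Returns true only when the simple bind succeeds.
 */
function ldap_authenticate(string $username, string $password): bool
{
    // An empty password turns a simple bind into an anonymous bind on many
    // directories, which "succeeds" for any username. Reject it before binding.
    if ($password === '') {
        return false;
    }
    // Only accept a plain short name; anything else cannot be a CN in this container.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Escape the value for DN syntax so the username cannot add extra RDN components.
    $dn = 'cn=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . LDAP_USER_BASE;

    // @ silences the warning PHP emits on a failed bind; the return value is what counts.
    $ok = @ldap_bind($ldap, $dn, $password);
    ldap_unbind($ldap);
    return $ok === true;
}

/**
 * Step 2, authorization: the directory says who the person is; the app's own
 * table says whether they are an app user and whether they are an admin.
 * Returns ['username' => ..., 'is_admin' => bool], or null if not an app user.
 */
function lookup_app_user(PDO $db, string $username): ?array
{
    // Prepared statement: the username came from a form, never interpolate it into SQL.
    $stmt = $db->prepare('SELECT username, is_admin FROM app_users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return ['username' => $row['username'], 'is_admin' => (bool) $row['is_admin']];
}

/**
 * Login flow mirroring the pseudo code: LDAP first, then the app table.
 * Returns the record to keep in the session, or null to send the browser back to login.
 */
function login(string $username, string $password): ?array
{
    if (!ldap_authenticate($username, $password)) {
        return null;   // wrong password, or unknown to the directory
    }
    $db = new PDO(DB_DSN, DB_USER, DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $user = lookup_app_user($db, $username);
    if ($user === null) {
        return null;   // valid directory account, but not an app user
    }
    return $user;
}

// Usage from the login form handler:
session_start();
$user = login($_POST['username'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    header('Location: /login.php?failed=1');
    exit;
}
session_regenerate_id(true);   // fresh session id once the user is authenticated
$_SESSION['user'] = $user;
```

Two details matter more than the rest. The empty-password check is not cosmetic: a simple bind with a DN and an empty password is treated as an anonymous bind by many directories, so without it any known username would log in. And the `app_users` row is what keeps "anyone with an LDAP password" out: the directory only answers "is this password right for this person", while membership in the app and the administrator flag stay in the table, so removing a user from the app is just deleting their row and needs no schema change on the directory side.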