[KLUG Programming] Converting to LDAP authentication with PHP
Adam Williams
programming@kalamazoolinux.org
03 Jun 2003 10:37:29 -0400
> I've got a web app that currently stores authentication and minimal access
> control in a mysql database. I want to change this app to authenticate against
> my LDAP server (Novell eDirectory).
Good man.
> I've written code to successfully connect
> to LDAP, but I'm trying to understand how I need to approach actually doing
Are you binding with a user name / password or anonymously? If you're
connecting, aren't you in essence already authenticating?
> something once authenticated. I'm not normally a programmer...but I am playing
> one today.
Role Playing, a noble pastime.
> My dilemma: I can't have just anyone with an LDAP password connect and get
> into this app. So either I need to extend my schema (probably not going to
> happen here) or I need to still track user info somehow.
Can't you control access via group membership? Say you're in group
"tonysappadmins" so you get admin rights, otherwise, squat?
> So I'm thinking I still need a username stored somewhere in the mysql database
> if I can't extend schema. Here's one pseudo code idea (remember I'm not a
> programmer by trade!):
> (begin pseudo code)
> authenticate against LDAP;
> if (successful LDAP authenticate)
> {
> connect to mysql db with a different (hardcoded) password, which is the
> same for all users;
> if (successful mysql authenticate)
> { populate variables, set cookies, etc; }
> else { die with appropriate message }
I guess I'm missing what bits you're pulling from the MySQL database.
Just the administrator flag?
> The idea behind all of this is to let the users have one password to remember.
Yea!
> (Isn't it always about the users? :)
No, sometimes it is about management. I'm not certain which is worse.
This week I'm going with management. Ask me again next Monday.
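
Added example, not part of the original message: a PHP sketch of the approach discussed in the thread, authenticating by binding as the user and then authorizing by group membership instead of a MySQL flag. The host, base DN, group DN, the `cn` lookup attribute, the `member` group attribute and the function name `ldap_login` are assumptions to adjust for the actual directory.

```php
<?php
// Placeholders (assumptions, not values from the thread).
const LDAP_URI  = 'ldaps://ldap.example.org';   // TLS: a simple bind sends the password as-is
const USER_BASE = 'ou=people,o=example';
const APP_GROUP = 'cn=tonysappadmins,ou=groups,o=example';

// Hypothetical helper: true only if the password is valid AND the user is in APP_GROUP.
function ldap_login(string $user, string $pass): bool
{
    // A bind with a DN and an empty password is an "unauthenticated bind",
    // which many servers report as success. Reject it before touching LDAP.
    if ($user === '' || $pass === '') {
        return false;
    }
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    try {
        // Step 1: find the user's DN. Assumes anonymous search is allowed;
        // otherwise bind here with a low-privilege service account.
        if (!@ldap_bind($ds)) {
            return false;
        }
        // Escape user input so it cannot alter the search filter.
        $filter = '(cn=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
        $sr = @ldap_search($ds, USER_BASE, $filter, ['cn']);
        if ($sr === false || ldap_count_entries($ds, $sr) !== 1) {
            return false;               // unknown or ambiguous user name
        }
        $dn = ldap_get_dn($ds, ldap_first_entry($ds, $sr));

        // Step 2: authenticate by re-binding as that DN with the supplied password.
        if (!@ldap_bind($ds, $dn, $pass)) {
            return false;
        }
        // Step 3: authorize. Read the group entry with a filter that only
        // matches when the user's DN is listed as a member.
        $member = '(member=' . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . ')';
        $gr = @ldap_read($ds, APP_GROUP, $member, ['cn']);
        return $gr !== false && ldap_count_entries($ds, $gr) === 1;
    } finally {
        ldap_unbind($ds);
    }
}
```

The application would call `ldap_login()` once at sign-in and set its session only on `true`; a valid directory password alone is not enough to get in.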