[KLUG Programming] Converting to LDAP authentication with PHP

Tony Gettig programming@kalamazoolinux.org
Tue, 3 Jun 2003 11:00:11 -0400


Quoting Adam Williams <adam@morrison-ind.com>:

> > I've got a web app that currently stores authentication and minimal access
> > control in a mysql database. I want to change this app to authenticate against
> > my LDAP server (Novell eDirectory).
> 
> Good man.
> 
> > I've written code to successfully connect 
> > to LDAP, but I'm trying to understand how I need to approach actually doing
> 
> 
> Are you binding with a user name / password or anonymously?  If you're
> connecting aren't you in essence already authenticating?

With a username and password. 

> 
> > something once authenticated. I'm not normally a programmer...but I am playing
> > one today.
> 
> Role Playing, a noble pastime.

You bet! Especially when your superiors assign you the role!

> 
> > My dilemma: I can't have just anyone with an LDAP password connect and get
> > into this app. So either I need to extend my schema (probably not going to
> > happen here) or I need to still track user info somehow.
> 
> Can't you control access via group membership?  Say you're in group
> "tonysappadmins" so you get admin rights, otherwise, squat?

Great idea! I will try that. Sometimes the obvious still needs to be pointed 
out to the seeker. :)

> 
> > So I'm thinking I still need a username stored somewhere in the mysql database
> > if I can't extend schema. Here's one pseudo code idea (remember I'm not a
> > programmer by trade!):
> > (begin pseudo code)
> > authenticate against LDAP;
> > if (successful LDAP authenticate)
> > { 
> >    connect to mysql db with a different (hardcoded) password, which is the
> >    same for all users;
> >    if (successful mysql authenticate)
> >    { populate variables, set cookies, etc; }
> >    else { die with appropriate message }
> 
> I guess I'm missing what bits you're pulling from the MySQL database.
> Just the administrator flag?

The administrator flag yes, but I also need to store and retrieve username and 
real name values for things like tasks and project managers. But as I think 
through this, I should be able to get all that *from* LDAP and stuff it *into* 
the mysql db. 

If I can get this working, it really opens up a lot of possibilities for web 
apps, which run great on any platform with a web browser (w32, Linux, wireless 
pda's, yada yada). 

> 
> > The idea behind all of this is to let the users have one password to remember.
> 
> Yea!
> 
> > (Isn't it always about the users? :) 
> 
> No, sometimes it is about management.  I'm not certain which is worse. 
> This week I'm going with management.  Ask me again next Monday.

Comprendo! It's users this week for me, at least until school is out. Then it 
will probably be management all summer long!


-- 
Tony Gettig
http://www.gettig.net
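Added example, not code from the thread or from either poster. It fills in the pseudo code above in PHP along the lines Adam suggests: authenticate by binding to the directory as the user, then authorize by checking membership of an application group ("tonysappadmins") rather than extending the schema or keeping a second password in MySQL. The server URI, base DN, group DN, service-account DN and the use of `uid` as the login attribute are assumptions (eDirectory often keys users on `cn` instead); the group name comes from the thread, its DN is made up.

```php
<?php
// Added example (not from the original thread). Authenticate against LDAP by
// binding as the user, then authorize via group membership. All DNs, the URI
// and the uid attribute are assumptions for illustration.

function ldapConnectV3(string $uri)
{
    // ldaps:// keeps the user's password off the wire in clear text
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    return $ds;
}

/** Look up the user's DN with a read-only service account; null unless exactly one match. */
function findUserDn($ds, string $svcDn, string $svcPw, string $base, string $uid): ?string
{
    if (!@ldap_bind($ds, $svcDn, $svcPw)) {
        return null;
    }
    // ldap_escape stops a login name such as "*" or "x)(uid=admin" from rewriting the filter
    $filter = '(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = ldap_search($ds, $base, $filter, ['dn']);
    if ($sr === false) {
        return null;
    }
    $entries = ldap_get_entries($ds, $sr);
    return ($entries !== false && $entries['count'] === 1) ? $entries[0]['dn'] : null;
}

/** Authenticate: bind as the user with the password they typed. */
function authenticate($ds, string $userDn, string $password): bool
{
    // Many directories treat a bind with an empty password as an anonymous bind
    // and report success, so reject it before it reaches the server.
    if ($password === '') {
        return false;
    }
    return @ldap_bind($ds, $userDn, $password);
}

/** Authorize: is the user DN listed in the group's member attribute? */
function isGroupMember($ds, string $groupDn, string $userDn): bool
{
    // ldap_compare returns true, false, or -1 on error; only an exact true counts
    return ldap_compare($ds, $groupDn, 'member', $userDn) === true;
}

// Usage; every value below is an assumption.
$uri      = 'ldaps://ldap.example.org';
$base     = 'ou=people,o=example';
$adminGrp = 'cn=tonysappadmins,ou=groups,o=example';   // group name from the thread, DN assumed
$svcDn    = 'cn=webapp,ou=services,o=example';
$svcPw    = getenv('WEBAPP_LDAP_PW') ?: '';            // the one shared app secret, kept out of source

$login = $_POST['username'] ?? '';
$pass  = $_POST['password'] ?? '';

$ds     = ldapConnectV3($uri);
$userDn = $ds ? findUserDn($ds, $svcDn, $svcPw, $base, $login) : null;
if ($userDn === null || !authenticate($ds, $userDn, $pass)) {
    http_response_code(401);
    exit('Login failed');          // same message whether or not the account exists
}
$isAdmin = isGroupMember($ds, $adminGrp, $userDn);   // runs under the user's own bind
// At this point read displayName, mail, etc. from the directory into the session
// instead of keeping a copy in MySQL.
ldap_unbind($ds);
```

Two points worth keeping in mind with this layout: the group check runs on the connection bound as the user, so that user needs read access to the group's `member` attribute (otherwise re-bind as the service account first), and the empty-password check is not optional, since a successful anonymous bind looks exactly like a successful user bind to `ldap_bind`.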