[FX.php List] [OFF] SSO from another site, via LDAP w/ AD...

Steve Winter steve at bluecrocodile.co.nz
Wed Oct 22 11:45:11 MDT 2014


Howdy

>>> I'm checking now if we can get the AD Group memberships passed along through the LDAP server to ExternalSite.  (Great idea, thanks!)
>> 
>> Welcome :-) Even if they can’t provide you with that information, then you can find it yourself once you know who they are, by asking the AD for that information as part of your hand-over from ExternalSite.
> 
> [JOEL] : Are you saying that we can get Group memberships for a user out of AD just from the username, even if we don't have the user's password?

I am…! So long as you have another account which can bind to the AD, and which has sufficient privileges to perform queries. A while back I implemented a PHP-based system which was able to create and modify users within AD, which included performing queries to determine if the user already existed, which groups they were in, and making changes as required, either creating the user and then putting them in groups, or changing the groups they were in based on the newly requested permissions.

If the user you bind to the AD with (i.e. login with) is a member of the Domain Admins group, then they can perform queries. In my code (which extends adLDAP) I have this function

	// Bind to the AD using the credentials supplied in $post (a Domain Admin account).
	private function _ldapAuth($get, $post, &$session) {
		$req = array('username', 'password');
		try {
			$this->_validate($req, $post);
			return $this->user()->authenticate($post['username'], $post['password']);
		} catch (adLDAPException $ex) {
			throw new Exception($ex->getMessage());
		}
	}


Which logs in using a Domain Admin account, and results in the class variable $user being an authenticated user object.

Then when I want to find out about another user I can do this

	// Look up the attributes in $fields for the user named in $get['username'],
	// using the already-bound Domain Admin session.
	private function _ldapUserInfo($get, $fields, &$session) {
		$req = array('username');
		try {
			$this->_validate($req, $get);
			$info = $this->user()->info($get['username'], $fields);
		} catch (adLDAPException $ex) {
			throw new Exception($ex->getMessage());
		}
		return $info;
	}

Which results in the local variable $info containing details of the user identified by the ‘new’ username.

And I also have

	// Return the groups that the user named in $get['username'] belongs to.
	private function _ldapListUserGroups($get, $attr, &$session) {
		$req = array('username');
		try {
			// Validate $get, since that is the array read below.
			$this->_validate($req, $get);
			$list = $this->user()->groups($get['username']);
		} catch (adLDAPException $ex) {
			throw new Exception($ex->getMessage());
		}
		return $list;
	}

Which returns the list of groups which the username is a member of.

Note that in the first two functions 'username' is the username of my Domain Administrator, but in the second two functions username is the username of the person we're interested in knowing information about.

HTH

Cheers
Steve



Steve Winter
+44 777 852 4776
steve at bluecrocodile.co.nz
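The same lookup as described in the message above, written as an added example that is not Steve's code and does not use adLDAP: it goes through PHP's built-in ext/ldap functions, binds with a dedicated read-only service account instead of a Domain Admin, and reads the user's memberOf attribute. The domain controller hostname, base DN, service account DN and the LDAP_BIND_PASSWORD environment variable are placeholders/assumptions; the group name 'Finance' is a constructed sample.

```php
<?php
// Added example, not from the original post: look up a user's AD group
// membership over LDAPS with ext/ldap, binding as a read-only service
// account (assumption: such an account exists and can read memberOf).
// Hostname, base DN and account DN below are placeholders.

function ad_user_groups(string $username): array
{
    $host   = 'ldaps://dc01.example.internal';                              // placeholder DC
    $baseDn = 'DC=example,DC=internal';                                     // placeholder base
    $bindDn = 'CN=svc-ldap-read,OU=Service Accounts,DC=example,DC=internal'; // placeholder account
    $bindPw = getenv('LDAP_BIND_PASSWORD');                                 // keep it out of source

    $ldap = ldap_connect($host);
    if ($ldap === false) {
        throw new RuntimeException('Could not initialise LDAP handle');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise break searches

    if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
        throw new RuntimeException('Service account bind failed: ' . ldap_error($ldap));
    }

    // The username comes from another site, so escape it before it reaches the
    // filter; an unescaped value could change the query (LDAP filter injection).
    $safe   = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectClass=user)(sAMAccountName={$safe}))";

    $result = ldap_search($ldap, $baseDn, $filter, ['memberOf']);
    if ($result === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);

    if ($entries['count'] !== 1) {
        return []; // unknown or ambiguous account: treat as no memberships
    }

    // ldap_get_entries lowercases attribute names, hence 'memberof'.
    $memberOf = $entries[0]['memberof'] ?? ['count' => 0];
    $groups   = [];
    for ($i = 0; $i < $memberOf['count']; $i++) {
        // Each value is a full DN such as "CN=Finance,OU=Groups,DC=example,DC=internal";
        // keep just the CN for the membership check.
        if (preg_match('/^CN=([^,]+)/i', $memberOf[$i], $m)) {
            $groups[] = $m[1];
        }
    }
    return $groups;
}

// Usage: $handedOverUsername must be the identity established by the
// verified hand-over from the other site, not an unchecked request parameter.
$handedOverUsername = 'jsmith'; // constructed sample value
$groups = ad_user_groups($handedOverUsername);
if (in_array('Finance', $groups, true)) {
    echo "Access granted\n";
} else {
    echo "Access denied\n";
}
```

Two caveats when deciding access on memberOf: it omits the user's primary group (normally Domain Users), and it is not recursive, so membership inherited through nested groups does not appear unless you walk the group objects as well.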


