[FX.php List] [OFF] SSO from another site, via LDAP w/ AD...

Joel Shapiro mail at jsfmp.com
Wed Oct 22 12:11:06 MDT 2014


Wow.  Who knew?  ;-)  

Thanks Steve!!  I now have less ignorance on these matters than I did two days ago.

Thanks for all the help.

-Joel


On Oct 22, 2014, at 10:45 AM, Steve Winter <steve at bluecrocodile.co.nz> wrote:

> Howdy
> 
>>>> I'm checking now if we can get the AD Group memberships passed along through the LDAP server to ExternalSite.  (Great idea, thanks!)
>>> 
>>> Welcome :-) Even if they can’t provide you with that information, then you can find it yourself once you know who they are, by asking the AD for that information as part of your hand-over from ExternalSite.
>> 
>> [JOEL] : Are you saying that we can get Group memberships for a user out of AD just from the username, even if we don't have the user's password?
> 
> I am…! So long as you have another account which can bind to the AD, and which has sufficient privileges to perform queries. A while back I implemented a PHP-based system which was able to create and modify users within AD, which included performing queries to determine if the user already existed, which groups they were in, and making changes as required, either creating the user and then putting them in groups, or changing the groups they were in based on the newly requested permissions.
> 
> If the user you bind to the AD with (i.e. login with) is a member of the Domain Admins group, then they can perform queries. In my code (which extends adLDAP) I have this function
> 
> 	private function _ldapAuth($get, $post, &$session) {
> 		$req = array('username', 'password');
> 		try {
> 			$this->_validate($req, $post);
> 			return $this->user()->authenticate($post['username'], $post['password']);
> 		} catch (adLDAPException $ex) {
> 			throw new Exception($ex->getMessage());
> 		}
> 	}
> 
> 
> Which logs in using a Domain Admin account, and results in the class variable $user being an authenticated user object.
> 
> Then when I want to find out about another user I can do this
> 
> 	private function _ldapUserInfo($get, $fields, &$session) {
> 		$req = array('username');
> 		try {
> 			$this->_validate($req, $get);
> 			$info = $this->user()->info($get['username'], $fields);
> 		} catch (adLDAPException $ex) {
> 			throw new Exception($ex->getMessage());
> 		}
> 		return $info;
> 	}
> 
> Which results in the local variable $info containing details of the user identified by the ‘new’ username.
> 
> And I also have
> 
> 	private function _ldapListUserGroups($get, $attr, &$session) {
> 		$req = array('username');
> 		try {
> 			// validate the same array the username is read from below
> 			$this->_validate($req, $get);
> 			$list = $this->user()->groups($get['username']);
> 		} catch (adLDAPException $ex) {
> 			throw new Exception($ex->getMessage());
> 		}
> 		return $list;
> 	}
> 
> Which returns the list of groups which the username is a member of.
> 
> Note that in the first two functions 'username' is the username of my Domain Administrator, but in the second two functions username is the username of the person we're interested in knowing information about.
> 
> HTH
> 
> Cheers
> Steve
> 
> 
> 
> Steve Winter
> +44 777 852 4776
> steve at bluecrocodile.co.nz
> 
> 
> 
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
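The lookup Steve describes, written with PHP's built-in ldap_* functions instead of adLDAP, as an added example that is not from the list post or the adLDAP project. It binds with a dedicated read-only service account (the page uses a Domain Admin; for plain reads a low-privilege account is enough and is what a defender should provision), escapes the username before it enters the filter, and resolves nested group membership. The host, DNs and account names are placeholders.

```php
<?php
// Added example: look up another user's AD groups knowing only their username,
// by binding with a service account. All hosts, DNs and names are placeholders.

function adUserGroups(string $uri, string $bindDn, string $bindPw,
                      string $baseDn, string $samAccountName): array
{
    $ds = ldap_connect($uri);                    // e.g. "ldaps://dc01.example.test"
    if ($ds === false) {
        throw new RuntimeException("bad LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD referrals only slow searches down

    // Bind as the service account, not as the end user: we never hold their password,
    // only the username handed over by the other site.
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }

    // Escape the externally supplied username so it cannot alter the filter.
    $sam    = ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))";
    $sr     = ldap_search($ds, $baseDn, $filter, ['distinguishedName']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    if ($entries === false || $entries['count'] !== 1) {
        throw new RuntimeException('expected exactly one matching user');
    }
    $userDn = $entries[0]['distinguishedname'][0];   // ldap_get_entries lowercases keys

    // memberOf lists only direct groups. Matching rule 1.2.840.113556.1.4.1941
    // (LDAP_MATCHING_RULE_IN_CHAIN) walks the member chain, so nested groups are
    // included. The primary group (normally Domain Users) is held in primaryGroupID
    // rather than member and is not returned by either query.
    $dnEsc  = ldap_escape($userDn, '', LDAP_ESCAPE_FILTER);
    $sr     = ldap_search($ds, $baseDn,
                "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$dnEsc))", ['cn']);
    $groups = [];
    foreach ($sr ? ldap_get_entries($ds, $sr) : [] as $k => $g) {
        if ($k !== 'count') {
            $groups[] = $g['cn'][0];
        }
    }
    ldap_unbind($ds);
    sort($groups);
    return $groups;
}

// Usage with placeholder values (bind password read from the environment, not hard-coded):
// print_r(adUserGroups('ldaps://dc01.example.test', 'CN=svc-ldapread,OU=Service,DC=example,DC=test',
//                      getenv('LDAP_BIND_PW'), 'DC=example,DC=test', 'jshapiro'));
```

The returned group names are what the application should map to its own permissions; the AD group list, not the other site's say-so, is then the source of truth for authorization.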
