Determine Windows user that is logged on

epitomy

Hey Folk,

I've been trying to implement an automated LDAP authentication for Windows & Novell. I have the authentication working, and am able to do whatever I need to do with the Novell tree.

The only step remaining, is to actually detect a user's logon name. From the webserver (IIS & PHP 4.3.2), is there any way to pass in the client's logon name - as it's stored in windows in the following environment variables:

USER=smarch
USERNAME=smarch
NWUSERNAME=smarch

I realize there is a REMOTE_USER variable, but that only seems to work with HTTP Authentication.

Any ideas? Can I actually pass my own client enviornment variables to the server ?

~Steve

Mordecai

I'm not exactly sure what you mean. You can set, reset, and erase all environment variables as you please, but they're reset with every file opened. If you wanted to pass a variable, you can use $GET, $POST, or $_SESSION. If you're attempting to avoid using a browser, you can still send HTTP GET/POST to the http server.

epitomy

Sorry for the confusion.

I have a Windows 2000 Client, accessing the web-server. I would like the client to access a page, and have it know what Windows account was currently logged on the client.

There are several environment variables on the client that contain this information, however, the server only has access to it's own Environment variables.

I hope that's a little more clear in what I'm trying to do 🙂

Cheers,
~Steve

sharapov

epitomy,

Were you able to solve your problem? I am trying to do the same thing you are doing, but I don't know how to get user's name from the loged in workstation and pass it to the LDPA server (Active Directory) for verification. What I want ultemately to happen is to display one page if user belongs to a sertain group in Active Directory and some other page if user belongs to some other group. If you have a solution can you post it here, or contact me. Thanks.

epitomy

Sharapov,

Here's an example of the code I used to see if somebody belongs to a certain group. This is using PEAR's db_ldap2 extension .. I find it very handy. You can tell if somebody is part of a group very easy ... depending on your ActiveServer setup, you may not require an encrypted SSL link (for mine I did for authentication). If you do not require the SSL link, you can pass $user:$password@ (in front of the $server part of the DSN).

HTH
~Steve

PS -> Still haven't been able to detect the user logged in, I figure I'll get them to log on the first time, and set a cookie with the md5 encrypted version of their password. Each time they reach the page, check the password & user with the LDAP server. If it changes, require them to log on again.

<?php

// #################################
// (@Author): Stephen March
// (@Date): July 3, 2003
// (@Description): LDAP query to see if a user belongs to the IACB group
// ######################################

require_once 'DB.php';

// ---------------------------------------------------
// Values for the LDAP Connection & Query.   Only
// modify these if you know what you are doing!
// ---------------------------------------------------
$server = "serverIP";
$base_dn = "ou=my_group,o=my_org";
$attrib_list = "";
$scope = "scope_one";
$filter = "cn=myname";

// ------[Create connection, and connect]=---------
$dsn = "ldap2://$server/$base_dn?$attrib_list?$scope";   

$ldap = DB::connect($dsn);

// ------------------------------------------------
// Quick and dirty error handling, just fail if 
// there's a problem, no need for an error message
// ------------------------------------------------
if (!DB::isError($ldap)) 
{
	$result = $ldap->query($filter);
	$row = $result->fetchRow(DB_FETCHMODE_ASSOC);

// ----------------------------------------
// Loop through each of the attributes
// ----------------------------------------
 while(list($attribute,$value) = each($row))
 {
   switch($attribute)
   {
     case "dn":
         $org = split(",", $value);
         $branch = str_replace("ou=","",$org[1]);
         break;

     case "sn":
     case "givenname":
         $fullname .= $value . " ";
         break;           
   }
   $found=true;
 }
}

$ldap->disconnect();

// ---------------------------------------------
// Display results, set cookies, whatever
// ---------------------------------------------
if(!$found)
  echo "Sorry, user not found!";
else
  echo "$fullname is a member of $branch<br/>"; 
?>

ksandom

I remember assisting someone with this sometime ago. The solutions available depend on your setup. Have a look at this. My post is at the bottom and should point you in the right direction.

What browser are you using?
Javascript will be the universal(ish) solution, vbscript might be a little easier.