Transparent Active Directory Authentication with PHP+LDAP

jon3k

[before you flame, yes, I've done pretty extensive searching on the topic!]

The overall goal here is to restrict access to certain resources on our intranet website based on the groups to which a user belongs in a windows active directory domain.

From what I can tell, LDAP would be the best way to do it, and I don't see any problems there. Seems pretty straight forward: connect, bind, execute something, disconnect.

What I want to know is if there is anyway to performan transparent authentication, so it will use the current users login credentials to authenticate against the active directory domain. Or should I use NTLM authentication as opposed to authenticating via LDAP queries.

I'm trying to avoid users having to log in twice ... they have enough trouble logging in once, trust me 😃

maxpup979

Yes, you can authenticate against another domain using the authentication credentials of the current domain--We do it all of the time--since the user is logged into your domain, you already know their username and password, right?...pass those into the next LDAP domain (assuming that they are synched up), and if it doesnt return an error, you are set...

jon3k

Well, actually, the domain controller knows the credentials, not the webserver, and theres my problem.

How can I ask the domain controller the username of the currently logged in user, so I can query the active directory domain for the group to which that user belongs?

Already got smb setup and configured on the webserver (redhat9+apache+php), and it will already authenticate against the domain. So, both the webserver and the client will both be a member of the same domain.

Any idea how I can get that information from the domain controller?

jon3k

Bump - Anyone got an ideas? 😕

maxpup979

Im not sure if you can...You may need to rethink the way this is set up. I am also not sure how some of these interactions are occurring--Are you NOT validating the user through apache? Can you explain the user process in all of this...that may be where I am getting confused