Hi everyone. I am a noob to LDAP and I have a question.
I am on a team that is building a special server. This server will be running Linux with an Apache web server with PHP, and Apache is running a special website that we designed.
I need to have the website be able to query LDAP servers for web authentication. So when a user connects to this special web server, they are prompted for a user name and password. Then I want to have the website check the LDAP server to make sure that the user is indeed a user of the website on our special server. So in a sense our special server will be an LDAP client.
So my question is??? Is an LDAP client to be run as a Daemon or service? Is this what OpenLDAP provides? Or can I simply use function calls (from PHP or C) from the OpenLDAP library for the authentication?
Basically all I need is...
The user brings up the web page. The user enters in the user name and password. The server uses PHP or C to check to see if the entered information matches an LDAP server. The web grants or denies access. The LDAP server connection is closed.
No other actions or information from the LDAP server is needed.
Do I have the right idea?
thanks
Check this out :)
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
On Tuesday, 22 June 2010 00:37:41 Bryan Boone wrote:
> Hi everyone. I am a noob to LDAP and I have a question.
> I am on a team that is building a special server. This server will be running Linux with an Apache web server with PHP, and Apache is running a special website that we designed.
> I need to have the website be able to query LDAP servers for web authentication. So when a user connects to this special web server, they are prompted for a user name and password. Then I want to have the website check the LDAP server to make sure that the user is indeed a user of the website on our special server. So in a sense our special server will be an LDAP client.
> So my question is??? Is an LDAP client to be run as a Daemon or service?

No daemon is necessary.

> Is this what OpenLDAP provides?

OpenLDAP provides libraries, a server, and some command-line client utilities.

> Or can I simply use function calls (from PHP or C) from the OpenLDAP library for the authentication?

Yes, you can use php_ldap or similar, or you can have your application rely on the web server to do the authentication. Apache has an authentication module for LDAP.

> Basically all I need is...
> The user brings up the web page. The user enters in the user name and password. The server uses PHP or C to check to see if the entered information matches an LDAP server. The web grants or denies access. The LDAP server connection is closed.
> No other actions or information from the LDAP server is needed.

Well, you said you need to "make sure that the user is indeed a user of the website". Are all users in the LDAP directory users of the website? If not, you may need a little bit more ...
Regards, Buchan
Bryan,
Frankly though, I wonder if OpenLDAP is the right solution for your problem (see OpenID or perhaps just something simple set up in MySQL - [encrypt those passwords! ><] - which you're likely using /anyway/), but moving on...
Apache has pretty good LDAP support - I use it to control access to our Subversion repo base:
    <Location /svn>
        DAV svn
        SVNParentPath /svn
        SVNIndexXSLT "/svnindex.xsl"
        SVNListParentPath On
        SVNReposName " Subversion Repository"
        SVNAutoversioning On
        AuthType Basic
        AuthName " Subversion Repository"
        # Authenticate against LDAP over TLS; users are looked up by uid
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative Off
        AuthLDAPURL "ldaps://ldap-vip.corp.example.net:636/DC=example,DC=net?uid?sub?(objectClass=*)"
        # Only users listed (by memberUid) in this group are allowed in
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        require ldap-group CN=repos,OU=groups,DC=example,DC=net
    </Location>
(I have further defined groups/access for each repo underneath /svn)
But this is starting to step "Off Topic" - this is just Apache + SVN (via DAV). I'm fairly certain PHP's level of support would be about the same if not better.
Once you've got OpenLDAP up and running and can do basic stuff via ldapsearch/ldapadd/etc, then move on to getting PHP code to work.
Good luck! - chris
PS: http://php.about.com/od/finishedphp1/ss/php_login_code.htm has a decent article that would seem to apply. It doesn't use ldap in any flavor, but if this user db will only be used by PHP, then it would seem appropriate.
Hi Bryan, The LDAP client does not need to be run as a daemon or service. An LDAP server provides a standards-based protocol which you can use to access information stored in an LDAP database, so an API call via PHP or whatever will get you the information you require regardless of the type of LDAP server.
It might be worthwhile to investigate how connections are handled by PHP. What I mean is that if your web app is going to do a high volume of authentication then it might be more effective to keep a connection open rather than creating a new connection for each authentication request.
Regards
Apache does all this for you. See: http://httpd.apache.org/docs/2.1/mod/mod_authnz_ldap.html
Jonathan
Bryan,
Bryan Boone wrote on 22.06.2010 01:37:

> So my question is??? Is an LDAP client to be run as a Daemon or service? Is this what OpenLDAP provides? Or can I simply use function calls (from PHP or C) from the OpenLDAP library for the authentication?

Just search the web for "php ldap". It is pretty basic (if you have the openldap server up and running for authentication).

> Basically all I need is...
> The user brings up the web page. The user enters in the user name and password. The server uses PHP or C to check to see if the entered information matches an LDAP server.

This is ldap bind.
Marc
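
The bind check mentioned above, combined with the "is this person a user of the website" question raised earlier in the thread, as an added example that is not code from any poster here. The server URI, base DNs, service account and group name are assumptions; the memberUid group layout mirrors the Apache configuration posted earlier.

```php
<?php
// Added example: search-then-bind login with a group check.
// Host, DNs and the service account are placeholders (assumptions).
const LDAP_URI   = 'ldaps://ldap.example.net:636';
const USER_BASE  = 'ou=people,dc=example,dc=net';
const GROUP_DN   = 'cn=website,ou=groups,dc=example,dc=net';
const SERVICE_DN = 'cn=webauth,ou=services,dc=example,dc=net';

function ldap_login(string $user, string $password, string $servicePw): bool
{
    // A DN with an empty password is an "unauthenticated bind" that some
    // servers accept, so never pass an empty password to ldap_bind().
    if ($user === '' || $password === '') {
        return false;
    }
    $ld = ldap_connect(LDAP_URI);
    if ($ld === false) {
        return false;
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ld, LDAP_OPT_NETWORK_TIMEOUT, 5);
    try {
        // 1. Bind as a low-privilege service account to look the user up.
        if (!@ldap_bind($ld, SERVICE_DN, $servicePw)) {
            return false;
        }
        // 2. Escape the login name so it cannot rewrite the search filter.
        $filter = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
        $res = @ldap_search($ld, USER_BASE, $filter, ['uid'], 0, 2);
        if ($res === false || ldap_count_entries($ld, $res) !== 1) {
            return false;                       // unknown or ambiguous user
        }
        $entry  = ldap_first_entry($ld, $res);
        $userDn = ldap_get_dn($ld, $entry);
        $uid    = ldap_get_values($ld, $entry, 'uid')[0];
        // 3. Authorization: is this uid a memberUid of the website group?
        $member = '(memberUid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
        $grp = @ldap_read($ld, GROUP_DN, $member, ['cn']);
        if ($grp === false || ldap_count_entries($ld, $grp) !== 1) {
            return false;
        }
        // 4. The password check itself: bind as the user's own DN.
        return @ldap_bind($ld, $userDn, $password);
    } finally {
        ldap_unbind($ld);                       // close the connection either way
    }
}
```

The function returns true only when the user exists exactly once, is in the group, and the bind with the supplied password succeeds; every other path fails closed.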