  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 806

PHP login page to authenticate against active directory

Hi Experts

I have PHP with LDAP enabled on IIS7.
I have the school intranet with icons to different web applications which, when users click, they are taken to the login page of the web application where they have to supply their Active Directory username and password.
Web application list:
-googleApps,
-moodle,
-etc

Now what I want is to create a PHP login page that has a form that will authenticate users against Active Directory credentials. When a user supplies a wrong username and password they should see a message displayed, "please enter correct username or password", and if the user is authenticated they should be redirected to the intranet page, and when they click an icon to a web application they should be automatically logged in since they would have supplied the correct username and password on the PHP login page. So this PHP login page should essentially store/hold the user credentials and push them to other web applications.

Can I please have detailed PHP code to do this and information on how I can get other web applications to use this PHP login page as the login page instead of the web application's default login?

Waiting to hear your quick response, experts.
Thanks
0
Asked by: TePukeHighSchool
1 Solution
 
Ray Paseur Commented:
I cannot help with the LDAP part, but I can show you the general design pattern for PHP client authentication.  Your task would be to remove the calls to the database and substitute the calls to the LDAP authentication.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 
mrh14852 Commented:
If your server is joined to the domain then IIS7 does this natively.  Just enable AD authentication in IIS7, no PHP code required.  It will also prompt if the user/pass is incorrect.

However if you want to do further LDAP info lookups you can grab the user name and do the lookups with simple code like this.

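<?php
// With Windows authentication enabled, IIS exposes the authenticated
// account in AUTH_USER, usually in the form DOMAIN\username.
$user_creds  = $_SERVER['AUTH_USER'] ?? '';
$user_domain = '';

if (preg_match('/\\\\/', $user_creds)) {
    // Split DOMAIN\username into its two parts.
    $user_info   = explode('\\', $user_creds, 2);
    $user_domain = $user_info[0];
    $user_name   = $user_info[1];
} else {
    // No domain prefix: the whole value is the user name.
    $user_name = $user_creds;
}

// doLDAPLookup() is not defined here; it stands for your own lookup function.
doLDAPLookup($user_name);
?>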


0
 
TePukeHighSchool (Author) Commented:
@Ray_Paseur, thanks for the reference; I will look into it and get back. But I want to push credentials to other web applications, so how does your code do that? Questions though...

1) Using your solution, I will need the
- config page which will do the connection to the database.
- login page where users will supply Active Directory credentials.
- logout page that users will view when they log out.

2) Are these all the pages I need to authenticate users?
3) So after I authenticate users, how can I make the users be redirected to the intranet page?
4) Also, how do I make the login page push the login credentials to other web applications?


@mrh14852, thanks for the help. I have questions:
1) When you say just enable AD authentication in IIS7, what do you mean? Do you mean Windows authentication?
2) In light of your answer above, do the intranet and Moodle need to be hosted on the same server in order to do what you said? What if I am using a clean server with nothing on it and all I want is to use it to create authentication on behalf of other web applications? Please explain clearly.
3) Please further explain your answer and inform me of the setup in regards to your answer and how it will all work.

Thanks
0
 
mrh14852 Commented:
1) Enable Windows authentication, but your server needs to be joined to the domain.

2) No.  Once you are enabled then it doesn't matter where you go from there; however, I highly suggest you look into the use of PHP sessions.  This way, once the user is authenticated, you can store the username and password in a session and use it anywhere.

3) There is no setup really...just enable Windows authentication in IIS.
0
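Added example, not code from any poster in this thread: a PHP login page that follows the pattern discussed above, with the database check replaced by an LDAP bind against Active Directory, followed by a PHP session and a redirect. The LDAP URI, UPN suffix and redirect path are assumptions; this example keeps only the username in the session.

```php
<?php
// Added example: host, domain suffix and redirect path are hypothetical.
const LDAP_URI   = 'ldaps://dc.example.test';  // assumption: DC reachable over LDAPS
const UPN_SUFFIX = '@example.test';            // assumption: AD UPN suffix

function ad_authenticate(string $user, string $pass): bool
{
    // An empty password can make the directory treat the bind as anonymous
    // and report success, so reject it before contacting the server.
    if ($user === '' || $pass === '') {
        return false;
    }
    // Accept plain account names only; this keeps LDAP metacharacters and
    // alternate "DOMAIN\user" or "user@other" forms out of the bind identity.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Bind as the user; success means the directory accepted the password.
    $ok = @ldap_bind($conn, $user . UPN_SUFFIX, $pass);
    ldap_unbind($conn);
    return $ok;
}

session_start();
$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    if (is_string($user) && is_string($pass) && ad_authenticate(trim($user), $pass)) {
        session_regenerate_id(true);     // fresh session id after login
        $_SESSION['user'] = trim($user); // keep the identity, not the password
        header('Location: /intranet/');  // assumption: intranet landing page
        exit;
    }
    $error = 'Please enter correct username or password';
}
?>
<form method="post">
  <p><?= htmlspecialchars($error) ?></p>
  <input name="username"> <input name="password" type="password">
  <button>Log in</button>
</form>
```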
 
Ray Paseur Commented:
The config, login, and logout pages are all in the article.
0
 
TePukeHighSchool (Author) Commented:
@Ray, thanks for the reply. Yes, I know you have all those pages in your article; my question was, since I am using LDAP, will I need just those 3 pages?
Also, you did not answer questions 3 & 4; would you mind answering those please?

##################################################################################
@mrh14852, thanks for the reply.
Your answer 2: when you say PHP session, do you mean using a form with a session? Sorry, can you clearly explain how I can go about that, and if possible attach sample code and fully explain step-by-step, because I am left with more questions than answers. Thanks.
Answer 3: if I set up Windows authentication on IIS, then what after that? I thought that only works for sites that are listed under websites in IIS7? I think I am confused... I have more questions than answers. Please take some time to fully explain what you mean by your answers and give me step-by-step what I have to do in regards to the question I have asked above. How will enabling Windows authentication on IIS7 make websites hosted on a different web server use the Windows authentication on my server? If I use a PHP session, how do I write the script and where should I store it [obviously in inetpub\wwwroot on my web server], and what relation will the script have with other websites? Please explain fully and clearly. Thanks.
0
 
mrh14852 Commented:
You explained it yourself in your original question.  You want them to go to a "login page" to authenticate with AD and once authenticated then they can go to their other sites.

You don't need any PHP code for this...you don't even need LDAP.  Just add your server's computer to AD and in DNS and join it to the domain.  Enable Windows authentication in IIS and that's it...no other configuration required.  The user will have no choice but to authenticate with your web server and it will only allow users in the domain.
0
 
Ray Paseur Commented:
I do not know the answers to questions 3 & 4.  I think if I were facing this challenge (single sign-on for different applications in different networks) I would need to set up some kind of authentication hook for each app.  It's probably a big enough task that you might consider hiring a consultant to help.
0
 
TePukeHighSchool (Author) Commented:
OK
Thanks
0
 
TePukeHighSchool (Author) Commented:
Thanks
0
