Automatically Authenticate to Active Directory w/PHP 1

[digatle]

This is a relatively simple question but I'm lost as to how to do something like this or even if it is possible.

I have an Active Directory and am currently designing a simple php page. All I my index.php page has is the following:


=====================
<php
include 'menu.php'
?>
=====================

Since this is for our intranet my question is this. Is there a way for us to authenticate automatically since someone is already logged into the system and when they go to the site it takes them to their own &quot;group&quot; menu?

For instance I'm in the IT group. There are 20 other people in the IT group. When we launch our browser and go into our intranet it looks at who we are and says 'itmenu.php'.

We also have an administrator group. There are 3 of them. They belong to the ADMIN group. When they launch the browser and go to the intranet is says 'adminmenu.php'.

Is this possible?

Digatle

 

[sleipnir214]

When you say &quot;since someone is already logged into the system&quot;, does that mean the user has already authenticated to the website?

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[digatle]

No not to the website. When they log into the computer. I want it so that they don't have to put in their userid and password again since they just logged into the system. So when I come to a computer anywhere at our office and open the intranet up it automatically sends me to my menu.

If it would be easier what I can do is say something like the following:

Make four groups:

IT
SALES
MANAGEMENT
ADMIN

If I logon (I'm IT) I goto /it
If someone in Sales is logged on to the computer they goto /sales

But another step in this is actually I would like it to block them if say someone in SALES goes into the MANAGEMENT menu it forbids them.

Oh, and the admin is simply if user is apart of the ADMIN group give them an admin-block (as an include).

Digatle

 

[sleipnir214]

Unless I'm mistaken, your browser isn't aware of network logins that take place outside of the browser.


Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[digatle]

So I could do it if they just logged into the Intranet with their browser? That's what they &quot;don't&quot; want to do. Now what about this then:

If I say &quot;logon&quot; to the intranet can they use their logon userID and pwd for authentication or will they have to do the full AD name? Could we also possibly utilize cookies so that since we do roaming profiles the cookie stays with them until they delete the cookie and they have to logon again? If so, how would I code it so that based on their login I could say goto /it or /sales. Also keep in mind SALES can't access IT.

Digatle

 

[digatle]

Wait one other thought:

What if I setup so that the IE Homepage is /IT and /SALES for the individual group and use ldap to keep people out that way?

Digatle

 

[sleipnir214]

It's still first a matter of getting credentials in the right place. IE may have some ill-conceived &quot;feature&quot; whereby it can provide MS-network login credentials to a web browser -- other browser for sure won't. Or there may be an browser plugin. I don't know. In any regard, that's a browser question, not a PHP question.

After that, PHP can check credentials against Active Directory using LDAP.

Or perhaps you can just let your web server handle security.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[digatle]

While at lunch I was thinking the same thing. Here's what I need to figure out in PHP then.

Goto a logon page. Based on your login goto your page. How do I do this?

Digatle

 

[sleipnir214]

First, authenticate the user credentials against Active Directory using PHP's LDAP functions. One PHP user-defined class that might help is here:

http://www.markround.com/ldap.html

If the credentials match, you then need some way to match the user to the appropriate group. You might be able to get that from Active Directory (if even you have it available there) or you might create some method specific to your site.

Once you know the appropriate information which should be displayed, output it.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!!

 

[skiflyer]

sleipnir

Thanks for the link to the LDAP class... was looking for something just like this.

-Rob

 

[shadedecho]

I used to work for a huge global computer maker (who's name will be kept secret), and they had an intranet system where the webpage automatically had you &quot;logged in&quot; based on your windows login information. I think I only ever tested that on IE... and I think the pages used ASP. But there must be some sort of connection between the browser and the OS to get those credentials in.

i would be very interested in how this might be accomplished with PHP. many of my former employers have wanted PHP based intranet portals that were auto-logged in based on their computer logins. would be VERY nice to know how that was done.

 

[JediDan]

Well, I know this thread is old but in response to the last posted message, ASP does have a function to retrieve the Windows logon user name. You just call [tt]Request.serverVariables("Logon_User")[/tt].

I would love to have something like this in PHP. It would be useful for intranet sites where security is less important than convenience.

Any new ideas or thoughts on the subject are welcome!