PHP - is there any way to get client user name (AD) - php

I am developing a web based tool and planning for a role based access to the tool. Currently all the users who use this tool will access the tool web portal from their laptop after authenticating to it using active directory authentication.
My server side configuration is based on Apache webserver and PHP on an RHEL machine.
So is there any way to get the AD user ID of the user using which he logged into his laptop, so that I can allow him to access only those pages allowed for him.

I think you can use this
$userName= gethostname();

Related

Zend Server - Enable Windows Authentification / NTLM / Apache mod_authnz_sspi

So I have a Zend Server and I'm looking for a way to enable automatic authentification with Windows credentials.
I want to basically have the same result as if you would enable Windows authentification / NTLM on an IIS-Server or if you would install the Apache module "mod_authnz_sspi" on an Apache-Server. After enabling/installing this, both of these methods pass the credentials of the Windows user who is currently logged in to PHP variables.
These variables being: $_SERVER["REMOTE_USER"] or $_SERVER["PHP_AUTH_USER"] which will contain the username. Using getenv("USERDOMAIN") it is also possible to retrieve the domain name.
With these variables set, I was able to achieve a Single-Sign-On solution for applications on my site.
One of these applications is "osTicket". I used the following plugins: https://github.com/osTicket/osTicket-plugins/tree/develop/auth-ldap and https://github.com/osTicket/osTicket-plugins/tree/develop/auth-passthru .
So AuthPassthru will pass the above mentioned PHP variables to the LDAP-Plugin. The LDAP-Plugin will then connect to my Active-Directory server with a service user and look up if the Windows user from the passed PHP-variables is part of the domain. If yes, then the user will automatically be logged in.
The other one is the CMS Joomla. Here I was able to basically do the same thing with the plugins pkg_shplatform, pkg_ldap_sso_core and plg_sso_http. Again I would create a service user to connect to Active-Directory and lookup the user from the variables passed on by the "plg_sso_http"-plugin to then log them in automatically.
I did this on an Apache-server using mod_authnz_sspi.
But now I have to use a Zend-Server and to basically do the same thing there. The goal is to provide a Single-Sign-On solution where users will only log into their Windows account and are then automatically logged into every application on my site with the Active Directory server authenticating them.
If nobody knows a solution to do SSO this way on Zend-Server, if you have any idea on how to do it in a Kerberos way (or any other) that would help, too!

Docker on Apache, how to pass a variable to my PHP web app?

I have a PHP WebApp, built in a Docker Container and hosted on Apache Web Server.
This App is only used internally on intranet, and I'm trying to figure out a way to allow logins based on the Windows Username (Single sign on), but for Apache there are only a few solutions that are outdated.
So what I'm trying to do, I implemented in Docker a Login with LDAP, using this module:
RUN a2enmod authnz_ldap
So when the user tries to access the Web App, a popup will display asking to login.
This all works correctly, my next step, is to pass the Username the User inputs in that popup to my Web Application.
So then, my Web Application will use that username to manage the permissions, showing and hiding parts of the Web App.
So how do I pass that username to my Application? I'm pretty new with docker so I have no clue on how I could achieve this, could someone help me out?
If I understand this correctly the Apache serving your app is inside the Docker container. Then Docker is out of the equation and your question is reduced to How do I retrieve the user information of a user authenticated with Apache's mod_ldap?.

How to auto login a website using windows authentication on intranet?

I am hosting my site on xampp and want to auto login my website using LDAP. So as of now I use PHP to grab the windows current username and try to validate it with AD via ldap and it works.
But since PHP is server sided it only grabs current user of the system in which xampp is running how can I achieve it for every system connected via LAN. If I run it on any other system of intranet it shows the system's name which has xampp running on it.
Is there any way to grab windows current user details on the client side or is there any better and easy way for auto login.
Using the workstation-provided logon name is quite insecure -- there are ways to essentially spoof the logon information. When you trust the workstation's USERNAME value, you don't have any way to differentiate between "lisa logged into her domain named example.com" and "lisa logged into the official company domain named example.com". Possibly even "lisa logged into her computer in the workgroup she happened to name example.com".
Assuming you want users to be able to authenticate without having to enter their credentials, the secure path would be either to use federated authentication or the Kerberos token. If you have ADFS set up, federation auth can be acheived in PHP with Microsoft Graph. If the web server can communicate with the domain controllers, the web server can use Kerberos tokens and use the server version of the logged on username. See, as an example, this StackOverflow post.
Either way, users with existing Windows logons are able to authenticate to the website without typing credentials. Users who don't have existing Windows logons get prompted for creds.

Authenticating via LDAP for the current windows user's credentials?

We have an app that is hosted on our intranet in a Windows desktop using WAMP (W for Windows, P for PHP). We need to implement a new functionality - validate user's by using his / her windows logged in credentials whenever user visits our intranet site.
Here I lack some basic concepts of implementing it - how can I access current windows logged in user details in PHP.
Is there any way to detect out who the current user is and pass this users data for validation to our LDAP server for verification?
Take a look here : http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
Is 1 half of authentication.
Just a note apache needs to have KeepAlive On setting set.
It will give you current user's login/domain/workstation information.
If you need full NTLM authentication scheme support, your web server needs module for it.
Look here : http://modntlm.sourceforge.net/
and here : http://bloke.org/linux/ntlm-authentication-active-directory-on-apache-linux/
Inboth cases, URL needs to be in "Trusted zone" for IE and similar setup for firefox.
I would suggest you use mod_auth_sspi - Apache 2.x authentication module. It is very easy to setup.
Here is the homepage http://sourceforge.net/projects/mod-auth-sspi/
You can protect locations, folders, or specific files. You can allow/deny specific users, groups, domains etc.
I implemented this on a windows 2008 server running apache 2.2 and PHP 5.2 and it worked flawlessly for my SSO.

Sharepoint - where to get started with integrating to another site

We have a sharepoint instance on our network that we get automatically logged into by logging into Windows. (they do not get prompted to log in)
We have another web application that requires users to log in but it currently has it's own username/password setup.
Our goal is to get the other application (which we have built) to act the same way sharepoint does - if you are logged into windows it will log you right into the application.
Where do I start? (I assume this will require LDAP)
Any guidance would be greatly appreciated.
Our setup (windows):
Windows
IE7 & 8
Windows Active Directory managing users/password
Our setup (the other application):
RHEL (could be Windows Server if really necessary)
PHP 5
Apache
mySQL - username and password are stored in mySQL
Update:
Maybe a drawing would help: Look at this
You are looking to implement NTLM Authentication in the PHP application, see my prior answer on this:
Can a PHP intranet share Windows logins?
If your other web application uses Windows Integrated Authentication (NTLM or Kerberos authentication or even basic authentication) then it can act the same way. Depending on the browser, it can automatically remember and log into sites using one of these methods. Each browser may do it differently, though. IE has settings for automatically logging in based on the zone (Internet, Local intranet, trusted sites).
You would not necessarily need to have the have your other application use the same user store (AD/LDAP), but it would likely make sense.

Categories