Is it possible to use a Windows session to authenticate a user so that my Apache httpd/PHP web application won't require additional authentication? I would want to know from the Windows session who the user is so I can restrict functions on a per user basis, but I don't want the user to have to log in again.
I see some articles about using LDAP from Apache, but it's not clear to me if that just lets me verify the login information after requesting credentials or if it allows me to make the login seamless/invisible...
What you looking for is basically impossible (or almost impossible). You want your Apache to be able to access Windows session. Apache speaks through HTTP protocol only. Browser in your Windows is the one who speaks HTTP. There nothing in HTTP what can instruct your browser to ask Windows session user name. The only way around it to have JS embedded in your page. But again your browser will prohibit your page from getting this information. Why? Because it is ENORMOUS SECURITY THREAT!
There nothing in HTTP request from a browser what can tie it up with particular Windows session and hence it cannot be done.
Related
So I have a Zend Server and I'm looking for a way to enable automatic authentification with Windows credentials.
I want to basically have the same result as if you would enable Windows authentification / NTLM on an IIS-Server or if you would install the Apache module "mod_authnz_sspi" on an Apache-Server. After enabling/installing this, both of these methods pass the credentials of the Windows user who is currently logged in to PHP variables.
These variables being: $_SERVER["REMOTE_USER"] or $_SERVER["PHP_AUTH_USER"] which will contain the username. Using getenv("USERDOMAIN") it is also possible to retrieve the domain name.
With these variables set, I was able to achieve a Single-Sign-On solution for applications on my site.
One of these applications is "osTicket". I used the following plugins: https://github.com/osTicket/osTicket-plugins/tree/develop/auth-ldap and https://github.com/osTicket/osTicket-plugins/tree/develop/auth-passthru .
So AuthPassthru will pass the above mentioned PHP variables to the LDAP-Plugin. The LDAP-Plugin will then connect to my Active-Directory server with a service user and look up if the Windows user from the passed PHP-variables is part of the domain. If yes, then the user will automatically be logged in.
The other one is the CMS Joomla. Here I was able to basically do the same thing with the plugins pkg_shplatform, pkg_ldap_sso_core and plg_sso_http. Again I would create a service user to connect to Active-Directory and lookup the user from the variables passed on by the "plg_sso_http"-plugin to then log them in automatically.
I did this on an Apache-server using mod_authnz_sspi.
But now I have to use a Zend-Server and to basically do the same thing there. The goal is to provide a Single-Sign-On solution where users will only log into their Windows account and are then automatically logged into every application on my site with the Active Directory server authenticating them.
If nobody knows a solution to do SSO this way on Zend-Server, if you have any idea on how to do it in a Kerberos way (or any other) that would help, too!
I run a computer lab for grade schoolers (3-14 y.o.) and would like to create a desktop/dashboard page consisting of a number of iframes, each pointing at a different external website
(for which we have created individual accounts for each child); and when a kid logs in (to the dashboard) a script will log her in to those websites, so she does not have to.
I have 1 server and 20 workstations, I'll refer to them as 'myserver' and 'mybrowser'(s) respectively. All these behind the same router (dynamic IP).
A kid gets on a 'mybrowser' workstation, fires up Firefox and runs desktop.php (hosted in 'myserver') and gets a login screen (for 'myserver')
'mybrowser' ---http---> 'myserver'
Once logged in, 'myserver' will retrieve a set of username and password stored in its database and run a CURL script to send those to an 'external web server'.
'mybrowser' ---http---> 'myserver' ---curl---> 'external web server'
SUCCESSFUL, well, I thought.
Turns out CURL, being run off 'myserver', logs in 'myserver' instead of 'mybrowser'.
The session inside the iframe, after refresh, is still NOT logged in. Now I know.
Then I thought of capturing the cookies from 'myserver' and set it into 'mybrowser' so that 'mybrowser' can now browse (within the iframe)
as a logged in user. After all, we (all the 'mybrowsers') are behind the same router as 'myserver', thus same IP address.
So in other words, I only need 'myserver' to log a user in to several external websites all at once ,and once done pass the control over back to individual users' browsers.
I hope the answer will not resort to using CURL to display and control the external websites for the whole session, aside from being a drag that will lead to some other sticky issues.
I am getting the nuance that this is not permitted due to security issues, but what if all the 'mybrowsers' and 'myserver' are behind the same router? Assuming there's a way to copy the login cookies from 'myserver' to 'mybrowsers', would 'external web server' know that a request came from different machines?
Can this be done?
Thanks.
The problem you are facing relates to the security principles of cookies. You cannot set cookies for other domains, which means that myserver cannot set a cookie for facebook.com, for example.
You could set your server to run an HTTP proxy and make it so that all queries run through your server and do some kind of URL translation (e.g. facebook.com => facebook.myserver) which then in return allows you to set cookies for the clients (since you're running on facebook.myserver) and then translates cookies you receive from the clients and feed them to the third party websites.
An example of a non-transparent proxy that you could begin with: http://www.phpmyproxy.com/
Transparent proxies (in which URLs remain "correct" / untranslated) might be worth considering too. Squid is a pretty popular one. Can't say how easy this would be, though.
After all that you'll still need to build a local script for myserver that takes care of the login process, but at least a proxy should make it all possible.
If you have any say in the login process itself, it might be easier to set up all the services to use OpenID or similar login services, StackOverflow and its sister sites being a prime example on how easy login on multiple sites can be achieved.
I have a PHP web application (running on Apache/Linux) that, among other things, allows some browsing of local files on the web server. Since Apache is running as a special "www" user, PHP has access to everything that "www" can access, whichever user is logged into the application.
What is the best way to limit the access to files according to the Unix filesystem privileges for the logged-in user? Ideally, I could spawn off a new process with user ID being the logged in user, but I'm not sure if that's possible. Alternatively, is there a standard PHP library somewhere that will do the permission checking and access the files?
I don't get what you mean because the user that access the files is the PHP users, not a generic user that request your page (you are not connecting to your server with SSH)
You may want to implement an ACL on top of your application to manage this rights.
And of course Zend has the solution: http://framework.zend.com/manual/en/zend.acl.html
You may take a look over http://httpd.apache.org/docs/2.0/suexec.html it should do what you need, without the need to keep a separate lsit of users and permissions in your aplications.
As far as i know, this extension is implemented on some(if not all) shared hosting services to control how resources are divided between users.
This will lead to scripts not getting executed by www-data(but by the system user), and PHP not running as a module(by CGI/fastCGI mechanisms).
This can be accomplished via a three-step process:
Create a rewrite rule (via .htaccess or the Apache config file) to redirect all requests for your "local files" to a PHP script.
Check the authentication status of the user in the script.
Use the script to load and output the file if the user is authenticated.
We have a sharepoint instance on our network that we get automatically logged into by logging into Windows. (they do not get prompted to log in)
We have another web application that requires users to log in but it currently has it's own username/password setup.
Our goal is to get the other application (which we have built) to act the same way sharepoint does - if you are logged into windows it will log you right into the application.
Where do I start? (I assume this will require LDAP)
Any guidance would be greatly appreciated.
Our setup (windows):
Windows
IE7 & 8
Windows Active Directory managing users/password
Our setup (the other application):
RHEL (could be Windows Server if really necessary)
PHP 5
Apache
mySQL - username and password are stored in mySQL
Update:
Maybe a drawing would help: Look at this
You are looking to implement NTLM Authentication in the PHP application, see my prior answer on this:
Can a PHP intranet share Windows logins?
If your other web application uses Windows Integrated Authentication (NTLM or Kerberos authentication or even basic authentication) then it can act the same way. Depending on the browser, it can automatically remember and log into sites using one of these methods. Each browser may do it differently, though. IE has settings for automatically logging in based on the zone (Internet, Local intranet, trusted sites).
You would not necessarily need to have the have your other application use the same user store (AD/LDAP), but it would likely make sense.
I have created some PHP-based intranet resources that require users to log in. The users create their own logins, and I verify that they are logged in using a cookie.
I've been asked if I can tie that login to their Windows login instead. My initial response was "a web page cannot access your Windows login - that would be a security risk." But one of our departments uses Sharepoint, and it does in fact tie itself to the Windows login.
How is that done? Can I do it in PHP? If so, why is it not a horrible security hole?
What you are looking for is NTLM authentication against the PHP website, which is perfectly doable but seems there is no single way in PHP to do it.
Have a look at http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/
You also need to add the sites to your trusted sites in IE (or the equivalent in whichever browser you are using) and in the settings for trusted sites, turn on 'send current username and password'.
Its not a horrible security hole because the credentials are not sent en clair over the wire, and the end user has specifically told the browser to send credentials to the website in question.
PHP has LDAP support, so you can access Windows' Active Directory
There is this project on SourceForge:
adLDAP - "LDAP Authentication with PHP for Active Directory"
Often times this is done using a combination of LDAP and NTLM. Browsers like IE and Firefox can do NTLM authentication, which I believe is how Sharepoint works. I run a Java-based portal application that uses LDAP for syncing users and NTLM for authentication.
What you absolutely do not want to do is have the user enter their domain username and password into the browser. In years past I've seen several projects using this approach with LDAP to authenticate Windows users. You're correct, it is a security concern. The user should enter his or her password only once: when logging in to the workstation. The last thing you want are passwords sitting around in cache / temp files.
I apologize that I can not provide a "here's how you do it with a PHP app" answer. As far as I know, there is no one answer to this problem.
(One thing I have done in the past, and I never really checked to see if it was valid or poor form, was to use PHP from IIS. If you're using IIS, then PHP will populate the server variable REMOTE_USER with the Windows user's username (DOMAIN\user). It worked for what I was doing at the time.)