Related
I have a PHP web application on an intranet that can extract the IP and host name of the current user on that page, but I was wondering if there is a way to get/extract their Active Directory/Windows username as well. Is this possible?
Check the AUTH_USER request variable. This will be empty if your web app allows anonymous access, but if your server's using basic or Windows integrated authentication, it will contain the username of the authenticated user.
In an Active Directory domain, if your clients are running Internet Explorer and your web server/filesystem permissions are configured properly, IE will silently submit their domain credentials to your server and AUTH_USER will be MYDOMAIN\user.name without the users having to explicitly log in to your web app.
I've got php mysql running on IIS - I can use $_SERVER["AUTH_USER"] if I turn on Windows Authentication in IIS -> Authentication and turn off Anonymous authentication (important)
I've used this to get my user and domain:
$user = $_SERVER['AUTH_USER'];
$user will return a value like: DOMAIN\username on our network, and then it's just a case of removing the DOMAIN\ from the string.
This has worked in IE, FF, Chrome, Safari (tested) so far.
Look at the PHP LDAP library functions: http://us.php.net/ldap.
Active Directory [mostly] conforms to the LDAP standard.
We have multiple domains in our environment so I use preg_replace with regex to get just the username without DOMAIN\ .
preg_replace("/^.+\\\\/", "", $_SERVER["AUTH_USER"]);
If you're using Apache on Windows, you can install the mod_auth_sspi from
https://sourceforge.net/projects/mod-auth-sspi/
Instructions are in the INSTALL file, and there is a whoami.php example. (It's just a case of copying the mod_auth_sspi.so file into a folder and adding a line into httpd.conf.)
Once it's installed and the necessary settings are made in httpd.conf to protect the directories you wish, PHP will populate the $_SERVER['REMOTE_USER'] with the user and domain ('USER\DOMAIN') of the authenticated user in IE -- or prompt and authenticate in Firefox before passing it in.
Info is session-based, so single(ish) signon is possible even in Firefox...
-Craig
You could probably authenticate the user in Apache with mod_auth_kerb by requiring authenticated access to some files … I think that way, the username should also be available in PHP environment variables somewhere … probably best to check with <?php phpinfo(); ?> once you get it runnning.
If you are looking for retrieving remote user IDSID/Username, use:
echo gethostbyaddr($_SERVER['REMOTE_ADDR']);
You will get something like
iamuser1-mys.corp.company.com
Filter the rest of the domain behind, and you are able to get the idsid only.
For more information visit http://lostwithin.net/how-to-get-users-ip-and-computer-name-using-php/
Use this code:
shell_exec("wmic computersystem get username")
Check out patched NTLM authentication module for Apache
https://github.com/rsim/mod_ntlm
Based on NTLM auth module for Apache/Unix
http://modntlm.sourceforge.net/
Read more at http://blog.rayapps.com/
Source: http://imthi.com/blog/programming/leopard-apache2-ntlm-php-integrated-windows-authentication.php
You can say getenv('USERNAME')
No. But what you can do is have your Active Directory admin enable LDAP so that users can maintain one set of credentials
http://us2.php.net/ldap
get_user_name works the same way as getenv('USERNAME');
I had encoding(with cyrillic) problems using getenv('USERNAME')
Referencing trying to also figure out if AUTH_USER is part of a particular domain group; a clever way to do this is t create a locked down folder with text files (can be blank). Set security to only having the security/distro group you want to validate. Once you run a #file_get_contents (<---will toss a warning)...if the user does not have group access they will not be able to get the file contents and hence, will not have that particular AD group access. This is simple and works wonderfully.
This is a simple NTLM AD integration example, allows single sign on with Internet Explorer, requires login/configuration in other browsers.
PHP Example
<?php
$user = $_SERVER['REMOTE_USER'];
$domain = getenv('USERDOMAIN');
?>
In your apache httpd.conf file
LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
<Directory "/path/to/folder">
AllowOverride All
Options ExecCGI
AuthName "SSPI Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOmitDomain On
Require valid-user
Require user "NT AUTHORITY\ANONYMOUS LOGON" denied
</Directory>
And if you need the module, this link is useful:
https://www.apachehaus.net/modules/mod_authnz_sspi/
try this code :
$user= shell_exec("echo %username%");
echo "user : $user";
you get your windows(AD) username in php
I tried almost all of these suggestions, but they were all returning empty values. If anyone else has this issue, I found this handy function on php.net (http://php.net/manual/en/function.get-current-user.php):
get_current_user();
$username = get_current_user();
echo $username;
This was the only way I was finally able to get the user's active directory username. If none of the above answers has worked, give this a try.
How do i check if php server allows connecting via curl to external sites before buying hosting package (or registering on free host)? I noticed that in some hosting reviews users were complaining that servers that have curl enabled often don't allow external connections...
I'd like to check this before purchasing/registering. Maybe there's some string in phpinfo which i can check (hosts sometimes link to their phpinfo so i don't need to be registered and create it myself) or something else i can do to check this without having account?
If I have to register first... maybe there are some phpinfo-like scripts with more extensive informations that i could upload and run to quickly test host?
Create a file like this:
<?php
phpinfo();
?>
or
<?php
echo "<pre>";
var_dump(curl_version());
?>
That will tell you instantly.
Also, most free hosts do not offer Curl by default, due to abuse by spammers.
You'll definitely need to buy an account before testing the server's capacities.
But some hosts allow you to test their site with a monthly contract or a XX days money back guarantee. From the top of my head, Host gator is such host.
Then when you have that account, try a small script like this (check the path to curl with your host helpdesk or documentation):
<?php
$var = echo shell_exec("/usr/bin/curl -L http://www.google.com");
?>
within PHP (XAMPP) installed on a Windows XP Computer Im trying to read a dir which exists on a local network server. Im using is_dir() to check whether it is a dir that I can read.
In Windows Explorer I type \\\server\dir and that dir is being shown.
When I map a network drive a can access it with z:\dir as well.
In PHP I have that script:
<?php if( is_dir($dir){ echo 'success' } ) ?>
For $dir I tried:
/server/dir
//server/dir
\server\dir
\\server\dir
\\\\server\\dir
and
z:\dir
z:\\dir
z:/dir
z://dir
But I never get success?
Any idea?
thx
I solved it by changing some stuff in the registry of the server as explained in the last answer of this discussion:
http://bugs.php.net/bug.php?id=25805
Thanks to VolkerK and Gumbo anyway!
I love stackoverflow and their great people who help you so incredibly fast!!
EDIT (taken from php.net):
The service has limited access to network resources, such as shares
and pipes, because it has no credentials and must connect using a null
session. The following registry key contains the NullSessionPipes and
NullSessionShares values, which are used to specify the pipes and
shares to which null sessions may connect:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Alternatively, you could add the REG_DWORD value
RestrictNullSessAccess to the key and set it to 0 to allow all null
sessions to access all pipes and shares created on that machine.`
add RestrictNullSessAccess=0 to your registery.
You probably let xampp install apache as service and run the php scripts trough this apache. And the apache service (running as localsystem) is not allowed to access the network the way your user account is.
A service that runs in the context of the LocalSystem account inherits the security context of the SCM. The user SID is created from the SECURITY_LOCAL_SYSTEM_RID value. The account is not associated with any logged-on user account.
This has several implications:
...
* The service presents the computer's credentials to remote servers.
...
You can test this by starting the apache as console application (apache_start.bat in the xampp directory should do that) and run the script again. You can use both forward and backward slashes in the unc path. I'd suggest using //server/share since php doesn't care about / in string literals.
<?php
$uncpath = '//server/dir';
$dh = opendir($uncpath);
echo "<pre>\n";
var_dump($dh, error_get_last());
echo "\n</pre>";
Try the file: URI scheme:
file://server/dir
file:///Z:/dir
The begin is always file://. The next path segment is the server. If it’s on your local machine, leave it blank (see second example). See also File URIs in Windows.
Yes, I know this is an old post, but I still found it, and if anyone else does...
On Windows, with newer servers, verify the SMB is installed and enabled on the target machine.
So maybe the documentation is out of date, or I am just off here. But I have done a slew of FB iframe apps (connect), but I am starting my first FB Connect site. Running it from localhost, and the Connect URL is http:// my_external_IP_address. When I click on the FB login button on my site, it pops up, says waiting for facebook, and it returns my site in that box, with the URL up top with the http:// mysite/?session={session key, user_id, etc.} The user_id is infact my FB id. And so it thinks I am logged in. If I close the popup, I'm not logged in. I'm not sure why the pop up isn't doing the normal fb connect dialog. I'm following these steps.
(I added spaces to the http:// as to not be detected as 'spam')
html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml"
right after <body> <script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php" type="text/javascript">
At the end, before the body close tag: script type="text/javascript">
FB.init("fbkey", "http://127.0.0.1/xd_receiver.htm");
I have tried using xd_receiver.htm, /xd_receiver.htm (and other combos), and that brings up a blank page. using the http://127.0.0.1 at least does something.
In my config file, which is called before all of those, it checks for a PHP session key
to see if they are logged in, if that doesn't exist it looks for a cookie, and if that doesn't exist it does this:
require_once('includes/facebook.php');
$facebook = new Facebook($fbkey, $fbsec);
$user_id = $facebook->get_loggedin_user();
if($user_id > 0){
$user = $ac->getUserFromFB($user_id);
$_SESSION['user_id'] = $user['user_id'];
}
The user_id is always empty when I echo it out to the screen to test. The session event never occurs as well. So I don't know what it is doing in the popup, but I think Facebook thinks it is logging me in. Not sure. Pretty stumped on this one. Any help would be appreciated. Thanks!
I've personally found the easiest way to deal with facebook connect is to use winscp to sync my localhost to a server with a domain somewhere. Since fb connect is attached to an application, that application needs to be bound to a domain, which is where the api key gets generated. Somewhere in there, your localhost isnt working, unsurprisingly.
I don't know for sure but I suspect the problem is due to you running on your local machine.
My guess is that the Facebook server won't be able to find your machine on 127.0.0.1 as that is a local ip address. You could try using somewhere like whatisyourip.com to get your actual remote ip and use that instead but even then you would need to make sure that you have the necessary port forwarding set up for the FB server to be able to get to your local machine.
All in all, for this kind of site I think it would be easier to develop on an external server rather than a local environment.
Incidentally, I don't have to enter the second parameter for FB.init() - I just use
FB.init(fbkey);
If you haven't already, you could try taking that out completely to see if it helps.
Also I think that the script tag to include the facebook FeatureLoader.js should be before your </head> tag not after the <body> tag
Try editing your hosts file to point a hostname (doesn't matter what it is, as long as you set it as the hostname associated with your app in the settings) to 127.0.0.1, and then restarting your browser and visiting your local app via the domain you set in the hosts file. This should allow you to test most FB-related features. The main exception will be the Like button, because it depends on Facebook's servers also being able to access your app at the domain in question.
Example hosts line:
127.0.0.1 www.example.com
If you add the above you your /etc/hosts and restart your browser, you can replace the "127.0.0.1" component of the URL you're testing with www.example.com and it will be as if the domain associated with your app were indeed www.example.com
I have a PHP web application on an intranet that can extract the IP and host name of the current user on that page, but I was wondering if there is a way to get/extract their Active Directory/Windows username as well. Is this possible?
Check the AUTH_USER request variable. This will be empty if your web app allows anonymous access, but if your server's using basic or Windows integrated authentication, it will contain the username of the authenticated user.
In an Active Directory domain, if your clients are running Internet Explorer and your web server/filesystem permissions are configured properly, IE will silently submit their domain credentials to your server and AUTH_USER will be MYDOMAIN\user.name without the users having to explicitly log in to your web app.
I've got php mysql running on IIS - I can use $_SERVER["AUTH_USER"] if I turn on Windows Authentication in IIS -> Authentication and turn off Anonymous authentication (important)
I've used this to get my user and domain:
$user = $_SERVER['AUTH_USER'];
$user will return a value like: DOMAIN\username on our network, and then it's just a case of removing the DOMAIN\ from the string.
This has worked in IE, FF, Chrome, Safari (tested) so far.
Look at the PHP LDAP library functions: http://us.php.net/ldap.
Active Directory [mostly] conforms to the LDAP standard.
We have multiple domains in our environment so I use preg_replace with regex to get just the username without DOMAIN\ .
preg_replace("/^.+\\\\/", "", $_SERVER["AUTH_USER"]);
If you're using Apache on Windows, you can install the mod_auth_sspi from
https://sourceforge.net/projects/mod-auth-sspi/
Instructions are in the INSTALL file, and there is a whoami.php example. (It's just a case of copying the mod_auth_sspi.so file into a folder and adding a line into httpd.conf.)
Once it's installed and the necessary settings are made in httpd.conf to protect the directories you wish, PHP will populate the $_SERVER['REMOTE_USER'] with the user and domain ('USER\DOMAIN') of the authenticated user in IE -- or prompt and authenticate in Firefox before passing it in.
Info is session-based, so single(ish) signon is possible even in Firefox...
-Craig
You could probably authenticate the user in Apache with mod_auth_kerb by requiring authenticated access to some files … I think that way, the username should also be available in PHP environment variables somewhere … probably best to check with <?php phpinfo(); ?> once you get it runnning.
If you are looking for retrieving remote user IDSID/Username, use:
echo gethostbyaddr($_SERVER['REMOTE_ADDR']);
You will get something like
iamuser1-mys.corp.company.com
Filter the rest of the domain behind, and you are able to get the idsid only.
For more information visit http://lostwithin.net/how-to-get-users-ip-and-computer-name-using-php/
Use this code:
shell_exec("wmic computersystem get username")
Check out patched NTLM authentication module for Apache
https://github.com/rsim/mod_ntlm
Based on NTLM auth module for Apache/Unix
http://modntlm.sourceforge.net/
Read more at http://blog.rayapps.com/
Source: http://imthi.com/blog/programming/leopard-apache2-ntlm-php-integrated-windows-authentication.php
You can say getenv('USERNAME')
No. But what you can do is have your Active Directory admin enable LDAP so that users can maintain one set of credentials
http://us2.php.net/ldap
get_user_name works the same way as getenv('USERNAME');
I had encoding(with cyrillic) problems using getenv('USERNAME')
Referencing trying to also figure out if AUTH_USER is part of a particular domain group; a clever way to do this is t create a locked down folder with text files (can be blank). Set security to only having the security/distro group you want to validate. Once you run a #file_get_contents (<---will toss a warning)...if the user does not have group access they will not be able to get the file contents and hence, will not have that particular AD group access. This is simple and works wonderfully.
This is a simple NTLM AD integration example, allows single sign on with Internet Explorer, requires login/configuration in other browsers.
PHP Example
<?php
$user = $_SERVER['REMOTE_USER'];
$domain = getenv('USERDOMAIN');
?>
In your apache httpd.conf file
LoadModule authnz_sspi_module modules/mod_authnz_sspi.so
<Directory "/path/to/folder">
AllowOverride All
Options ExecCGI
AuthName "SSPI Authentication"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOmitDomain On
Require valid-user
Require user "NT AUTHORITY\ANONYMOUS LOGON" denied
</Directory>
And if you need the module, this link is useful:
https://www.apachehaus.net/modules/mod_authnz_sspi/
try this code :
$user= shell_exec("echo %username%");
echo "user : $user";
you get your windows(AD) username in php
I tried almost all of these suggestions, but they were all returning empty values. If anyone else has this issue, I found this handy function on php.net (http://php.net/manual/en/function.get-current-user.php):
get_current_user();
$username = get_current_user();
echo $username;
This was the only way I was finally able to get the user's active directory username. If none of the above answers has worked, give this a try.