I am trying to use a basic PHP page to create a new user in a Windows 2008R2 domain. However when ever I try to specify a password I receive a error stating that the server was unwilling to perform my request.
I was wondering if there is any other way to create a new domain user with PHP that will allow me to set the password of the user.
Thank you for your time!
It's completely possible. You need to connect to the Active Directory domain using LDAP(s), and authenticate with it using a user account that has enough privileges to create/modify user accounts within that domain. There are third party libraries/projects that exist that could take care of some of the leg work for you, but without that credentialed account, you'll never be able to accomplish this.
Related
I'm trying to create an intranet site where, if possible, all parts of it should be SSO in a way that a user who is logged into his Active Directory account in Windows would immediately be signed on with that same account in all pages of my site through LDAP.
Now the main component of this site is built with a CMS and from there the user should be able to click the links on this site to get to the other tools we're using, like for example the ticket system.
The CMS and the ticket-system software both are able to connect through LDAP themselves but I want a SSO solution for this.
So I searched and found this for the apache server: mod_authnz_sspi
This apparently lets you use $_SERVER['REMOTE_USER'] in PHP to get the windows user signed on right now.
Now I'm stuck since I'm not really sure how to use this to automatically log the user into the sites.
What do I have to do with this to get the SSO solution that I want?
I thought about creating a simple HTML form with the same fields like the one from the ticket-system form I'm trying to log into. I would then try to send the POST-data to the form of the ticket-system and log the user in automatically. For the username I would send $_SERVER['PHP_AUTH_USER'] and for the password $_SERVER['PHP_AUTH_PW']. However, the ticket system is protected with a CSRF-Token which I would have to include into the sent POST-data but can't know in advance since it is generated in the moment of accessing the page.
So it would be really helpful if someone could tell me how to get a SSO working with the mod_authnz_sspi tool (or another).
If there isn't any other way than through using a HTML-form that sends the POST data like I tried, then it would be helpful if someone knew a workaround to the CSRF-Token problem!
You can create an AUTH application that administrate your users (details, permissions, etc.). When an user access other application if it are not logged in redirect it to the AUTH application. AUTH application check user credentials, generate an access_token and redirect user back to the application that try to access. More info you find here https://www.mutuallyhuman.com/blog/choosing-an-sso-strategy-saml-vs-oauth2/
I am hosting my site on xampp and want to auto login my website using LDAP. So as of now I use PHP to grab the windows current username and try to validate it with AD via ldap and it works.
But since PHP is server sided it only grabs current user of the system in which xampp is running how can I achieve it for every system connected via LAN. If I run it on any other system of intranet it shows the system's name which has xampp running on it.
Is there any way to grab windows current user details on the client side or is there any better and easy way for auto login.
Using the workstation-provided logon name is quite insecure -- there are ways to essentially spoof the logon information. When you trust the workstation's USERNAME value, you don't have any way to differentiate between "lisa logged into her domain named example.com" and "lisa logged into the official company domain named example.com". Possibly even "lisa logged into her computer in the workgroup she happened to name example.com".
Assuming you want users to be able to authenticate without having to enter their credentials, the secure path would be either to use federated authentication or the Kerberos token. If you have ADFS set up, federation auth can be acheived in PHP with Microsoft Graph. If the web server can communicate with the domain controllers, the web server can use Kerberos tokens and use the server version of the logged on username. See, as an example, this StackOverflow post.
Either way, users with existing Windows logons are able to authenticate to the website without typing credentials. Users who don't have existing Windows logons get prompted for creds.
I'm currently making an app with React Native and I need to perform some HTTP requests on PHP files, that are hosted on a CPanel file manager.
So I need to put the link in my request, but the problem is that it includes a security token when I sign-in on the website to see these files.
As it is changing every time, I guess that I need to get this token in my app and use it to perform the requests.
I browsed the documentation of CPanel to find a way but I can't figure it out.
Thanks in advance for your help
The easiest method without domain-pointing is access by hosting IP and your username account on that hosting. Example:
http://XXX.XXX.XXX.XXX/~username/yourapifile.php
where XXX.XXX.XXX.XXX is your hosting IP and username is your username account (with ~ prefix).
On my local server I have written a script that takes a username & password and confirms it is valid against my LDAP server.
I have a web site professionally hosted on a remote server. I have a CMS on the remote server and I would like users to use their LDAP credentials to gain access to that CMS.
My plan is to have a login form on the remote server. The form will POST the username/password to itself using https. It will then use CURL to POST the username/password again but this time across the internet to my local server, again using https. My local server will be setup to provide a simple "TRUE" or "FALSE" as a response. If the remote server gets back TRUE, session variables are set to permit access.
Security-wise, is this a safe practise. Should I consider another way?
note: I'm not particularly proficient with cURL but I think I can figure out how to do the above.
LDAP - Lightweight active directory protocol which is used to communicate with your active directory server.
LDAP is there only to authenticate & access AD server in most secure way.
Here is the solution for problem :
Customize existing login functionality of your CMS in a way like - If user his details check with AD server using LDAP whether user is exist in AD, if yes update his credential to your DB(Also keep flag that user is AD enabled), if user is present is AD & not there in your DB create that one.
Likewise after some time al your user from AD server will migrate to your DB & you are not required to keep seperate application to for user migration.
Also every time authenticating with AD is best to provide security but its all up to you, because after migration of all user you can remove this functionaity.
I'm developing an online application that will have many outside users. As for now my connection method is to host a centralized database for all users, while they connect from their own server files.
Method:
PHP Connection File (hosted on their server; file provided by me) >> Connects to my MySQL Database
Now obviously I need to provide my database user and pw info, but I know that questions security.
So to my point, how would I provide database access to outside users(different servers) without giving up security.
Or if someone has a better method I'd love to hear it. Thanks!
Create an API in php, sort of webservice with an interface that you define and host this API on your server.
Each user (script that runs on users server and uses your API) needs a personal API key or access code they need to register to the webservice.
Take a look at well known API's like Google maps or something similar. Oh even stackoverflow has one
Create a signup form for users and store their own UserID and Password in a table on your site. Then create a PHP interface for them to upload their files. That way, you need only validate thier own UserID and Password through a HTML/PHP form to allow them to sign in, and your MySQL creds stay safely hidden.