Is it possible to know the login history of a user through LDAP? I'm trying to find a way bit so far I can only get the lastLogon and lastLogout.
Regards,
Elkas
It depends on LDAP backend.
You put windows-server-2008 tag, so I expect you mean MS Active Directory or AD-LDS instance (aka ADAM).
If so, you can query security event log on LDAP server (DC), if security auditing is on (as of default is on).
You will need pretty high privilege to do this,so first ask domain admins to grant this permission.
You can forgot for PHP or maybe you find some pecl package to read windows event log records.
If you will able to read security event log, you need to filter out lot of data like logon type (you will be interested in network-logon).
However, depends on load of domain controller and number of active user accounts in AD, it will take lot of time to do this.
Related
My server wont allow users to write files in php, for as far as I looked this has to do with user permissions. But solving this causes a major security flaw. More information about these solutions can be found here php won't create file and here How do I give PHP write access to a directory?
So my question is instead of changing the servers permissions, is it possible to change the user's permission or permission group only after he logs into the application? In php terms after running the login() function.
I want this because I am developing an application that is an extension on the admin panel of askozia(a call center). Where each user can change and see its own data, without being able to change and see the admin settings and the data of other users. However all this data is not saved in a database but in an XML-file, so users need to be able to write to this XML-file.
You should not change the User (Which would be a bigger security hole). You want some rights for your current user.
For Windows:
http://technet.microsoft.com/en-us/library/bb727008.aspx
For Linux
http://www.computerhope.com/unix/uchmod.htm
Don't forget: The useraccount for your webserver is not the user in front of the website. You have to care about the "website viewers" permission. But your webserver account, should have all rights he need. If you would change the user, it would be the same.
The permissions that are given on the filesystem are from the user that is running the PHP instance. You cannot change the permission on runtime, but you can start a different application under a different user using sudo on *nix (and runas under Windows) to create, modify and read files.
You can check the 'web user' when it's trying to change a file to prevent malicious modifications when you want to use the standard PHP file operations (but this still requires the PHP instance to have write permissions on the file).
I used to work for a bank, that had a very cool feature in it's intranet. Once you logged in your computer, there were global variables set in PHP through Apache, and they contained the identity of the user that was logged on on the computer. Now I'm at a new job, and I'm wondering, how this thing worked! I would like to implement this kind of thing once again.
What I'm working with here:
FreeBSD server, version is unknown to me.
Apache 2.2 web server
PHP 5, some custom compilation, that for various reasons, I can't upgrade or modify.
MS AD
All of the users logging on to their computers are using active directory, all are in the same domain.
What I used to have was something like this:
echo $_SERVER['username']
which would print the username of the user currently logged in.
Could someone explain, how this could be done?
P.S. If any of my server settings are not what is required, say so, because then I will have a reason to ask the bosses to give me one of my own, with more control.
There's lots of ways this might be implemented. However a lot of them depend on having control over the client as well as the server.
Obvious sources of data include:
NTLM
Client side certificates
The Ident protocol (not very secure without the encryption extensions)
A long lasting cookie (again, not secure)
HTTP authentication methods
However none of these explain how the value appeared in the session - this must have been implemented within the PHP code.
So without knowing how it was implemented at your previous site we can't tell you:
Whether it was secure and correctly implemented
how to replicate the behaviour
Given your resource list, while it would be possible to implement authentication based on direct LDAP calls, passing the username and password through your application, I would strongly recommend using (e.g.) openId - but restricting the providers to just your openid provider - which would use the MSAD as the backend.
I did not understand correctly the question, so I edit my post...
you could use apache auth, you can make auth by ip's or hostnames
http://httpd.apache.org/docs/2.0/en/howto/auth.html
I am currently working on 2 web servers, One Coldfusion and the other PHP.
Right now, the Coldfusion server is my main server where users log in to access restricted data.
However, I have also begun using a PHP server and want to make it transparent for users to access a specific page on that server - that server requires log in information as well.
I do not want the users to log in twice.
Is there a way to accomplish this ?
Thx
UPDATE: Working in an Intranet environment, so I can't use any public solution.
UPDATE: Reason I am asking for this is because we are moving from a MSQL / Coldfusion environment (Initial server) to a PHP / ORACLE (new server). So I have 2 user tables as well (although they contain mostly the same information).
I am trying to faze out the use of our initial server in favor of our new server transparently to the user and thus I have to work in parallel for the time being.
Most single-sign-on solutions work a bit like this...
Main system authenticates use
User opts initiates a need to move to system 2
Main system authenticates the user with system 2 in the background
System 2 supplies a random, long and disposable token to Main system
Main system redirects the user, with the token, to system 2
System 2 checks the token (and other factors such as IP address) to validate the session
System 2 disposes of the token to ensure it can't be replayed
You would want to ensure that the transmission channels had some security on, especially where Main system and system 2 are talking to each other. You would want that to be a secure transport.
Store sessions in a database, and share them between the two apps.
You could use xml-rpc to get user data and log the user into the other site when they have a login cookie for the first one and vice versa.
Php manual page for XML-rpc
Here is what I have done, in running my own game server, had users on sql server, and on mysql, and wanted to integrate them both.
I made sure that if a user was created on 1 system, was also created on the other.
So you can modify code in both applications, to automatically create a user in other system if it is created on here.
Depending if both servers share a domain, can you do cross-domain sessions or cookies...But my best guess is to store and retreive data...
Or..
as a person logins/registers record their current ip address, on both servers, then check if this person was on the other server within 2-5 minutes, if so, use the ip address to identify them....
This system is tricky because timing is important, so your not leaving a huge hole in your security....But for short term, going between servers, this is simplest solution, in my own opinion.
Good Luck.
If you are on an intranet, you can actually sniff out the network username of the user from the PC they are logged into the network on using PHP. This assumes that:
You are using IIS to host your PHP application.
Your users are using Windows.
Check the section "2.2 Enabling Support for Detecting Usernames" here.
After that, all you need to do is investigate if the same is possible from Coldfusion, and you have the basis of an SSO solution based on the network usernames.
How about implementing an OpenID solution, much like the one apparent on StackOverflow?
You may benefit from dropping a shared object on the client machine via Flash or Flex. This object could then be read from ColdFusion/PHP/Python on servers that otherwise had no connection to each other or access to a common database.
Here is a simple example from the Adobe Docs
Maintain local persistence. This is
the simplest way to use a shared
object, and does not require Flash
Media Server. For example, you can
call SharedObject.getLocal() to create
a shared object in an application,
such as a calculator with memory. When
the user closes the calculator, Flash
Player saves the last value in a
shared object on the user's computer.
The next time the calculator is run,
it contains the values it had
previously. Alternatively, if you set
the shared object's properties to null
before the calculator application is
closed, the next time the application
runs, it opens without any values.
Another example of maintaining local
persistence is tracking user
preferences or other data for a
complex website, such as a record of
which articles a user read on a news
site. Tracking this information allows
you to display articles that have
already been read differently from
new, unread articles. Storing this
information on the user's computer
reduces server load.
Full Information: http://livedocs.adobe.com/flex/3/langref/flash/net/SharedObject.html
I'm in the final stages of implementing a CodeIgniter site which requires a really simple login system. One user, and one password to protect the admin area. I think I will be using one of the many CodeIgniter authentication libraries, which should allow me to ensure that people can't read from the database without being logged in as admin (hopefully).
Are there any glaring holes in a setup like this?
Should I take further measures beyond using a library like this to
ensure the security of the data in the MySQL database?
It will be hosted on a shared server; meaning little, or no server config will be possible.
There is a long discussion about the authentication systems available here: How should I choose an authentication library for CodeIgniter?
The latest version of Redux seems to be the favorite.
http://code.google.com/p/reduxauth/
I have used in the past (with excellent results) DX Auth 1.0.6.
You can find it at http://codeigniter.com/forums/viewthread/98465/
I would create simple form-based authentication and use a strong password.
HTTP authentication has too many problems IMHO:
Easier to brute force hack.
Anyone who sniffs the request can determine the username and password being used, but they don't even need to; they can just use an identical HTTP themselves.
Once that dialog pops up, it's difficult to dismiss, which can be irritating.
Many browsers will ask twice for a password before letting you in.
It's difficult to log out or change users, you usually have to quit the browser.
Easy to forget that you've let the browser save your credentials, which is another potential security risk.
If it is on an apache server, then I would consider just setting up an htpasswd protected directory. Read more about it here.
Is it possible to use the users windows authentication (setting in iis) for database connections in PHP?
This is possible in the .NET world through a technique called "impersonation". Does this also exist in the PHP/IIS world?
EDIT: The Database I am using is MS SQL Server 2005.
If you can authenticate the PHP application with Keberos, you can use kerberos Delegation to pass the credentials to the secondary server.
Ken Schaefer has a whole series of blogs on Kerberos, including this article on delegation.
Impersonation through Kerberos is the most secure answer, as well as the simplest to administrate. Having separate 'synthetic' users when accessing resources like databases means you basically bypass all possibilities for database authorization, get duplicate points of access administration, and that you get zero traceability at the database level (you just see that MySyntheticUser tried to access something, not who was behind it).
Having said this, I should warn you that Microsoft's Kerberos isn't always as straightforward as you would expect. We've had significant trouble getting it to work between pure .NET solutions, IIS, SQL Server 2005, AD domains and Internet Explorer. Most of it was down to getting trust configured exactly right. Also, while I'm not a PHP developer myself, I find some indications that you may have trouble accessing Kerberos library functionality. Find out what support you can get for SSPI. Also, your PHP process must have the necessary permissions to impersonate users, which I believe can be administered through IIS.
I would not necessarily expect all of this to be straightforward or easy, particularly as Microsoft has few incitaments to support non-Microsoft languages and platforms.
Must each user be verified separately? If not, you can set IIS to impersonate one person.
I know that you can supply the login name and password that you want associated with your ODBC connection if you create it through System DSN. I assume that the login un/pw can be windows user accounts.
Doing it that way seems to limit you to a predetermined account.
It might be possible to create a group, add the desired users, password protect the directory and only allow the group access to the directory.
You didn't say which database you're using though. If you are using MS Access, I know you can hide your database passwords. See my comment on another post.
Which way are you running IIS on PHP? As a standalone CGI or ISAPI?
My preferred solution would be to have a separate user on SQL Server for the access, instead of trying to force the IIS to run as an impersonated a user which is fine for development machines but not so good later on for production or even staging.
But if you're using FastCGI, it is possible to impersonate a user that the process is run by with the configuration file from what I remember, which passes the user logged in's credentials.