How can I connect a PHP web app to the Active Directory? Is LDAP the only way?
Some references I have so far https://stackoverflow.com/questions/1003751/how-do-i-use-microsoft-ad-and-php-single-sign-on-web-app
Well, Active Directory is LDAP+Kerberos+a few other miscellaneous bits and pieces. Officially you could authenticate via Kerberos, but that's not going to provide any of the other authorization data you may need.
As long as your firewall doesn't prohibit it and you have a user account with the correct permissions, you should be able to query Active Directory using standard LDAP PHP libraries, LDAP browsers, etc.
LDAP isn't required. You can use claims-based authentication (the new trend) with SAML. A PHP library is here.
Have your network admin install ADFSv2 to make AD open up a SAML and WS-Trust endpoint for your app. ADFS is free, and Windows 2008 R2 is the right OS to run the latest version.
TIP: Just be sure to install it so it uses SQL (not SQL Express) if you want advanced features like token replay detection.
I'm currently working on a hybrid application for my company that requires employee authentication via LDAP / Active Directory.
In PHP it's not that hard to authorize against LDAP.
Your PHP configuration should have session and ldap enabled.
Here's an example of a basic auth with PHP:
Example of usage:
Update 1
A possible method is using JavaScript to accomplish this: you can detect the client's computer name, user name and domain by using the network object in WScript. You then detect the credentials and send them to the server to check with AD; if they're all good, the server will create a session for that user and reply with a JSON object with success set to true.
The JavaScript side will then see that it's a success and redirect the browser to another location, causing them to be logged in.
POC:
You could try SAML as well. Try a search for "SAML active directory" as well as "SAML apache".
If your Linux system is running Winbind (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html), you could conceivably use standard PAM services for authentication. And, as has been pointed out, you can also authenticate using Kerberos (either treating it as a password database or by actually accepting Kerberos tokens via, e.g., Apache's mod_kerberos).
Using Kerberos gets you some security advantages if done correctly (because user passwords never traverse the network), but you would still need to interact with LDAP (or the local system running Winbind) to get group memberships, etc., for authorization.
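An added example (not code from any of the answers above) that covers both the "basic auth with PHP" that the LDAP answer refers to and the Kerberos point made in the last answer: authenticating a user by binding to AD with their own credentials, and, separately, looking up an already-authenticated principal's groups (e.g. the REMOTE_USER that Apache's Kerberos module sets) for authorization. It assumes a hypothetical domain example.local with a domain controller at dc1.example.local that supports STARTTLS with a certificate the PHP host trusts, a read-only service account svc-web-ldap for lookups, and the php-ldap extension; all of those names are placeholders.

```php
<?php
// Added example, not from the original answers. Assumed (hypothetical) names:
// domain example.local, DC dc1.example.local, service account svc-web-ldap,
// a group "WebApp Users" that gates access. Requires the php-ldap extension.

const LDAP_URI     = 'ldap://dc1.example.local';
const LDAP_BASE_DN = 'DC=example,DC=local';
const UPN_SUFFIX   = '@example.local';
const SVC_BIND_DN  = 'CN=svc-web-ldap,OU=Service Accounts,DC=example,DC=local';
const SVC_BIND_PW  = 'change-me';   // assumption: load from a secrets store in practice
const REQUIRED_GROUP = 'CN=WebApp Users,OU=Groups,DC=example,DC=local';

/** Open a connection and upgrade it to TLS before any credentials are sent. */
function ad_connect()
{
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);       // AD referrals otherwise stall searches
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);
    // Never bind in clear text: STARTTLS on 389 (or use ldaps:// on 636).
    if (!@ldap_start_tls($conn)) {
        return false;
    }
    return $conn;
}

/** Authenticate by binding as the user. True only on a successful simple bind. */
function ad_authenticate(string $username, string $password): bool
{
    // AD treats an empty password as an anonymous bind, which "succeeds":
    // reject it explicitly so a blank password can never log someone in.
    if ($username === '' || $password === '' || preg_match('/[^A-Za-z0-9._-]/', $username)) {
        return false;
    }
    $conn = ad_connect();
    if ($conn === false) {
        return false;
    }
    $ok = @ldap_bind($conn, $username . UPN_SUFFIX, $password);
    ldap_unbind($conn);
    return $ok === true;
}

/**
 * Group DNs of an already-authenticated principal such as "alice@EXAMPLE.LOCAL"
 * (what Apache's Kerberos module puts in REMOTE_USER). Uses the service
 * account, never the user's password, so it works for Kerberos logins too.
 */
function ad_groups(string $principal): array
{
    $sam  = explode('@', $principal, 2)[0];   // strip realm / UPN suffix -> sAMAccountName
    $conn = ad_connect();
    if ($conn === false || !@ldap_bind($conn, SVC_BIND_DN, SVC_BIND_PW)) {
        return [];
    }
    // ldap_escape() stops filter injection from an attacker-controlled name.
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($sam, '', LDAP_ESCAPE_FILTER));
    $res     = ldap_search($conn, LDAP_BASE_DN, $filter, ['memberOf']);
    $entries = $res ? ldap_get_entries($conn, $res) : ['count' => 0];
    ldap_unbind($conn);
    if ($entries['count'] !== 1) {            // unknown or ambiguous account -> no groups
        return [];
    }
    $groups = [];
    $member = $entries[0]['memberof'] ?? ['count' => 0];   // attribute names come back lower-cased
    for ($i = 0; $i < $member['count']; $i++) {
        $groups[] = $member[$i];
    }
    return $groups;
}

// Usage: prefer a Kerberos-authenticated REMOTE_USER, else fall back to a form login.
session_start();
$principal = $_SERVER['REMOTE_USER'] ?? null;
if ($principal === null && isset($_POST['user'], $_POST['pass'])
    && ad_authenticate($_POST['user'], $_POST['pass'])) {
    $principal = $_POST['user'] . UPN_SUFFIX;
}
if ($principal === null) {
    http_response_code(401);
    exit('login required');
}
session_regenerate_id(true);                  // fresh session id after login (session fixation)
$_SESSION['user']   = $principal;
$_SESSION['groups'] = ad_groups($principal);
if (!in_array(REQUIRED_GROUP, $_SESSION['groups'], true)) {
    http_response_code(403);
    exit('not authorized');
}
```

Two caveats worth knowing: memberOf lists only direct memberships, so nested groups need an extra query (AD's LDAP_MATCHING_RULE_IN_CHAIN filter on memberOf:1.2.840.113556.1.4.1941:=) if your authorization relies on them; and the form-login branch is the one case where the user's password does cross the network (inside TLS), which is exactly the exposure the Kerberos route avoids.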