RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
[snip] I've got a bit lost on this, but assuming that we are talking about an intranet environment, with windows/IE6 clients, and apache servers, then personally: I would check logins based on a valid session. If the user doesn't have a session they aren't logged in. Store the username in the session variable. PHP session variables are AFAIK designed to be hard to detect and fake. Any code that is run under a http:// website (as opposed to an ssl or https:// one) reads the session (i.e. does not write to it). Any authentication should be done using a script accessed over https, protected by mod_auth_kerb. The http:// script would be accessed by the person when they first access the protected site. The protected site would detect that the user is not logged in, and redirect them to the authentication site (which is behind mod_auth_kerb, and https), which would create the session, and redirect the user back to the page where they originally tried to access. [/snip] The question here is how does a Windows login create a valid session? We cannot really have the login script create a PHP session, can we?
Re: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting Rory Browne <[EMAIL PROTECTED]>: I've got a bit lost on this, but assuming that we are talking about an intranet environment, with windows/IE6 clients, and apache servers, then personally: I would check logins based on a valid session. If the user doesn't have a session they aren't logged in. Store the username in the session variable. PHP session variables are AFAIK designed to be hard to detect and fake. Any code that is run under a http:// website (as opposed to an ssl or https:// one) reads the session (i.e. does not write to it). Any authentication should be done using a script accessed over https, protected by mod_auth_kerb. The http:// script would be accessed by the person when they first access the protected site. The protected site would detect that the user is not logged in, and redirect them to the authentication site (which is behind mod_auth_kerb, and https), which would create the session, and redirect the user back to the page where they originally tried to access. I think you're talking about the user logging on once through a web page and carrying that authentication throughout. We're (or *I* am, at least) talking about the user logging on to the network (LDAP or, in my case, Active Directory) and using those credentials for the web applications. Rick -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] LDAP and Single Sign On MORE THOUGHTS
I've got a bit lost on this, but assuming that we are talking about an intranet environment, with windows/IE6 clients, and apache servers, then personally: I would check logins based on a valid session. If the user doesn't have a session they aren't logged in. Store the username in the session variable. PHP session variables are AFAIK designed to be hard to detect and fake. Any code that is run under a http:// website (as opposed to an ssl or https:// one) reads the session (i.e. does not write to it). Any authentication should be done using a script accessed over https, protected by mod_auth_kerb. The http:// script would be accessed by the person when they first access the protected site. The protected site would detect that the user is not logged in, and redirect them to the authentication site (which is behind mod_auth_kerb, and https), which would create the session, and redirect the user back to the page where they originally tried to access.
Re: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting Jochem Maas <[EMAIL PROTECTED]>: Rick Emery wrote: Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be I wouldn't do it like that; instead stick the username in the cookie in plaintext and as a oneway encoded hash (the hash creation could make use of a fixed, secret prefix string (amongst other things) to make it secure) - then to check the cookie you take the plain text name, perform the same hash creation routine on it and compare the results of that with the encoded hash that was sent in the cookie - if they match the cookie could be considered valid and untampered. the basic gist being don't use two way encryption, use a oneway hash like sha1(). Okay. I don't know enough about encoding/encryption to discuss the merits either way, but I'll go along with your suggestion. So to carry through on my thought, the "secret prefix" would have to be constant. I'd like to find a way to make it variable (and random, even; I'm working under the assumption that at least one of our users would be smart enough to write a cookie to masquerade as another user). I have an idea, but I have little experience with Active Directory or LDAP, and I think I'm venturing into the space of "off-topic". I wonder if it would be possible (probably after modifying the schema) to write a value into the user's account in Active Directory/LDAP. The login script could generate a random string to prefix the username, hash it, write the random value into the user's LDAP record, and write the cookie. The PHP app on the other side could get the value from the user's LDAP record and then do the comparison. That way, each user would have a different "secret prefix", and it would be different each time that user logged in. Thoughts? well you can stick it in the session ...
but like I said decoding is an unnecessary step it seems to me (given that you can achieve the validation using a oneway encryption method) Wouldn't the session expire on completion of the login script? If I opened a browser to run an application on our Intranet, wouldn't that create a different session? Again, I may be missing something. Thanks for the discussion; I'm really enjoying it. Rick
Re: [PHP] LDAP and Single Sign On MORE THOUGHTS
Rick Emery wrote: Quoting [EMAIL PROTECTED]: You could just store a username, since they have already authenticated, but a cookie with just a username would be easy to duplicate. My current thought is to hash a checksum of some sort and store that in the cookie as well. That way you avoid the username only problem. I do not want to store the user's password in any format in the cookie. I am thinking that the login script will cause a cookie to be written (via PHP) with a base64 encoded (http://www.php.net/manual/en/function.base64-encode.php) string or some other hash method. Then that string could be decoded when the user accesses the intranet site and compared against whatever criteria you deem necessary. Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be I wouldn't do it like that; instead stick the username in the cookie in plaintext and as a oneway encoded hash (the hash creation could make use of a fixed, secret prefix string (amongst other things) to make it secure) - then to check the cookie you take the plain text name, perform the same hash creation routine on it and compare the results of that with the encoded hash that was sent in the cookie - if they match the cookie could be considered valid and untampered. the basic gist being don't use two way encryption, use a oneway hash like sha1(). safe as long as nobody ever figures out what I'm encoding and how I'm encoding it. What would be great would be if the value that gets encoded could somehow be dynamic (like the current time, or even a randomly generated string). But then how would the PHP script know what the decoded value is supposed to be? Hmmm...something to think about. well you can stick it in the session ... but like I said decoding is an unnecessary step it seems to me (given that you can achieve the validation using a oneway encryption method) I have not tested this though.
It is on my task list for next week though. :) Let us know how it goes! Thanks, Rick
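The scheme the thread settles on (plaintext username in the cookie beside a one-way hash keyed with a server-side secret, checked by recomputing the hash) written out as an added example; this is not code from the thread or from any of its posters. It uses HMAC instead of sha1(secret . username) and binds an expiry into the signed value so a copied cookie stops working; the cookie name, the 8-hour lifetime and the $secret key are assumptions, and the setcookie options array needs PHP 7.3 or later.

```php
<?php
// Signed login cookie: "username|expires|tag", where tag = HMAC-SHA256 over
// "username|expires" with a secret known only to the login script and the
// intranet application. Without the secret a user cannot produce a valid
// tag for someone else's username, which is the forgery the thread worries
// about. All names here are assumptions for this example.

const COOKIE_NAME = 'intranet_auth';   // assumed cookie name

function make_token(string $username, string $secret, int $expires): string
{
    // '|' is the field separator, so it may not appear in the username.
    if (strpos($username, '|') !== false) {
        throw new InvalidArgumentException('username must not contain |');
    }
    // Username and expiry are signed together, so changing either one
    // invalidates the tag.
    $payload = $username . '|' . $expires;
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $tag;
}

// Returns the username if the token is well formed, unexpired and carries a
// correct tag; null otherwise. $now is passed in to keep the check testable.
function verify_token(string $token, string $secret, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;                          // malformed cookie
    }
    list($username, $expires, $tag) = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                          // expired or bad expiry field
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, $secret);
    // hash_equals() compares in constant time; a plain == leaks timing.
    if (!hash_equals($expected, $tag)) {
        return null;                          // tampered or forged
    }
    return $username;
}

// Called by the login script once the user has authenticated (for example
// behind mod_auth_kerb over https, as suggested earlier in the thread).
function issue_cookie(string $username, string $secret): void
{
    $expires = time() + 8 * 3600;             // assumed 8-hour lifetime
    setcookie(COOKIE_NAME, make_token($username, $secret, $expires), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,                   // only sent over https
        'httponly' => true,                   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Called by the intranet application on every request.
function current_user(string $secret): ?string
{
    if (!isset($_COOKIE[COOKIE_NAME])) {
        return null;                          // no cookie: not logged in
    }
    return verify_token($_COOKIE[COOKIE_NAME], $secret, time());
}
```

The secret never goes into the cookie; it is configured on the server side for both scripts, and rotating it logs every user out at once.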
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting [EMAIL PROTECTED]: You could just store a username, since they have already authenticated, but a cookie with just a username would be easy to duplicate. My current thought is to hash a checksum of some sort and store that in the cookie as well. That way you avoid the username only problem. I do not want to store the user's password in any format in the cookie. I am thinking that the login script will cause a cookie to be written (via PHP) with a base64 encoded (http://www.php.net/manual/en/function.base64-encode.php) string or some other hash method. Then that string could be decoded when the user accesses the intranet site and compared against whatever criteria you deem necessary. Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be safe as long as nobody ever figures out what I'm encoding and how I'm encoding it. What would be great would be if the value that gets encoded could somehow be dynamic (like the current time, or even a randomly generated string). But then how would the PHP script know what the decoded value is supposed to be? Hmmm...something to think about. I have not tested this though. It is on my task list for next week though. :) Let us know how it goes! Thanks, Rick
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
[snip] First, let me apologize for having to take it to a basic level. I'll admit that I'm fairly new to web development, but this is something I could *really* use at work and I want to make sure I understand (just to set the stage, we use Windows/Active Directory/MS SQL Server at work, but have decided that future applications will be written in PHP run on Linux/Apache). So I have a login script that sets a cookie when the user logs in. Then I have an application written in PHP that reads the cookie for authentication purposes. What would I store in the cookie? Would the username be sufficient (since the cookie was set, we can assume that it was already authenticated through AD, right), or is there something more I can add to the cookie to make the process more secure? Which leads back to my original question; what would keep me from setting a cookie with, say, my manager's username, fooling the PHP application into thinking I'm her? [/snip] You could just store a username, since they have already authenticated, but a cookie with just a username would be easy to duplicate. My current thought is to hash a checksum of some sort and store that in the cookie as well. That way you avoid the username only problem. I do not want to store the user's password in any format in the cookie. I am thinking that the login script will cause a cookie to be written (via PHP) with a base64 encoded (http://www.php.net/manual/en/function.base64-encode.php) string or some other hash method. Then that string could be decoded when the user accesses the intranet site and compared against whatever criteria you deem necessary. I have not tested this though. It is on my task list for next week though. :) So, you could set a cookie with your manager's name, but it wouldn't work. You would also have to know how to encode a string properly for storage in the cookie. Read http://www.php.net/manual/en/function.setcookie.php for more information on cookies.
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting [EMAIL PROTECTED]: [snip] Couldn't I write my own cookie to fool the authentication into thinking I'm somebody else? [/snip] I suppose that you could do that if you were savvy enough to realize that automatic login to the intranet used a cookie for authentication and you knew how to format the cookie and properly hash a checksum stored in the cookie. The user information stored in the cookie would be verified against the AD via LDAP. First, let me apologize for having to take it to a basic level. I'll admit that I'm fairly new to web development, but this is something I could *really* use at work and I want to make sure I understand (just to set the stage, we use Windows/Active Directory/MS SQL Server at work, but have decided that future applications will be written in PHP run on Linux/Apache). So I have a login script that sets a cookie when the user logs in. Then I have an application written in PHP that reads the cookie for authentication purposes. What would I store in the cookie? Would the username be sufficient (since the cookie was set, we can assume that it was already authenticated through AD, right), or is there something more I can add to the cookie to make the process more secure? Which leads back to my original question; what would keep me from setting a cookie with, say, my manager's username, fooling the PHP application into thinking I'm her? I can't help but feel like I'm missing something. Thanks, Rick
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
[snip] > We are sitting here having a discussion on login techniques and I came up > with a thought...why not have a login script write a cookie that then > could be read by PHP and compared against the AD via LDAP? Does anyone > see any gotchas with that kind of process? Couldn't I write my own cookie to fool the authentication into thinking I'm somebody else? [/snip] I suppose that you could do that if you were savvy enough to realize that automatic login to the intranet used a cookie for authentication and you knew how to format the cookie and properly hash a checksum stored in the cookie. The user information stored in the cookie would be verified against the AD via LDAP.
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
Quoting [EMAIL PROTECTED]: [snip] As far as I can tell you will have to ask the user to login at the web application level again, but you can verify it against your AD via LDAP with the basic stuff from http://www.php.net/ldap [/snip] We are sitting here having a discussion on login techniques and I came up with a thought...why not have a login script write a cookie that then could be read by PHP and compared against the AD via LDAP? Does anyone see any gotchas with that kind of process? Couldn't I write my own cookie to fool the authentication into thinking I'm somebody else? -- Rick Emery "When once you have tasted flight, you will forever walk the Earth with your eyes turned skyward, for there you have been, and there you will always long to return" -- Leonardo Da Vinci
Re: [PHP] LDAP and Single Sign On
Kerberos - there is an apache module for it. On 3/7/06, Justin Cook <[EMAIL PROTECTED]> wrote: > > We are developing an intranet for my company. I would like to implement a > single sign on service. We have Active Directory on one server and the > intranet is being housed on a Redhat Linux server. When the internal user > pulls up the intranet, I would like it to check to see if they successfully > joined the domain when they logged into their personal machine, if so they > do not need to log on to the intranet. Does anybody have any links to > tutorials on this? Thanks! >
RE: [PHP] LDAP and Single Sign On MORE THOUGHTS
[snip] As far as I can tell you will have to ask the user to login at the web application level again, but you can verify it against your AD via LDAP with the basic stuff from http://www.php.net/ldap [/snip] We are sitting here having a discussion on login techniques and I came up with a thought...why not have a login script write a cookie that then could be read by PHP and compared against the AD via LDAP? Does anyone see any gotchas with that kind of process?
RE: [PHP] LDAP and Single Sign On
[snip] We are developing an intranet for my company. I would like to implement a single sign on service. We have Active Directory on one server and the intranet is being housed on a Redhat Linux server. When the internal user pulls up the intranet, I would like it to check to see if they successfully joined the domain when they logged into their personal machine, if so they do not need to log on to the intranet. Does anybody have any links to tutorials on this? Thanks! [/snip] Just to be clear, you want to take the network logon (from the Windows environment) and compare it against the AD via LDAP when someone accesses the intranet to make sure that they are authorized? I don't think that it is possible; it is a question that I have asked before. I have seen this sort of behavior before, when all of the boxes were Windows boxes (IIS web servers, etc). As far as I can tell you will have to ask the user to login at the web application level again, but you can verify it against your AD via LDAP with the basic stuff from http://www.php.net/ldap
RE: [PHP] LDAP and Single Sign On
I've been there. I can connect and search my active directory, that's no problem. I'm more curious on how to check to see if they have already authenticated to the domain. From: Shaunak Kashyap [mailto:[EMAIL PROTECTED] To: Justin Cook [mailto:[EMAIL PROTECTED], php-general@lists.php.net Sent: Tue, 07 Mar 2006 12:06:42 -0600 Subject: RE: [PHP] LDAP and Single Sign On Maybe this will help: http://us2.php.net/manual/en/ref.ldap.php Shaunak Kashyap Senior Web Developer WPT Enterprises, Inc. 5700 Wilshire Blvd., Suite 350 Los Angeles, CA 90036 Direct: 323.330.9870 Main: 323.330.9900 www.worldpokertour.com Confidentiality Notice: This e-mail transmission (and/or the attachments accompanying) it may contain confidential information belonging to the sender which is protected. The information is intended only for the use of the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or taking of any action in reliance on the contents of this information is prohibited. If you have received this transmission in error, please notify the sender by reply e-mail and destroy all copies of this transmission. > -Original Message- > From: Justin Cook [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 07, 2006 9:55 AM > To: php-general@lists.php.net > Subject: [PHP] LDAP and Single Sign On > > We are developing an intranet for my company. I would like to implement a > single sign on service. We have Active Directory on one server and the > intranet is being housed on a Redhat Linux server. When the internal user > pulls up the intranet, I would like it to check to see if they > successfully joined the domain when they logged into their personal > machine, if so they do not need to log on to the intranet. Does anybody > have any links to tutorials on this? Thanks!
RE: [PHP] LDAP and Single Sign On
Maybe this will help: http://us2.php.net/manual/en/ref.ldap.php Shaunak Kashyap Senior Web Developer WPT Enterprises, Inc. 5700 Wilshire Blvd., Suite 350 Los Angeles, CA 90036 Direct: 323.330.9870 Main: 323.330.9900 www.worldpokertour.com > -Original Message- > From: Justin Cook [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 07, 2006 9:55 AM > To: php-general@lists.php.net > Subject: [PHP] LDAP and Single Sign On > > We are developing an intranet for my company. I would like to implement a > single sign on service. We have Active Directory on one server and the > intranet is being housed on a Redhat Linux server. When the internal user > pulls up the intranet, I would like it to check to see if they > successfully joined the domain when they logged into their personal > machine, if so they do not need to log on to the intranet. Does anybody > have any links to tutorials on this? Thanks!
[PHP] LDAP and Single Sign On
We are developing an intranet for my company. I would like to implement a single sign on service. We have Active Directory on one server and the intranet is being housed on a Redhat Linux server. When the internal user pulls up the intranet, I would like it to check to see if they successfully joined the domain when they logged into their personal machine, if so they do not need to log on to the intranet. Does anybody have any links to tutorials on this? Thanks!