LinuxQuestions.org


starmonche 03-12-2008 09:55 AM

Apache redirect based on LDAP authentication
 
I'm building a job request intranet site using PHP and MySQL and am looking for a way to either redirect a user to a certain page based on their LDAP login or be able to disable certain pieces of the page based on their AD username/group.

For example, people in the admin group could have full control and be able to edit all records but anyone else would only be able to submit new records and see records that they've submitted.

My current "solution" is to create a shortcut on each user's desktop that passes along their AD login name when opening the site (i.e. http://sitename/jrequest.html?user=thilfiger), but I'd prefer doing it the "right" way.

The webserver is Ubuntu and it's on the domain (as in I can log on locally using my domain credentials) so that piece is already taken care of. The server is running the latest stable Apache, MySQL, and PHP versions.

frndrfoe 03-12-2008 10:31 PM

Unless there is something in the environment variables sent from the browser to the web server that you can key off of, like the hostname, you will have to rely on the uname/passwd that they provide when they access the page. Then you could use the PHP scripts to determine their access rights.

leebrent 03-12-2008 11:09 PM

You could use a PHP query to pull information out of LDAP. This would allow you to store a URL in LDAP for that user?

http://ca3.php.net/ldap

Creating a secure session variable with the user information in it would be the easiest. You might pull some level of access out of LDAP with an LDAP query to use when figuring out what level of access that user should have on the site.

Cheers,

Brent.

starmonche 03-21-2008 10:42 AM

AuthType Basic
AuthName "LDAP Auth"
AuthBasicProvider ldap
AuthLDAPBindDN cn=USERNAME,ou=Accounts,ou=Admin,DC=companyname,DC=com
AuthLDAPBindPassword "PASSWORD"
AuthLDAPURL ldap://10.0.0.28/ou=Admin,dc=companyname,dc=com?sAMAccountName?sub?(objectClass=user)
AuthzLDAPAuthoritative off
Require valid-user

--------------------------

The above text is my .htaccess file and it works by binding to LDAP with the user "USERNAME" and the password "PASSWORD" and then validates the existence of the account/password the user provides when opening the page. Can this be rewritten to bind and validate with the credentials provided by the user instead of the account I've hard-coded here?
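The two things the thread asks for, validating the credentials the user actually typed and branching on AD group membership, done in PHP as an added example rather than code from the thread (with mod_authnz_ldap the hard-coded AuthLDAPBindDN is only used to search for the user's DN; the password the user enters is then checked by a second bind as that DN). The LDAP host, base DN and group DN below are placeholders, and PHP 7.1+ with the ldap extension (ldap_escape) is assumed.

```php
<?php
// Added example: bind to AD as the user who is logging in, then derive the
// role from group membership. Host, base DN and group DN are placeholders.
const LDAP_URI   = 'ldaps://dc.companyname.example';           // placeholder
const LDAP_BASE  = 'dc=companyname,dc=example';               // placeholder
const UPN_SUFFIX = '@companyname.example';                    // placeholder
const ADMIN_DN   = 'CN=jrequest-admins,OU=Groups,DC=companyname,DC=example';

// Returns 'admin', 'submitter', or null when the credentials are rejected.
function ldap_user_role(string $user, string $pass): ?string {
    // An empty password turns ldap_bind into an anonymous bind, which AD
    // accepts; refuse it so "no password" can never look like a login.
    if ($pass === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    $ds = ldap_connect(LDAP_URI);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD referrals would otherwise stall searches
    // Bind with the user's own credentials (UPN form works against AD).
    if (!@ldap_bind($ds, $user . UPN_SUFFIX, $pass)) {
        return null;                                // wrong password or unknown account
    }
    // Now search as that user for their own group list (direct groups only;
    // nested membership is not expanded by memberOf).
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
    $res     = ldap_search($ds, LDAP_BASE, $filter, ['memberOf']);
    $entries = ldap_get_entries($ds, $res);
    ldap_unbind($ds);
    if ($entries['count'] !== 1) {
        return null;
    }
    $groups = $entries[0]['memberof'] ?? ['count' => 0];
    for ($i = 0; $i < $groups['count']; $i++) {
        if (strcasecmp($groups[$i], ADMIN_DN) === 0) {
            return 'admin';
        }
    }
    return 'submitter';
}

// PHP issues the Basic-auth challenge itself and receives the credentials
// in PHP_AUTH_USER / PHP_AUTH_PW (so no AuthType directive in .htaccess).
$role = isset($_SERVER['PHP_AUTH_USER'])
      ? ldap_user_role($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? '') : null;
if ($role === null) {
    header('WWW-Authenticate: Basic realm="LDAP Auth"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
session_start();
session_regenerate_id(true);                        // fresh session id after login
$_SESSION['user'] = $_SERVER['PHP_AUTH_USER'];
$_SESSION['role'] = $role;                          // pages check this, never a URL parameter
header('Location: ' . ($role === 'admin' ? '/admin.php' : '/myrequests.php'));
```

The per-page checks should read `$_SESSION['role']` rather than anything the client supplies, which is what makes the desktop-shortcut `?user=` approach unnecessary.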

