Re: active directory and PHP

On Thursday 17 August 2006 11:35, Michael B Allen wrote:
> Hi Alain,
>
> PlexSSO is by far the best and easiest solution available for PHP SSO
> with Active Directory. We provide:
>
>   o Windows Integrated Authentication (WIA)
>   o Script level access to user info like username, home drive, etc.
>   o Script level access control using windows group names
>
> Someone else mentioned LDAP but I don't know why because it doesn't
> provide authentication [1]. For authorization LDAP doesn't automatically
> perform proper group expansion and is redundant to start with since the
> Kerberos ticket has the fully expanded groups in it already.
>
> Our authorization code is very easy to use. An access check looks like:
>
>   <?php
>       if (plexsso_is_memberof("FOONET\\Managers")) {
>           echo "You're a manager.";
>       }
>   ?>
>
> None of the mod_authz_* Apache modules can do this. These checks are
> also very fast. Once the SIDs for the groups used in your scripts are
> cached they're instantaneous.
>
> Check us out. It's very affordable (free for 25 users and 25 groups),
> we're adding major features in our next release, and we bring serious
> SSO experience to the table.
>
>    http://www.ioplex.com/
>
> Mike
>
> [1] You could proxy the user's username and password to ldap_sasl_bind but
> aside from being a hack it's not SSO and doesn't scale because it requires
> communication with the DC whereas Kerberos does not. And it's insecure
> because you have to cache the user's "credentials" in the user's session.
>
> --
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
>
> On Thu, 17 Aug 2006 12:14:18 +0200
> "Alain Roger" <raf.news@xxxxxxxxx> wrote:
> > Hi,
> >
> > I'm new to PHP, so sorry if my question looks stupid.
> >
> > I have a web application which uses an authorization and authentication
> > process to log in.
> > I would like to know if there is a way to synchronize the authentication
> > with our Active Directory domain?
> > Something like single sign-on.
> >
> > In fact, I want the users of my web application to remember only
> > their login/pwd from Active Directory to use my application.

LDAP can authenticate with Active Directory just fine:

http://www.google.com/search?hl=en&q=php+exchange+ldap+authentication&btnG=Google+Search

or

http://www.google.com/search?hl=en&lr=&q=php+active+directory+ldap+authentication&btnG=Search

The question is how secure it is.  You can set up LDAP to use SSL, so that 
would make it more secure.  Kerberos is more secure than LDAP, and you 
_could_ set it up so that the browser forwards the ticket on to mod_kerb for 
authentication, thus not needing a sign-on other than to the domain.  In my 
experience that isn't exactly easy to set up though.

-- 
Ray Hauge
Programmer/Systems Administrator
American Student Loan Services
www.americanstudentloan.com
1.800.575.1099

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
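
The LDAP-over-SSL login check discussed in this thread, as an added example that is not part of the original messages or of any product named in them. The host `dc.example.com`, the suffix `example.com` and the function name `ad_ldap_authenticate` are placeholders; it assumes PHP's ldap extension and a DC certificate the web server trusts.

```php
<?php
// Added example. dc.example.com, example.com and the function name are
// placeholders (assumptions), not values from the thread.
function ad_ldap_authenticate(
    string $user,
    string $password,
    string $uri = 'ldaps://dc.example.com:636',
    string $upnSuffix = 'example.com'
): bool {
    // A bind with a name but an empty password is an LDAP "unauthenticated
    // bind" and may be reported as success, so refuse it before any network I/O.
    if ($password === '') {
        return false;
    }
    // Accept only a plain account name; this code appends the UPN suffix itself.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return false;
    }
    // Require a valid DC certificate; must be set before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Simple bind as user@domain over the TLS-protected connection.
    $ok = @ldap_bind($conn, $user . '@' . $upnSuffix, $password);
    ldap_unbind($conn);
    return $ok;
}

// Login handler: keep only the verified name in the session, never the password.
if (isset($_POST['user'], $_POST['password'])
    && is_string($_POST['user']) && is_string($_POST['password'])) {
    if (ad_ldap_authenticate($_POST['user'], $_POST['password'])) {
        session_start();
        session_regenerate_id(true);
        $_SESSION['user'] = $_POST['user'];
    } else {
        http_response_code(401);
    }
}
```

This is a password check on every login, not single sign-on: each call makes a round trip to the domain controller.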

