[snip]
Yes, a single sign-on it is... It doesn't work together with Windows (and PHP) you mean?
[/snip]

No, not really. You can run PHP on a Linux or a Windows server and it does not have access to the initial login values (press Ctrl+Alt+Del to log in), although ASP and .Net (auth_user, etc.) do. This is something that I have wanted to do for years and we have even discussed on this list.

The initial login has to be configured so that the computer is accessible either online or off, and it can be either basic (plain text) or challenge/response (encrypted). If it is online it will typically look at an Active Directory server for authentication, using LDAP as the method of communication. If it is offline the login will typically look at registry settings to determine if the login is authorized. Since PHP cannot read registry settings on the client (neither can JavaScript), that is out. Windows is aware of the logged-in user, but exactly where that 'session' information is kept is a mystery to most of us. So PHP cannot be aware of a user who has performed the initial login.

What we shoot for is Single Source Authentication. SSA uses LDAP to connect to AD for authentication purposes. It requires that the user log in to each application, but since we are using the same authentication platform (within a corporate system) their username and password combo is the same as their initial login. If they change their password (which we can make them do on a regular basis using AD's password policies, or they can do on their own -- we can also enforce password strength) then they are able to continue using the new password throughout the applications.

This is a very high-level overview and it doesn't even begin to talk about role or group management, but it is how we mitigate the username/password issue for corporate users. For a public web site the method may be quite a bit different.
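
Added example, not part of the original post: a minimal PHP sketch of the Single Source Authentication check described above, where each application validates the user's AD credentials with an LDAP simple bind. The server URI, UPN suffix, function name and form field names are assumptions; it uses LDAPS so the password is not sent as plain text.

```php
<?php
// Assumed values for illustration; replace with your own directory settings.
const SSA_LDAP_URI   = 'ldaps://dc1.corp.example:636'; // hypothetical domain controller
const SSA_UPN_SUFFIX = '@corp.example';                // hypothetical AD domain

/**
 * Returns true only if AD accepts the user's own credentials in a simple bind.
 */
function ssa_authenticate(string $username, string $password): bool
{
    // An empty password turns a simple bind into an "unauthenticated bind",
    // which AD accepts by default and reports as success. Never pass it through.
    if ($password === '') {
        return false;
    }
    // Allow only a conservative account-name character set so the value
    // cannot smuggle a different domain or a DN into the bind identity.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $conn = ldap_connect(SSA_LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Bind as the user (UPN form). Success means AD verified the password;
    // the application never stores or compares the password itself.
    $ok = @ldap_bind($conn, $username . SSA_UPN_SUFFIX, $password);
    ldap_unbind($conn);
    return $ok;
}

// Usage in a login handler (form field names are assumptions).
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (is_string($user) && is_string($pass) && ssa_authenticate($user, $pass)) {
    session_start();
    session_regenerate_id(true); // fresh session ID after login
    $_SESSION['user'] = $user;
}
```

Because every application binds against the same directory, AD's password policy and lockout settings apply to each of these logins without any per-application password store.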