RE: LDAP, Active Directory, and permissions

> -----Original Message-----
> From: Chris Knipe [mailto:cknipe@xxxxxxxxxxxxx] On Behalf Of Chris Knipe
> Sent: Tuesday, November 30, 2010 10:52 PM
> To: php-general@xxxxxxxxxxxxx
> Subject: RE:  LDAP, Active Directory, and permissions
> 
> Hi,
> 
> > Chris,
> >
> > 1) Shouldn't the OU security permissions be set within the AD itself?
> > 2) If the above is done, then the user account that's being
> > authenticated shouldn't be able to access privileged information.
> 
> 1) Not sure.  The permissions I'm after are similar to those of NTFS
> permissions on the file system.  Essentially, it is a way to restrict an
> application to read certain OUs or Objects completely, making it invisible.
> FYI... http://technet.microsoft.com/en-us/library/cc785913(WS.10).aspx

I guess you didn't read far down enough to 'User Authentication':  'Active
Directory ... to access objects...'  (Note that every OU is the same as any
network resource.)  That's exactly what I mentioned.  OU security settings
are similar to NTFS: the user/group with the lesser privilege applies.

> 
> 2) This is completely irrelevant to authentication.  See point 1 above.

It's completely relevant, if you set the permissions on the OUs. (How do you
think you have access permission to the OUs?  Are you a domain/enterprise
admin?  Create a test user account and an OU.  Set the security permissions.
Test with the user account on accessing that OU and compare it to a domain
admin account.) The app that logs in under a certain account would be
restricted to the set permissions.  If the users are using the PHP app then
the app should be passing the user's authentication along to AD for
authentication instead of a network service type account logging in and then
validating the user's authentication to see if the user is valid.  Thus the
security is maintained/restricted to each individual login.  (Think of it as
network share mapping.  You can login to a share and still change to a
different user account afterwards.)  If you try to do a work around in C# or
a DLL of some type as you mentioned earlier, you'll have to do the same
thing.  So, I strongly suggest you look into adLDAP and modify it accordingly
if the app isn't behaving as I mentioned.  Also, look into these [1] & [2].

> 
> > Just curious, are you using phpldapadmin?
> 
> A modified version of adLDAP, http://adldap.sourceforge.net/
> 
> Regards,
> Chris.
> 

Regards,
Tommy

[1] http://support.microsoft.com/kb/320528
[2] http://support.microsoft.com/kb/326690
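Binding as the end user rather than as a service account, as the reply above describes, looks like this with PHP's plain ldap_* functions (an added example, not code from the thread or from adLDAP; the host name, UPN and OU DN are placeholder values):

```php
<?php
// Added example: authenticate to AD with the user's own credentials so the
// directory's OU ACLs, not the app's service account, decide what is visible.
// 'dc01.example.local', 'alice@example.local' and the OU DN are placeholders.

function ad_connect($host)
{
    $ds = ldap_connect("ldap://$host");
    if ($ds === false) {
        throw new RuntimeException("Cannot initialise LDAP connection to $host");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD hands out referrals on subtree searches
    return $ds;
}

// Simple bind as the user (UPN form is accepted by AD).
function ad_bind_user($ds, $upn, $password)
{
    if ($password === '') {
        // An empty password makes this an anonymous/unauthenticated bind,
        // which AD may answer with success; never treat that as a login.
        return false;
    }
    return @ldap_bind($ds, $upn, $password);
}

// List user accounts in an OU, seen through whichever identity is bound on $ds.
function ad_list_ou($ds, $ouDn)
{
    $result = @ldap_search($ds, $ouDn, '(objectClass=user)', ['sAMAccountName']);
    if ($result === false) {
        return []; // "No such object" or insufficient access: the OU is invisible here
    }
    $entries = ldap_get_entries($ds, $result);
    $names = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $names[] = $entries[$i]['samaccountname'][0];
    }
    return $names;
}

$ds = ad_connect('dc01.example.local');
if (!ad_bind_user($ds, 'alice@example.local', $_POST['password'] ?? '')) {
    exit('Authentication failed');
}
// Same connection, now acting as alice: an OU she has no Read right on returns nothing,
// exactly as the share-mapping analogy in the reply suggests.
print_r(ad_list_ou($ds, 'OU=Restricted,DC=example,DC=local'));
```

Calling ldap_bind again on the same connection with different credentials switches the identity the later searches run under, which is the "change to a different user account afterwards" behaviour mentioned in the reply.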


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php