LdapAuthPHP – a Little API for LDAP Based AuthN AuthZ in PHP applications

I released, under an open source licence, a little tool that helps you integrate a PHP application into an LDAP-based AAI (authentication and authorization infrastructure).
Download it here! (google code)
Features:
- Load balancing and HA between multiple LDAP servers
- HTML Standalone Page Protector (if you are lazy you don't need to write a login form)
- BasicAuth Standalone Page Protector (want to LDAP-protect an RSS feed?)
- Custom attribute fetching (for AuthZ)
- Configurable ldap2Session attribute mapping (LDAP attr -> PHP session attr)
- Access logging (to be improved and localized)
Usage example:
<?php
// Build the absolute URL of this page; it is used as the post-login redirect target.
// SERVER_NAME and REQUEST_URI come from the request: if your server answers to
// arbitrary Host headers, prefer a fixed hostname here so the redirect cannot be steered.
$https   = !empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off";
$pageURL = ($https ? "https" : "http") . "://" . $_SERVER["SERVER_NAME"];
$defaultPort = $https ? "443" : "80";
if ($_SERVER["SERVER_PORT"] != $defaultPort) {
    $pageURL .= ":" . $_SERVER["SERVER_PORT"];
}
$pageURL .= $_SERVER["REQUEST_URI"];

session_name('MYAPP');
session_start();
if (!isset($_SESSION["user"])) {
    // Not logged in yet: configure the authenticator and let the standalone
    // protector render the login form and perform the LDAP login.
    include("LdapAuth.inc.php");
    $ldap = new LdapAuth();
    $ldap->setSessionAttr("user", "uid");   // LDAP "uid" -> $_SESSION["user"]
    $ldap->setSessionName("MYAPP");
    $ldap->setRedirectPage($pageURL);       // page we get redirected to after login (in this case self)
    include("LdapStandalonePageProtector.inc.php");
} else {
    // The value comes from the directory, not from this page: escape it before echoing.
    echo "Logged In As: " . htmlspecialchars($_SESSION["user"], ENT_QUOTES, 'UTF-8') . "<hr>";
    // paste here the old page code (or write the new page to protect)
}
?>
Configuration:
/* Configuration section: */
private $serviceUser="cn=LdapAuthenticator,ou=Groups,dc=mydomain,dc=com";
private $serviceSecret="serviceUSERpassword";
/* Tip: a service user is required (leaving anonymous access enabled is a bad thing),
 * and you are supposed to write an ACL that limits the service user to read-only access
 * to the cn and uid attributes in the People tree (plus any AuthZ attributes configured below).
 * This file holds the service password: keep it outside the web root with restrictive permissions.
 */
private $BaseDn="ou=People,dc=mydomain,dc=com"; // where are the users in the tree?
private $UIDAttributeName="uid"; // which attribute to search on for the search & bind login?
// e.g. "mail" lets users log in with their email address and password
private $ServerList = Array(
    /* Multiple LDAP servers: for load balancing / HA redundancy, not for multi-LDAP auth!
     * (Servers MUST share a user tree synchronization mechanism, e.g. OpenLDAP syncrepl) */
    Array(
        "ip"=>"123.123.123.123",      // IP address or hostname
        "name"=>"ldap-master",
        "sslport"=>636,
        "port"=>389
    ),
    Array(
        "ip"=>"ldap125.mydomain.com",
        "name"=>"ldap-replica",
        "sslport"=>636,
        "port"=>389
    )
    /* You can add or remove LDAP server entries (but this is not multi-LDAP:
     * the servers MUST have the same user tree) */
);
private $accessLogFile="ldap.access.log"; // file where access will be logged (keep it outside the web root too)
/* Optional parameters (leave empty, or set to a non-existent attribute name, if you don't want AuthZ attributes): */
/*
 * Note: all attribute names MUST be written in lowercase, e.g. givenName -> givenname
 */
/* Optional */ private $AuthorizativeAttrName="member"; // can be multi-valued
/* Optional */ private $AuthorizativeJSONAttrName="x-garr-authoritativejsondata"; // single-valued JSON string attribute, e.g. {"myappLevel":"admin","yourappLevel":"guest"}
/*
 * Other configuration options can be set programmatically: check
 * the setter methods of this class and call them before
 * calling the authenticate() method in a page to protect.
 */
/* End configuration. */
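To show what the configuration above drives, here is a search-and-bind login written from scratch with PHP's ext/ldap. It is an added example, not LdapAuthPHP's own code, and it covers the same three pieces the usage example and the configuration describe: failing over between replicated servers, a search & bind against $BaseDn on the $UIDAttributeName attribute, and fetching the AuthZ attributes so they can be mapped into the PHP session. The hostnames, DNs, service password and attribute names are placeholders (the JSON attribute name and its example value are taken from the configuration above); the servers are assumed to share one user tree, as the configuration requires.

```php
<?php
// Added example, not LdapAuthPHP's own code: search-and-bind login against a list of
// replicated LDAP servers, plus AuthZ attribute fetch and LDAP -> session mapping.
// Assumptions (placeholders): ext/ldap is installed, the servers share one user tree
// (e.g. syncrepl), and the DNs/attribute names below match your directory.
const LDAP_SERVERS   = [
    ['host' => 'ldap-master.mydomain.com', 'sslport' => 636],
    ['host' => 'ldap-replica.mydomain.com', 'sslport' => 636],
];
const SERVICE_DN     = 'cn=LdapAuthenticator,ou=Groups,dc=mydomain,dc=com';
const SERVICE_SECRET = 'serviceUSERpassword';   // load from a file outside the web root in practice
const BASE_DN        = 'ou=People,dc=mydomain,dc=com';
const UID_ATTR       = 'uid';
const AUTHZ_ATTRS    = ['member', 'x-garr-authoritativejsondata'];   // lowercase, as ext/ldap returns them

/** HA part: return the first server that accepts the service bind, or null if none does. */
function ldap_connect_any()
{
    foreach (LDAP_SERVERS as $srv) {
        $conn = ldap_connect(sprintf('ldaps://%s:%d', $srv['host'], $srv['sslport']));
        if ($conn === false) {
            continue;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 3);   // fail over quickly instead of hanging the page
        if (@ldap_bind($conn, SERVICE_DN, SERVICE_SECRET)) {   // @: the return value is checked instead
            return $conn;
        }
        ldap_unbind($conn);
    }
    return null;
}

/**
 * Search-and-bind: find the user's DN with the service account, then bind as that DN with
 * the supplied password. Returns the fetched attributes (lowercase names, values as plain
 * arrays) on success, null on any failure.
 */
function ldap_search_and_bind($conn, string $login, string $password): ?array
{
    // An empty password turns the bind into an "unauthenticated" bind, which many servers
    // accept as anonymous; NUL bytes are rejected by ext/ldap. Refuse both before talking to LDAP.
    if ($password === '' || strpos($password, "\0") !== false) {
        return null;
    }
    // Escape the user-controlled value so it cannot alter the filter (LDAP injection).
    $filter  = sprintf('(%s=%s)', UID_ATTR, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $result  = @ldap_search($conn, BASE_DN, $filter, array_merge([UID_ATTR], AUTHZ_ATTRS));
    $entries = $result === false ? false : ldap_get_entries($conn, $result);
    if ($entries === false || $entries['count'] !== 1) {
        return null;   // unknown or ambiguous login: refuse rather than pick one entry
    }
    $entry = $entries[0];
    if (!@ldap_bind($conn, $entry['dn'], $password)) {
        return null;   // wrong password, or account disabled by the directory
    }
    ldap_bind($conn, SERVICE_DN, SERVICE_SECRET);   // do not leave the link bound as the user

    $attrs = ['dn' => [$entry['dn']]];
    foreach (array_merge([UID_ATTR], AUTHZ_ATTRS) as $name) {
        $values = $entry[$name] ?? ['count' => 0];
        unset($values['count']);                     // ldap_get_entries adds a 'count' key per attribute
        $attrs[$name] = array_values($values);
    }
    return $attrs;
}

/** Read this application's level from the single-valued JSON AuthZ attribute. */
function app_level(array $attrs, string $app): ?string
{
    $data = json_decode($attrs['x-garr-authoritativejsondata'][0] ?? '', true);
    // A missing or malformed attribute means "no authorization", never a default role.
    return (is_array($data) && isset($data[$app]) && is_string($data[$app])) ? $data[$app] : null;
}

/** LDAP attr -> session attr mapping (the ldap2Session idea), applied once after a successful bind. */
function login_to_session(array $attrs, array $map): void
{
    session_regenerate_id(true);   // fresh session id after authentication: no session fixation
    foreach ($map as $sessionKey => $ldapAttr) {
        $_SESSION[$sessionKey] = $attrs[$ldapAttr][0] ?? null;
    }
    $_SESSION['groups'] = $attrs['member'] ?? [];   // multi-valued attribute, kept whole
}

// Login-form handler: the form posts 'login' and 'password' over HTTPS.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_name('MYAPP');
    session_start();
    $conn  = ldap_connect_any();
    $attrs = $conn ? ldap_search_and_bind($conn, (string)($_POST['login'] ?? ''), (string)($_POST['password'] ?? '')) : null;
    if ($attrs === null) {
        // Access log: who failed and from where; never the password.
        error_log(sprintf('LDAP login failed for %s from %s', $_POST['login'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '?'));
        http_response_code(401);
        exit('Login failed');
    }
    login_to_session($attrs, ['user' => UID_ATTR]);       // same mapping as setSessionAttr("user","uid")
    if (app_level($attrs, 'myappLevel') !== 'admin') {     // AuthZ decided on the JSON attribute
        http_response_code(403);
        exit('Authenticated, but not authorized for this application');
    }
    echo 'Logged in as: ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
}
```

Two details are worth keeping even if you use the library instead of this code: the empty-password guard, because a bind with a DN and an empty password is an unauthenticated bind that several directories accept, so the "is the password right?" step silently passes; and ldap_escape() on the login name, because the search filter is built from user input and a value like `*` or `uid=x)(|(uid=*` would otherwise change which entry is found. If ldap_connect_any() returns null, every server in the list refused the service bind or timed out; treat that as an outage, not as a failed login.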
Tags: aai, api, authn, authz, google code, ldap, ldapauthphp, opensource, php