
[nycphp-talk] LDAP for web authorization?

Tim Sailer sailer at bnl.gov
Thu Nov 2 09:27:37 EST 2006


On Thu, Nov 02, 2006 at 09:14:31AM -0500, R. Mariotti wrote:
> Gentlemen;
> 
> A few pointers please?
> 
> My department has been charged with replacing multiple existing login 
> mechanisms that support our PHP web intranet applications.  Fortunately 
> we are a 100% Linux/OSS shop.

Outstanding!

> My thoughts immediately went towards a centralized LDAP mechanism and 
> designing/creating a single callable login facility to accomplish this.

Good idea.

> As I personally have ZERO experience working with LDAP, I was hoping 
> that those of you who have had experience can share your advice as to 
> what works/what doesn't.
> 
> Am I all wrong in my thoughts?  Are there other better solutions one 
> should be looking at?

Well, the route you are taking is a good one. LDAP, done right, is robust.
You should try to get *all* authentication done via LDAP. Linux has PAM 
modules to do authentication, and you can do authorization with it too,
utilizing the valid hosts, if you restrict users from certain machines.
If you are just looking for authentication, it's a no-brainer, for the most
part.

PHP has excellent hooks into LDAP. php.net has good examples of how
to use them. You just want to try to do an authenticated bind to the
server using username and password. If that works, you have the right
credentials, and go on your merry way (use this within sessions for
ease).

Tim

PS: I use LDAP for just about everything for my ISP (buoy.com), including
the backend for FreeRADIUS, which replicates out to 4 machines, so LDAP
is never down.

-- 
Tim Sailer <sailer at bnl.gov> 
DoE Intelligence and Counterintelligence - Cyber Division
Northeast Regional Counterintelligence Office
Brookhaven National Laboratory  (631) 344-3001
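The "authenticated bind" check Tim describes above, written out as an added example (this is not code from the original post or from the list archive). It assumes a hypothetical directory at ldaps://ldap.example.com with users under ou=people,dc=example,dc=com keyed by the uid attribute, and a read-only service account cn=websearch,ou=services,dc=example,dc=com used only to look up the user's DN before binding as that user. It also shows the two checks a practitioner wants around a bind-based login: rejecting an empty password (which many servers treat as a successful anonymous bind) and escaping the username before it goes into a search filter.

```php
<?php
// Added example of LDAP bind authentication for a PHP intranet login.
// All hostnames, DNs and the service account below are assumptions.

const LDAP_URI     = 'ldaps://ldap.example.com';          // TLS from the start; ldap_start_tls() is the alternative
const LDAP_BASE_DN = 'ou=people,dc=example,dc=com';
const LDAP_SVC_DN  = 'cn=websearch,ou=services,dc=example,dc=com';
const LDAP_SVC_PW  = 'change-me';                          // keep this in config outside the web root

function ldap_open_connection()
{
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        throw new RuntimeException('cannot parse LDAP URI');
    }
    // Modern servers expect protocol v3. Chasing referrals could carry the
    // user's bind to a server we did not choose, so leave it off.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    return $ldap;
}

/**
 * Find the DN for a username, or return null if there is no single match.
 * ldap_escape() with LDAP_ESCAPE_FILTER stops "*" or ")(uid=*" typed into
 * the login form from widening the filter (LDAP injection).
 */
function ldap_lookup_user_dn($ldap, string $username): ?string
{
    if (!ldap_bind($ldap, LDAP_SVC_DN, LDAP_SVC_PW)) {
        throw new RuntimeException('service bind failed: ' . ldap_error($ldap));
    }
    $filter = '(&(objectClass=person)(uid='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    // '1.1' is the RFC 4511 marker for "no attributes": we only need the DN.
    $result = ldap_search($ldap, LDAP_BASE_DN, $filter, ['1.1']);
    if ($result === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $result);
    if ($entries['count'] !== 1) {
        return null;   // zero or several hits both mean "unknown user"
    }
    return $entries[0]['dn'];
}

/**
 * Authenticate by binding as the user. Returns the user's DN on success,
 * null on failure. The server checks the password; the application never
 * handles a hash.
 */
function ldap_authenticate(string $username, string $password): ?string
{
    // An empty password is not a failed login on most directories: RFC 4513
    // lets a bind with a DN and empty password succeed as an anonymous bind.
    // Without this guard any valid username logs in with a blank password.
    if ($username === '' || $password === '') {
        return null;
    }
    $ldap = ldap_open_connection();
    try {
        $dn = ldap_lookup_user_dn($ldap, $username);
        if ($dn === null) {
            return null;
        }
        // ldap_bind() emits a warning on bad credentials; suppress it and
        // rely on the boolean result.
        return @ldap_bind($ldap, $dn, $password) ? $dn : null;
    } finally {
        ldap_unbind($ldap);
    }
}

// Login handler: the session carries the result so later requests do not
// have to bind again (the "use this within sessions" part of the advice).
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $dn = ldap_authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($dn !== null) {
        session_regenerate_id(true);   // new session id after login, against fixation
        $_SESSION['user_dn'] = $dn;
        header('Location: /');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

The two-step lookup (service bind, search for the DN, then bind as the user) is what lets people log in with a short username rather than a full DN, and it keeps the username out of DN construction entirely; if the DN is built directly instead, escape the username with LDAP_ESCAPE_DN. Authorization (group membership, Tim's host restrictions) is a separate search done after the bind succeeds, not something the bind result tells you.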



More information about the talk mailing list