OK - but how does this work vis-a-vis AD authentication and groups?
Good question - I only know how to do that via my own auth scripts. I use MediaWiki's LDAP integration for sign in and registration, but I use my own LDAP scripts to retrieve other information.
Here's a script that will retrieve information about a user. In my scripts, I don't need to authorize to retrieve public information - all I need is the application ID given to me by the directory services. This script includes authentication at the end.
<?php
# Matt Hart - PHP-based authentication against the directory
# Tested on Fedora Core 4 with Apache 2.0.54, PHP 4.3.11, OpenLDAP,
# OpenSSL, php-ldap

echo "<br>Attempting Secure LDAP Connection<br>";
$mh_ldaphost = "ldaps://yourdirectoryhost.com:636";
$mh_ldapconn = ldap_connect($mh_ldaphost) or die("Failed");
echo "<br>Succeeded ... Testing app binding<br>";

# Bind using app credentials. No password is passed, so this is an
# unauthenticated bind under the application's DN; the directory permits
# it for reading public attributes.
$mh_appid = "XXXXXXX";                          // ****** Use your application id
$mh_dn = "uid=" . $mh_appid . ",ou=theApps,o=dirIntuit.com";
$mh_bind = ldap_bind($mh_ldapconn, $mh_dn) or die("Failed");
echo "<br>Succeeded ... Get user corp ID<br>";

# Get the user's corporate ID
$mh_base = "ou=employees,ou=people,o=dirIntuit.com";
$mh_userid = "XXXXXXXX";                        // ****** User ID to find
$mh_filter = "(uid=" . $mh_userid . ")";        // escape this value if it comes from a form
$mh_result = ldap_search($mh_ldapconn, $mh_base, $mh_filter) or die("Failed");
$mh_entries = ldap_get_entries($mh_ldapconn, $mh_result);
if ($mh_entries["count"] == 0) die("Failed: no such user");
$mh_corpid = $mh_entries[0]["intuitid"][0];
echo "<br>Succeeded: CorpID=" . $mh_corpid;

# Authenticate the user
echo "<br><br>Authenticating...<br>";
$mh_authdn = "intuitcorpid=" . $mh_corpid . ",ou=employees,ou=people,o=intuit.com";
$mh_authpass = "XXXXXXXX";                      // ****** User password
# An empty password makes ldap_bind() perform an anonymous bind, which
# most servers accept without checking anything, so refuse it up front.
if ($mh_authpass == "") die("Failed: empty password");
$mh_authbind = ldap_bind($mh_ldapconn, $mh_authdn, $mh_authpass) or die("Failed");
die("Success");
?>
- MHart
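The same connect / app-bind / search / user-bind flow as above, written as an added example for use with a login form rather than hard-coded constants. This is not MHart's script: it escapes the user-supplied uid before it goes into the search filter (RFC 4515; a local helper is used because ldap_escape() only exists from PHP 5.6), refuses an empty password so ldap_bind() cannot silently turn into an anonymous bind, requires exactly one matching entry, and binds with the DN the server returned instead of assembling one by string concatenation. The host, the application bind password, the base DN and the attribute name intuitcorpid are placeholders, and the assumption that the application account binds with a password is mine.

```php
<?php
// Added example, not code from the original post. Host, DNs, attribute
// names and the application password below are placeholders.

// Escape a value for use inside an LDAP search filter (RFC 4515).
// Backslash is replaced first so the escapes it produces are not re-escaped.
function mh_filter_escape($value) {
    return str_replace(
        array('\\',   '*',    '(',    ')',    "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Authenticate $userid / $password against the directory.
// Returns the user's corporate ID on success and false on any failure.
function mh_authenticate($ldaphost, $appdn, $apppass, $base, $userid, $password) {
    // ldap_bind() with an empty password performs an anonymous/unauthenticated
    // bind, which many servers accept: it would "log in" anyone. Reject it.
    if ($userid === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($ldaphost);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Bind as the application for the lookup (assumed to use a password).
    if (!@ldap_bind($conn, $appdn, $apppass)) {
        ldap_unbind($conn);
        return false;
    }

    // The uid comes from the login form, so escape it before building the filter.
    $filter = '(uid=' . mh_filter_escape($userid) . ')';
    $result = @ldap_search($conn, $base, $filter, array('intuitcorpid'));
    if (!$result || ldap_count_entries($conn, $result) !== 1) {
        ldap_unbind($conn);          // unknown user, or an ambiguous match
        return false;
    }

    // ldap_get_entries() lowercases attribute names and supplies each entry's
    // DN, so the bind DN comes from the server rather than from concatenation.
    $entries = ldap_get_entries($conn, $result);
    $userdn  = $entries[0]['dn'];
    $corpid  = isset($entries[0]['intuitcorpid'][0]) ? $entries[0]['intuitcorpid'][0] : false;

    // Re-bind as the user: only a correct password lets this succeed.
    $ok = @ldap_bind($conn, $userdn, $password);
    ldap_unbind($conn);
    return $ok ? $corpid : false;
}

// Usage with form input (placeholders for host, DNs and app password).
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$corpid = mh_authenticate(
    'ldaps://yourdirectoryhost.com:636',
    'uid=XXXXXXX,ou=theApps,o=dirIntuit.com', 'app-password',
    'ou=employees,ou=people,o=dirIntuit.com',
    $username, $password
);
echo $corpid === false ? 'Login failed' : 'Login OK, corp ID ' . htmlspecialchars($corpid);
?>
```

If the directory exposes group membership as an attribute on the user entry (Active Directory's memberOf, for instance), add that attribute to the array passed to ldap_search() and read it from the same entry; whether your directory does so is something to check against its schema, not something this example assumes.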