Authenticate to Active Directory Groups

This public forum is for user-to-user discussions of PHPMaker. Note that this is not a support forum.
TomF
User
Posts: 2

Authenticate to Active Directory Groups

Post by TomF »

Hello, a very useful feature to have for a business or enterprise environment is a way to authenticate against Active Directory groups. This can be especially useful in creating corporate Intranets.

For example, let's say you have the following Active Directory security groups:

Human Resources
Finance
Marketing

In building a PHPMaker site for an Intranet, if we could tie authentication to Active Directory groups, we could create an area where Human Resources users can authenticate for purposes of adding records and documents to the "HR" section of the Intranet while Finance and Marketing users get only View access. Likewise, users in Finance can have their own areas and databases for adding and modifying information they need while other groups can have View access or no access at all. Maintaining permissions via Active Directory simplifies so much for the developer, end users (no more need to remember multiple user names and passwords) and system administrators.

Having this feature would provide a solid alternative to SharePoint.

Thanks!


Webmaster
User
Posts: 9427

Post by Webmaster »

If "areas" means "tables", you want User Level Security with Active Directory. Note that:

  1. There is an advanced setting "Authentication mode" (v2017); you can choose "LDAP" to log in. (Active Directory uses LDAP.)

  2. Active Directory does not have info about the tables in your database. As explained in the help file (under the User_CustomValidate server event), you still need the user table to store user information such as User ID and User Level, although the password field value can be empty or any value if you return TRUE. Since you need User Level Security, you also need the User Level table and the User Level Permissions table.

  3. If you need to get additional info from the Active Directory (e.g. the User Level of the user), you can use ldap_* functions in the User_Validated server event (see Server Events and Client Scripts in the help file) and the global variable $EW_LDAP_CONN, which is the result of ldap_connect(). The user name can be retrieved inside the event using $rs["<username>"], where <username> is the user name field name of your user table.

  4. After determining the user level of the user, you can assign the user level to the logged-in user using the LoginUser($userName = NULL, $userID = NULL, $parentUserID = NULL, $userLevel = NULL) method in the User_Validated event, e.g.

$myUserLevel = <based on your additional Active Directory info>;
$this->LoginUser(NULL, NULL, NULL, $myUserLevel);


TomF
User
Posts: 2

Post by TomF »

Apparently my posting was not clear. The feature I am requesting is to tie authentication within PHPMaker to Active Directory GROUPS. If this awesome feature were available, I could easily apply permissions to the site based on groups, not the entire set of Active Directory users. Using your suggestion, all users in AD are authenticated.


Webmaster
User
Posts: 9427

Post by Webmaster »

  1. You can use the User_CustomValidate server event (see Server Events and Client Scripts in the help file) to validate the user in your own way, such as validating the user's group. In that case set "Authentication mode" as empty (not "LDAP").
  2. Alternatively, you can use the User_Validated server event to check the logged-in user's group and assign a user level to the user by LoginUser() as explained above. Note that with User Level Security, users (even logged-in) can only see tables that their user level has permissions to access.
  3. As explained, groups in Windows Active Directory do NOT have any info about the tables in your database. They cannot tell which tables and which pages of a table a user of a particular group can access. There is some business logic, however simple, that only you know and must provide yourself, e.g. by the suggested User_CustomValidate or User_Validated server event. It can't be fully automatic.

tom_f
User
Posts: 6

Post by tom_f »

But is the reverse possible, by polling the "memberof" attribute of all users in Active Directory? If a user has a specific memberof attribute, access can be granted or blocked.

e.g. authenticate.php

<?php
// Initialize session
session_start();

function authenticate($user, $password) {
    if (empty($user) || empty($password)) return false;

    // Active Directory server
    $ldap_host = "server.college.school.edu";

    // Active Directory DN (search base)
    $ldap_dn = "OU=Departments,DC=college,DC=school,DC=edu";

    // Active Directory user group
    $ldap_user_group = "WebUsers";

    // Active Directory manager group
    $ldap_manager_group = "WebManagers";

    // Domain, for purposes of constructing $user
    $ldap_usr_dom = '@college.school.edu';

    // no access until a group match is found
    $access = 0;

    // connect to active directory (AD needs LDAPv3 and referrals disabled)
    $ldap = ldap_connect($ldap_host);
    if (!$ldap) return false;
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // verify user and password
    if ($bind = @ldap_bind($ldap, $user.$ldap_usr_dom, $password)) {
        // valid
        // check presence in groups; escape $user so it cannot alter the filter
        $filter = "(sAMAccountName=".ldap_escape($user, "", LDAP_ESCAPE_FILTER).")";
        $attr = array("memberof");
        $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
        $entries = ldap_get_entries($ldap, $result);
        ldap_unbind($ldap);

        // check groups (ldap_get_entries adds a "count" element, skip it)
        if ($entries["count"] > 0 && isset($entries[0]['memberof'])) {
            foreach ($entries[0]['memberof'] as $key => $grps) {
                if ($key === 'count') continue;

                // is manager, break loop (match the group CN at the start of the DN)
                if (stripos($grps, "CN=".$ldap_manager_group.",") === 0) { $access = 2; break; }

                // is user
                if (stripos($grps, "CN=".$ldap_user_group.",") === 0) $access = 1;
            }
        }

        if ($access != 0) {
            // establish session variables
            $_SESSION['user'] = $user;
            $_SESSION['access'] = $access;
            return true;
        } else {
            // user has no rights
            return false;
        }

    } else {
        // invalid name or password
        return false;
    }
}


Webmaster
User
Posts: 9427

Post by Webmaster »

Webmaster wrote:

  1. You can use User_CustomValidate server event (see Server Events and Client Scripts in the help file) to validate user in your own way such as validating the user's group. In such case set "Authentication mode" as empty (not "LDAP").

The business logic is right in the code you posted yourself; simply use it in the User_CustomValidate server event, e.g.

include("authenticate.php");
return authenticate($usr, $pwd);

That's it.

However, as said, groups in Windows Active Directory do NOT have any info about the tables in your database. They cannot tell which tables and which pages of a table a user of a particular group can access. If you use Advanced Security, you still need the user table to store user information such as User ID and User Level, although the password field value can be empty or any value if you return TRUE.


tom_f
User
Posts: 6

Post by tom_f »

I'm not looking to tie AD groups to tables inside the databases, just the PHP pages. LDAP authentication is already automated into your product. Is there any way that automation can be taken a step further by including AD groups?

Having to manually add code for something that really should be automated isn't going to work for me. Plus, I have more than 50 security groups within Active Directory. I am in a Windows shop that relies heavily on Active Directory for security and having to update code to keep pace with all of the change is not an option.


Webmaster
User
Posts: 9427

Post by Webmaster »

Webmaster wrote:
User_CustomValidate server event, e.g.
include("authenticate.php");
return authenticate($usr, $pwd);

tom_f wrote:
I'm not looking to tie AD groups to tables inside the databases, just the PHP pages.

Then the above solution is exactly what you need. Your function authenticates the AD group.

Webmaster wrote:
There is some business logic, however simple, only yourself know and you must provide yourself, e.g. by the suggested User_CustomValidate or User_Validated server event. It can't be fully automatic.

You do need to write your authentication logic. The bottom line is, how would any program possibly know to which groups you grant access? Not to mention groups may be changing. Using your own function as an example, if you don't write it yourself, how would any program know automatically that you grant access level 2 to the "WebManagers" group and access level 1 to the "WebUsers" group? Please understand that there are too many ways to authenticate a user: AD users may want to check the groups, LDAP users may want to check others. It is not possible to put everything in a form for you to just enable or disable without coding, and that's why the server events are provided.
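
As an added example (not PHPMaker's or either poster's code) that serves both the LoginUser() advice earlier in the thread and the User_CustomValidate suggestion: the group-to-level mapping lives in a table of exact group DNs rather than in the code, the user name is escaped before it goes into the LDAP filter, and the resulting level is handed to LoginUser(). The host, base DN, domain suffix, group DNs and the event signatures are assumptions.

```php
<?php
// Added example, not PHPMaker's or the poster's code: maps exact AD group DNs to
// PHPMaker user levels. Host, base DN, suffix and group DNs are assumed placeholders.

// Group DN => user level. The highest level of any matching group wins.
$AD_GROUP_LEVELS = array(
    'CN=WebUsers,OU=Groups,DC=college,DC=school,DC=edu'    => 1,
    'CN=WebManagers,OU=Groups,DC=college,DC=school,DC=edu' => 2,
);

// Bind as the user, read memberOf, return the highest mapped level (0 = no access).
// memberOf lists direct memberships only; nested groups are not expanded here.
function adGroupLevel($host, $baseDn, $domainSuffix, $user, $password, array $groupLevels) {
    if ($user === '' || $password === '') return 0;
    $ldap = ldap_connect($host);
    if (!$ldap) return 0;
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise break the search
    // The user's own credentials are used for the bind; failure = bad user or password.
    if (!@ldap_bind($ldap, $user . $domainSuffix, $password)) return 0;
    // Escape the user name so it cannot alter the search filter (LDAP injection).
    $filter = '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($ldap, $baseDn, $filter, array('memberof'));
    $entries = $result ? ldap_get_entries($ldap, $result) : array('count' => 0);
    ldap_unbind($ldap);
    if ($entries['count'] < 1 || empty($entries[0]['memberof'])) return 0;
    $level = 0;
    foreach ($entries[0]['memberof'] as $key => $dn) {
        if ($key === 'count') continue; // ldap_get_entries adds a count element
        // Compare whole DNs, case-insensitively; a substring test would also match "WebUsers2".
        foreach ($groupLevels as $groupDn => $groupLevel) {
            if (strcasecmp($dn, $groupDn) === 0 && $groupLevel > $level) $level = $groupLevel;
        }
    }
    return $level;
}

// Wiring into the PHPMaker server events named in the thread (signatures assumed):
// function User_CustomValidate(&$usr, &$pwd) {
//     global $AD_GROUP_LEVELS;
//     $level = adGroupLevel('server.college.school.edu',
//         'OU=Departments,DC=college,DC=school,DC=edu', '@college.school.edu',
//         $usr, $pwd, $AD_GROUP_LEVELS);
//     if ($level === 0) return FALSE;  // wrong password or not in an allowed group
//     $_SESSION['ad_level'] = $level;  // hand the level to User_Validated
//     return TRUE;
// }
// function User_Validated(&$rs) {
//     $this->LoginUser(NULL, NULL, NULL, $_SESSION['ad_level']); // assign user level
// }
```

Adding a new AD group then means adding one row to $AD_GROUP_LEVELS (or to a database table it is loaded from), which the user table's User Level and User Level Permissions records still have to map onto tables and pages.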

