
On different servers, I have applications in PHP and Java (other languages too). I am developing all new applications to use LDAP authentication so I don't have to do any user management, but more importantly, my users would have the same login credentials on all apps on all servers. There is an OpenLDAP server where users are defined.

For Java apps running in Tomcat, JBoss or WebSphere servers, I configured LDAP authentication and use the j_security_check action to authenticate. Users are restricted to different URLs based upon their role membership.

In Java, LDAP groups are mapped to roles. The HttpServletRequest class exposes an isUserInRole() method which I use within servlets to restrict which page sections and actions are available. As an example, the URL security won't let a user who is not in the "finance" role access those pages, and when displaying the menu, I suppress the items from being shown by checking the membership with HttpServletRequest.isUserInRole("finance") so a non-finance member doesn't see them.

In httpd/Apache 4.4 running on Oracle Linux 9.6, I've configured ldap and authnz modules to show a login form. It successfully authenticates with my LDAP server. I can configure the directives in httpd conf files so that people in selected ldap-group may access selected directories.

My question is, is there an isUserInRole method available in PHP to check group membership which is made available by mod_ldap so that I can show/hide items within my pages? Or do I need to connect to LDAP using PHP methods as given in https://www.php.net/manual/en/book.ldap.php ? In Java, the servlets do not need any separate code for LDAP connecting, searching or fetching.

  • Is this a PHP problem or a Java problem? "httpd/Apache 4.4" - how is that related, and which version are you really using? The most recent Apache version is 2.4.something Commented Oct 20 at 7:42
  • I had asked that in Java a facility exists when using LDAP authentication and if something similar was available in PHP running under Apache and using LDAP auth module. The version number was a typo. Commented Oct 21 at 5:40
  • Feel free to add all clarification to your question by editing it Commented Oct 21 at 6:33

1 Answer


There is no such native PHP function, but there is a decent chance that the Apache authentication injects the successfully authenticated group name into the environment where PHP can see it. Add a var_dump($_SERVER); to an existing page that has your authentication and check the output; you might see a variable like AUTHENTICATE_group, in which case you can just refer to $_SERVER['AUTHENTICATE_group'] in your PHP scripts to get the group that the current user matched against.

Otherwise, you'll have to perform a second hit to the LDAP server from PHP, then search and scan the results yourself. There's a decent chance someone has already written a library to do this sort of group search for you. You might check out the docs for symfony/ldap, directorytree/ldaprecord, or laminas/laminas-ldap. If not, it shouldn't be too difficult, something like this:

function isUserInRole(string $user, string $role): bool
{
    $ldap = ldap_connect(...);          // your OpenLDAP server; then ldap_bind() with a read-only account
    $search = ldap_search($ldap, ...);  // filter for just $user; run it through ldap_escape() first
    $result = ldap_get_entries($ldap, $search);
    if ($result['count'] === 0) {
        return false;                   // no such user
    }
    $groups = $result[0]['memberof'] ?? []; // or wherever your groups are
    unset($groups['count']);            // ldap_get_entries() adds a 'count' element to every attribute array
    return in_array($role, $groups, true);
}
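Both approaches from the answer combined into one helper, as an added example that is not part of the original answer. It first looks for the group list that mod_authnz_ldap exports, and only if httpd did not export one does it query OpenLDAP itself. mod_authnz_ldap only exports attributes that are listed in the AuthLDAPURL attribute list, so the Apache side is assumed to be configured like

    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid,memberOf?sub?(objectClass=inetOrgPerson)"

which makes the user's memberOf values available to PHP as $_SERVER['AUTHENTICATE_MEMBEROF'] (the exact variable name casing and the "; " separator used for multi-valued attributes are assumptions; var_dump($_SERVER) shows what your httpd actually exports). Further assumptions: REMOTE_USER holds the plain uid (AuthLDAPRemoteUserIsDN is off), roles are groupOfNames entries under ou=groups,dc=example,dc=com, and the memberOf overlay may or may not be enabled on OpenLDAP. All DNs, hostnames and environment variable names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical deployment values: replace with your own.
const LDAP_URI    = 'ldap://ldap.example.com';
const PEOPLE_BASE = 'ou=people,dc=example,dc=com';
const GROUP_BASE  = 'ou=groups,dc=example,dc=com';

/** DN of the group that represents a role, e.g. "finance" -> cn=finance,ou=groups,... */
function roleDn(string $role): string
{
    return 'cn=' . ldap_escape($role, '', LDAP_ESCAPE_DN) . ',' . GROUP_BASE;
}

/**
 * Group DNs exported by mod_authnz_ldap, or null if httpd exported none.
 * Only attributes listed in AuthLDAPURL are exported, as AUTHENTICATE_<attribute>;
 * the name is matched case-insensitively here to be safe.
 * Assumption: multi-valued attributes arrive as one string joined with "; ".
 */
function groupsFromApache(array $server): ?array
{
    foreach ($server as $name => $value) {
        if (strcasecmp($name, 'AUTHENTICATE_MEMBEROF') === 0 && is_string($value) && $value !== '') {
            return array_map('trim', explode(';', $value));
        }
    }
    return null;
}

/**
 * Fallback: ask OpenLDAP directly with a read-only service account whose
 * credentials come from the process environment, never from the request.
 */
function groupsFromLdap(string $uid): array
{
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return [];
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // STARTTLS so the bind password and the group list do not cross the network in clear.
    if (!@ldap_start_tls($ldap)
        || !@ldap_bind($ldap, getenv('LDAP_BIND_DN') ?: null, getenv('LDAP_BIND_PW') ?: null)) {
        return [];
    }

    // ldap_escape() keeps a crafted username from rewriting the filter.
    $filter  = '(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
    $res     = ldap_search($ldap, PEOPLE_BASE, $filter, ['memberOf']);
    $entries = $res ? ldap_get_entries($ldap, $res) : ['count' => 0];
    if ($entries['count'] !== 1) {
        ldap_unbind($ldap);
        return [];                       // unknown or ambiguous user: deny
    }
    $userDn = $entries[0]['dn'];
    $groups = $entries[0]['memberof'] ?? ['count' => 0]; // attribute names come back lowercased
    unset($groups['count']);

    if ($groups === []) {
        // No memberOf overlay: ask the groups which of them list this user as a member.
        $filter  = '(&(objectClass=groupOfNames)(member=' . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . '))';
        $res     = ldap_search($ldap, GROUP_BASE, $filter, ['cn']);
        $entries = $res ? ldap_get_entries($ldap, $res) : ['count' => 0];
        for ($i = 0; $i < $entries['count']; $i++) {
            $groups[] = $entries[$i]['dn'];
        }
    }
    ldap_unbind($ldap);
    return array_values($groups);
}

/**
 * PHP counterpart of HttpServletRequest.isUserInRole(): true when the user httpd
 * authenticated (REMOTE_USER) belongs to the group that represents $role.
 * Use it for show/hide only; keep the actual access control in httpd's Require ldap-group.
 */
function isUserInRole(string $role, ?array $server = null): bool
{
    $server = $server ?? $_SERVER;
    $user   = $server['REMOTE_USER'] ?? '';
    if ($user === '') {
        return false;                    // httpd did not authenticate this request
    }
    $groups = groupsFromApache($server) ?? groupsFromLdap($user);
    $want   = strtolower(roleDn($role));
    foreach ($groups as $dn) {
        // Approximation: DNs are compared case-insensitively; full RFC 4517 matching would normalise more.
        if (strtolower(trim($dn)) === $want) {
            return true;
        }
    }
    return false;
}
```

In a template this is then used the same way as the Java check, for example `<?php if (isUserInRole('finance')): ?>` around the finance menu items. Two points matter for security: REMOTE_USER and the AUTHENTICATE_* variables are set by httpd after a successful bind, not copied from request headers the way HTTP_* variables are, so they can be trusted as far as the httpd configuration can; and hiding a menu entry is cosmetic, so every finance URL still needs its own `Require ldap-group` in httpd.conf, just as the Java URL security constraints do the enforcing there.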

2 Comments

I think the authenticate_group populates only if the ldap-group is set in the URL's protection, as I don't see it. Yes, I've used the PHP LDAP functions previously, so shall go with them.
