Php – How to get LDAP to pass the currently logged-in user’s credentials to a local Apache server

apache-2.4ldapPHPwindows 7

I'm trying to get SSO (single-sign on) working on a local osTicket installation. I found the HTTP passthru plugin on the osTicket website and have installed it in osTicket. I've made sure the plugin is working by making sure I have access to the plugin settings. So what should happen, as I understand it, is that the user's credentials is read from Windows and then passed directly into osTicket so that the user is automatically logged in. Please correct me if I'm wrong about how the plugin should work. I also made sure that the LDAP plugin is working and installed in osTicket. I did some research on why the automatic login was not working, and realized that HTTP authentication was not the same as Windows AD authentication. I looked up SSPI, Kerberos, and more to see if I could get Windows credentials to the Apache server and assumed that the LDAP module should be able to get those credentials. Again, please correct me if I'm wrong about how the LDAP module works. Eventually, I just nuked my XAMPP install and started over with a WAMP installation. Got LDAP working on that and now I'm trying to find a way to get credentials to Apache. I've written a simple script that is supposed to echo the currently logged in user.

<?php
$user = $_SERVER['REMOTE_USER'];
?>
<html>
<body>
<?php echo $user;?>
</body>
</html>

However, when I run this script I get the following error.

( ! ) Notice: Undefined index: REMOTE_USER in C:\wamp\www\servertest.php on line 2

This tells me that the superglobal for $_SERVER is not getting Windows credentials for the currently connected user. How can I fill in this superglobal array with Windows credentials? Are there any configuration options that need to be added to my HTTPD.conf?

Best Answer

you need to configure your wamp installation for ldap and/or kerberos authentication and those variables will be available to your php scripts.

For Apache 2.2 (most commonly found today): http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

For Apache 2.4: http://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

If you require single sign on, then you will need to configure mod_kerberos as well. I have never used xampp or wamp so I have no idea if they have mod_kerberos.

If you want something that just works without having to learn how it works, then you can install IIS as you are running Windows anyway. A non home modern version of Windows desktop will allow to run it with some restrictions on the number of simultaneous connections, whereas a server version will not have that limitation.

Related Solutions

Ldap – Apache LDAP authentication (mod_auth_ldap) on MacOS Server (10.5)

Good luck using apsx to build mod_authnz_ldap against Apple's httpd.

tar -xzf httpd-2.2.15.tar.gz 
cd httpd-2.2.15
cd modules/aaa
/usr/sbin/apxs -cia mod_authnz_ldap.c

mod_authnz_ldap.c:41:2: error: #error mod_authnz_ldap requires APR-util to have LDAP support built in.
...

But you can build your own httpd with ldap without much effort.

tar -xzf httpd-2.2.15.tar.gz 
cd httpd-2.2.15
./configure --prefix=/usr/local/apache2 --enable-mods-shared=all --enable-ldap --enable-authnz-ldap --enable-ssl --with-included-apr --with-ldap 
make; make test; make install

Disable Apple's httpd in Server Admin and create your own launchd plist.

sudo cp -p /System/Library/LaunchDaemons/org.apache.httpd.plist /System/Library/LaunchDaemons/your_domain_name.httpd.plist

Edit your plist to point to your httpd (replace /usr/sbin/httpd with /usr/local/apache2/bin/httpd) and change the Label.

Update /usr/local/apache2/bin/apachectl to use launchd as per this patch:

--- /usr/local/apache2/bin/apachectl    2009-04-01 09:56:16.000000000 -0700
+++ apachectl               2009-04-02 20:30:33.000000000 -0700
@@ -65,6 +65,9 @@
 # --------------------                              --------------------
 # ||||||||||||||||||||   END CONFIGURATION SECTION  ||||||||||||||||||||

+LAUNCHCTL="/bin/launchctl"
+LAUNCHD_JOB="/Library/LaunchDaemons/your_domain_name.httpd.plist"
+
 # Set the maximum number of file descriptors allowed per child process.
 if [ "x$ULIMIT_MAX_FILES" != "x" ] ; then
     $ULIMIT_MAX_FILES
@@ -76,8 +79,17 @@
 fi

 case $ARGV in
-start|stop|restart|graceful|graceful-stop)
-    $HTTPD -k $ARGV
+start)
+    $LAUNCHCTL load -w $LAUNCHD_JOB
+    ERROR=$?
+    ;;
+stop|graceful-stop)
+    $LAUNCHCTL unload -w $LAUNCHD_JOB
+    ERROR=$?
+    ;;
+restart|graceful)
+    $LAUNCHCTL unload -w $LAUNCHD_JOB 2> /dev/null
+    $LAUNCHCTL load -w $LAUNCHD_JOB
     ERROR=$?
     ;;
 startssl|sslstart|start-SSL)

No, you will not be able to use Apple Server Admin to configure and administer your httpd. But Server Admin cannot provide a GUI that encompasses all of httpd's configuration options anyway. Add /usr/local/apache2/bin to your PATH (or always specify full paths). Configure and test httpd, and load it via launchctl:

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
AuthType Basic
AuthName "Your Network"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.your_domain_name/dc=xxx,dc=yyy
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberuid
Require valid-user
# Require ldap-group cn=accounting,cn=groups,dc= xxx,dc=yyy
Satisfy any

/usr/local/apache2/bin/apachectl -S

sudo launchctl load -w /Library/LaunchDaemons/your.domain_name.httpd.plist

http://www.opensource.apple.com/ and http://www.macports.org/ are good sources for hints on how to compile open source software for OSX.

Ldap – Apache, Trac and LDAP – how to glue them all together

If you need to test your "Apache+LDAP+Trac" binding, you don't need to run standalone bin/tracd.

First try to use Apache LDAP authentification with Trac without LdapPlugin(it just adds ability to manage trac permissions for LDAP groups). You should configure authentifacation on /trac/login location, and Trac will automatically get authentificated user name. Look here: TracModWSGI - ConfiguringAuthentication This works fine in my setup(Debian Squeeze, Trac 0.12). So just remove all your modifications from from trac.ini.

When you will get working authentification, you may start configuring LdapPlugin.

WSGI is IMHO best way to run python application on Apache, it's fast and simple.

Best Answer

Related Solutions

Ldap – Apache LDAP authentication (mod_auth_ldap) on MacOS Server (10.5)

Ldap – Apache, Trac and LDAP – how to glue them all together

Related Topic