How can I do pass-through authorization by username from AD LDAP? As an idea, you can start in IE and get the name there, but I would like cross-browser compatibility.

As I understand it, PHP is powerless here. Does this have to be done in ASP?

How can this be implemented? I.e., the user enters the internal portal, I get his username from AD, and if he is in the database, he is let through.

  • It is not quite clear what is meant by pass-through authorization. Does the user enter the password from his AD account? - Ella Svetlaya
  • And PHP can work with LDAP too. - Ella Svetlaya
  • And how do you get the current user? - des1roer
  • And how does a user log in? He has to enter at least something, even a login and password ... so we check them in LDAP. Or I did not understand the question ... We have all the students in Moodle (PHP) included ... - Ella Svetlaya
  • Or do you need the web application to get the data of a user authorized in the operating system on a domain PC? It is not clear from your question ... - Ella Svetlaya

2 answers

If I understood the question correctly: you need to get the name of the current user authorized in the domain PC operating system.

If the PHP application is installed on IIS, then this is done via the AUTH_USER variable. Checked: it works in IE, Chrome and Firefox. Here is my verification code:

    <?php echo $_SERVER['AUTH_USER']; ?>

As a result, I get the username in the form: MYDOMAIN\user.name

There is only one BUT! For this solution to really work, you will have to abandon any other type of authentication on the site (that is, only through AD).

Here's what you need to do in IIS: in the authentication settings (Authentication), enable (Enable) "Windows Authentication" and be sure (!) to disable anonymous access (Anonymous Authentication).

It will work immediately in IE and Chrome; for Firefox you will first need to install this add-on and add the site to the trusted list: https://addons.mozilla.org/ru/firefox/addon/integrated-auth-for-firefox/

\ldap_auth\ldap_auth\index.aspx.cs

Pretty dirty, however.

myIdentity.Name will give the name from AD LDAP.

On the PHP side you can do the name processing.

    using System;
    using System.Security.Principal;
    using System.Text;

    namespace ldap_auth
    {
        public partial class index : System.Web.UI.Page
        {
            protected void SimpleAuth()
            {
                // Identity the page code is running as
                WindowsIdentity myIdentity = WindowsIdentity.GetCurrent();
                string identName = myIdentity.Name;
                string URI = "http://techbase.ru/mining";

                // Emit a self-submitting form that forwards the name to the PHP side
                Response.Clear();
                StringBuilder sb = new StringBuilder();
                sb.Append("<html>");
                sb.AppendFormat(@"<body onload='document.forms[""form""].submit()'>");
                sb.AppendFormat("<form name='form' action='{0}' method='get'>", URI);
                sb.AppendFormat("<input type='hidden' name='id' value='{0}'>", identName);
                // Other params go here
                sb.Append("</form>");
                sb.Append("</body>");
                sb.Append("</html>");
                Response.Write(sb.ToString());
                Response.End();
            }

            protected void Page_Load(object sender, EventArgs e)
            {
                SimpleAuth();
            }
        }
    }

    • That is, anyone can make a POST request with any username at the address you specified - and log in with his name? - Pavel Mayorov
    • Do you understand that you have discovered a huge hole in your site? - Pavel Mayorov
    • I'm not saying that this is ideal, but the user got into the account. So there is authorization. - des1roer
    • Authorization is when the user cannot get into someone else's account - Pavel Mayorov
    • But he cannot. He doesn't know the password for someone else's account. - des1roer
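
The comments above turn on whether the portal can trust the `id` parameter it receives. As an added example (not code from the thread), one way to make the forwarded name verifiable is for the Windows-authenticated page to attach an expiry and an HMAC that the PHP portal checks; both sides are shown in PHP here, and the key, TTL and function names are assumptions.

```php
<?php
// Added example: the shared key, TTL and function names are assumptions, not from the thread.
const HANDOFF_KEY = 'replace-with-random-key-from-a-secret-store'; // placeholder value
const HANDOFF_TTL = 30; // seconds a handoff stays valid

// Issuer side (the page behind Windows Authentication):
// bind the user name and an expiry time together with an HMAC tag.
function issue_handoff(string $user, int $now): array
{
    $exp = $now + HANDOFF_TTL;
    $sig = hash_hmac('sha256', $user . "\n" . $exp, HANDOFF_KEY);
    return ['id' => $user, 'exp' => (string)$exp, 'sig' => $sig];
}

// Receiver side (the PHP portal): return the user name only if the tag verifies.
function verify_handoff(array $q, int $now): ?string
{
    foreach (['id', 'exp', 'sig'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return null;            // missing or array-valued parameter
        }
    }
    if (!ctype_digit($q['exp']) || (int)$q['exp'] < $now) {
        return null;                // malformed or expired
    }
    $expected = hash_hmac('sha256', $q['id'] . "\n" . $q['exp'], HANDOFF_KEY);
    if (!hash_equals($expected, $q['sig'])) {
        return null;                // id or exp was altered, or the tag was made up
    }
    return $q['id'];
}

// Constructed sample requests (in the portal, $q would be $_GET).
$now    = 1700000000;
$good   = issue_handoff('MYDOMAIN\\user.name', $now);
$forged = ['id' => 'MYDOMAIN\\other.user', 'exp' => $good['exp'], 'sig' => $good['sig']];

var_dump(verify_handoff($good, $now + 5));    // unmodified handoff
var_dump(verify_handoff($forged, $now + 5));  // id swapped, tag reused
var_dump(verify_handoff($good, $now + 60));   // presented after expiry
```

A handoff can still be replayed until it expires, so the portal should start its own session on the first successful check and keep the TTL short.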