open ldap authentication without redundant log-in



Hi folks,

I've been searching for a while and haven't found my specific question
anywhere else. If this has already been asked, please accept my
apologies and point me to the appropriate thread.

I'm bidding on a PHP intranet development contract. One of the specific
requirements is that the app interface with the company's existing Open
LDAP server for user authentication.

On-site users log in to their terminals via the LDAP server. Remote
users VPN via the LDAP server. Either way, the company uses one LDAP
server to control all IT access points, not just their intranet.

I'm new to LDAP. Based on what I've read so far, I'm 100% certain I
could build an authentication mechanism that uses an existing set of
LDAP users (or use the Apache mod_ldap_auth to require a valid user).

However, the client doesn't want a redundant log-in. They want to log
into their terminals in the morning. Then, when it comes time to use
the intranet, they want it to recognize that they've already logged in,
ascertain which group they belong to, and return only the appropriate

I'm not sure I can do this. It would seem, based on my fractured
understanding of it, that any LDAP bind requires already knowing the

The Apache mod_ldap_auth seems promising, but will it see that the
person is logged into the system and count that as a valid user? If so,
how can I tell which group the valid user belongs to for variable

My previous authentication has always been with MySQL and session
variables so I'm clueless. Can someone please shed some light or point
me in the right direction?


Re: open ldap authentication without redundant log-in
LDAP authentication isn't too hard to get working with Apache (I've just
done that this morning in fact, Linux/Apache authenticating against
Active Directory no less!). Not too hard within PHP either.

The trouble you will have, I think, is the requirement for not having a
redundant login. It "may" be possible using IIS and IE but I wouldn't
know, I won't support them ;-)  As far as I know, when you first fire up
the browser and point it at your web server the web server has no way of
knowing who that user is. So they will need to re-authenticate (after
which they will be known under REMOTE_USER).

Personally I don't think what they are asking for is a good idea at all.
You should always re-authenticate across applications. What's to stop a
user logging on to their terminal then walking away, allowing anyone to
access anything under their account?

Hope that helps?


Re: open ldap authentication without redundant log-in

Thanks for confirming my suspicions, Sacs.

At the onset, I advised against carrying the log-in across apps. They
either don't believe any of _their_ employees are immoral enough to
attempt hijacking another's log-in, or they're just lazy enough to
disregard the risk.

They're very anti-Micro$oft, so if I can find some reputable sources
showing either that this can't be done with a Linux Apache, as I
believe you suggest, or that it's excessively stupid, as we all know it
is, I can sway them.

Anyone know any great articles out there that might help my case? I
need some ammunition against another bidding developer saying "oh,
yeah, I can do it and it's no security issue at all."

Thanks again,



Re: open ldap authentication without redundant log-in

It's not just their employees, it's the cleaner, someone at reception
while the receptionist is getting the CEO more coffee, the mailroom
clerk's kid...
"...dishonest and disgruntled employees top the list at about 80% as the
most likely source of attack"

"Most security breaches do not originate from external hackers, viruses
or worms, but from employees who, according to Gartner, commit more than
70% of unauthorised access to information systems. They are responsible
for more than 95% of intrusions"

At least THAT's a good start ;-)


That'd be the bidder suggesting an ActiveX control probably, no security
problems there. *cough*


Good luck, Dan!



Re: open ldap authentication without redundant log-in

Good stuff, Sacs.

Thanks a bunch,


Re: open ldap authentication without redundant log-in


It's not just LDAP - it's basic authentication with any web app.

When the user tries to access a restricted page, the web server (Apache
or IIS) sends an authentication header to the browser (the communication
is stateless - so the server doesn't know who's trying to access it).

The browser responds with the appropriate userid and password.  But
there's one problem: the browser was just started, so it doesn't know
what the userid and password are.  This was handled by another
application (the LDAP server login).

So, the browser (IE, NS, FF, whatever) has to ask the user for the
userid and password.  The user types them in; from then on any request
from this site will get the userid and password just entered.  But there
is no way to get this info from the LDAP signon app.

About the only way you could do this is to have access to the web server
itself protected by LDAP - i.e. behind a firewall controlled by LDAP or
something similar.  This is beyond my knowledge of LDAP.

But it can't be done with the web server and browser.


To reply, delete the 'x' from my email
Jerry Stuckle,
JDS Computer Training Corp.
Member of Independent Computer Consultants Association -
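Putting the two technical halves of this thread together, the HTTP Basic challenge/response Jerry describes and the LDAP bind plus group lookup the original poster needs, the following PHP is an added example written for this page; it is not code from anyone in the thread. The LDAP host, the directory layout (users as `uid=<name>` under `ou=people`, groups as `groupOfNames` under `ou=groups`), the group names, and the assumption that a bound user is allowed to read group entries are all placeholders for illustration.

```php
<?php
// Added illustration, not code from the thread. It handles the HTTP Basic
// challenge/response described above, verifies the credentials with an LDAP
// bind, and reads the user's groups so the page can branch on them.
// Assumptions (not from the thread): the LDAP host, the DIT layout below,
// users stored as uid=<name> under ou=people, groups as groupOfNames under
// ou=groups, and an ACL that lets a bound user read group entries.
declare(strict_types=1);

const LDAP_URI  = 'ldaps://ldap.example.internal';     // assumed host, TLS
const PEOPLE_DN = 'ou=people,dc=example,dc=internal';  // assumed user subtree
const GROUPS_DN = 'ou=groups,dc=example,dc=internal';  // assumed group subtree

// Send the 401 challenge. HTTP is stateless: until the browser answers with an
// Authorization header, the server has no idea who is on the other end.
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="Intranet"');
    http_response_code(401);
    exit('Authentication required');
}

// Bind as the user to verify the password, then collect the cn of every
// group that lists the user's DN as a member. Returns null if login fails.
function ldapLogin(string $uid, string $password): ?array
{
    // An empty password makes OpenLDAP perform an anonymous bind, which
    // succeeds; it must never count as a login. Keep uids to a safe charset.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $uid)) {
        return null;
    }

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Escape the uid before placing it in a DN so a crafted name cannot
    // change which entry we bind as.
    $userDn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . PEOPLE_DN;

    // A wrong password makes ldap_bind return false (and emit a warning,
    // hence the @); that bind is the whole password check.
    if (!@ldap_bind($ldap, $userDn, $password)) {
        ldap_unbind($ldap);
        return null;
    }

    // Group lookup: the DN goes into a search filter, so use filter escaping.
    $filter = '(&(objectClass=groupOfNames)(member='
            . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . '))';
    $groups = [];
    $result = ldap_search($ldap, GROUPS_DN, $filter, ['cn']);
    if ($result !== false) {
        $entries = ldap_get_entries($ldap, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $groups[] = $entries[$i]['cn'][0];
        }
    }
    ldap_unbind($ldap);

    return ['dn' => $userDn, 'groups' => $groups];
}

session_start();

if (!isset($_SESSION['uid'])) {
    // No Authorization header yet: this is the point in the thread where the
    // browser "doesn't know" the credentials and has to ask the user.
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        challenge();
    }
    $login = ldapLogin($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    if ($login === null) {
        challenge();   // bad credentials: re-challenge, same as a fresh visit
    }
    // Verified: keep identity and groups in the server-side session so later
    // requests do not rebind on every hit. Rotate the session id on login.
    session_regenerate_id(true);
    $_SESSION['uid']    = $_SERVER['PHP_AUTH_USER'];
    $_SESSION['groups'] = $login['groups'];
}

// Branch on group membership, which is what the original poster needed.
$groups = $_SESSION['groups'];
if (in_array('intranet-admins', $groups, true)) {      // assumed group name
    echo 'Admin view for ', htmlspecialchars($_SESSION['uid']);
} elseif (in_array('staff', $groups, true)) {          // assumed group name
    echo 'Staff view for ', htmlspecialchars($_SESSION['uid']);
} else {
    http_response_code(403);
    exit('Authenticated, but not a member of any intranet group');
}
```

Two design points worth noting. First, the credentials are checked by binding as the user rather than by a service account comparing password attributes, so the directory's own password policy applies; the explicit empty-password check matters because OpenLDAP treats a bind with an empty password as anonymous and reports success. Second, because the group list is cached in the session, a membership change is only seen at the next login; if that is unacceptable, drop the session cache and let the browser's per-request Basic credentials drive a fresh bind each time, which is also what Apache's LDAP module does for you at the server level before handing the name to PHP as `REMOTE_USER`.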
