Using ActiveDirectory to identify the users

Last edited by AndreasHeintze:
Modified links pointing to docs server
Mon, 28 Jan 2008 00:13 UTC [diff]


A solution

Using wikka as an Intranet knowledge management system, I don't want my user to signin in wikka because they already are known since they signed when booting their computer. However, we want to secure some pages through ACLs and we want to keep track of the modifications...
So here is a quick and dirty solution that works but still as a prototype and it is only checking the computer name for now.

Prerequisites

You must allow php_ldap

The code


1) Add a new field in the users database:

ALTER TABLE `wikka_users` ADD `alias` VARCHAR(75) NOT NULL


1) Add the following code in wikka.config.php

"user_identification" => "active_directory",


1) in wikka.php, just after:
Shouldn't it be Wakka.class.php now??? /AndreasHeintze

    // THE BIG EVIL NASTY ONE!
    function Run($tag, $method = "")
    {
        // do our stuff!
        if (!$this->method = trim($method)) $this->method = "show";
        if (!$this->tag = trim($tag)) $this->Redirect($this->Href("", $this->config["root_page"]));


Add the following code:

        // Check if active_directory is on and Active Directory user known
        if (($this->config["user_identification"]=="active_directory") && (!$this->GetUser()))
        {
            $idAD = $this->GetUserName();
            $sql = "SELECT name"
                . " FROM ".$this->config["table_prefix"]."users"
                . " WHERE alias = '"
                . mysql_real_escape_string($idAD)
                . "' limit 1";
            $hisname = $this->LoadSingle($sql);
            if ($hisname) {
                $this->SetUser($this->LoadUser($hisname["name"]));
            }
        }




How to use it?

The current system of registration will still work for the users out of the ActiveDirectory with no alias in the users database . The capabilities can be set off by putting "user_identification" => "wikka" (default value) in the wikka.config.php.
First, the users have to be somehow created (I would expect this do be done through a batch import of an ActiveDirectory). To test it quickly, simply fill the alias field with your computer name alias and its done. You will not have to sign again and the system will recognise your machine.

To Do

Deliver a way to feed the users database with an export from an ActiveDirectory (it is easy).
Identify the ActiveDirectory ID of the user (not only the computer).


CategoryUserContributions
Comments [Hide comments]
Comment by IanHayhurst
2005-02-18 15:43:14
please do ! (hate AD as I do ) It's just the sort of thing that get's this into corporate intranets Cheers Ian
2005-02-18 17:10:32
Excellent idea; does someone have any thoughts on the other way around?

I would like to restrict (http-) access to my Wikka-site by integrating tttp-auth with the wikka_user credentials.

Thanks for your comment,
- Mark
Comment by IanHayhurst
2005-11-15 17:13:53
The Computer name only was a big problem for us, as on multiuser machines you went in at the user that first registered, We got round it by installing The Vintella mod_auth vas and VAS software, but due to ticket sizes (apparently) it only seems to work with firefox (no problem for me but lots of IE users in the company). Trying the Open Source AD module for apache next now the server has an AD ticket... There maybe also be some mileage in doing an netbios lookup with the IP and finding the use, then getting details in LDAP lookup on the AD... could only work in a corporate environment
Valid XHTML :: Valid CSS: :: Powered by WikkaWiki