
Authentication

Status
Not open for further replies.

digatle

Technical User | Joined: Oct 31, 2003 | Messages: 85 | Location: US
What is the best way to code a website for authentication based on privileges? Like pages that some people can see and some can't. What direction should I look at?

Digatle
 
If your users are already stored in a database and need to log in to the website, then simply add a foreign key field to your user table that refers to the privileges table (which you might need to create, if it doesn't already exist). In the privileges table you would store the different levels of access, i.e. 'Guest', 'User', 'Admin'.

Then in your navigation system, you do a check on what privileges the user has, and build the menu accordingly.

I think that's what you're looking for?

Take Care,
Mike
 
I'm trying to get a feel for the right way of addressing the whole authentication issue. We don't have a database per se; rather we're wanting to use Active Directory to accomplish it. We currently have a script that will enable us to get the user's information (pasted below); however, trying to get the right fields and such will be very much a daunting task for us.

What I'm trying to figure out is more or less: should we do a routine that says "If logged in continue, else make them log in"? Or put the authentication based on the particular pages you visit, and if so lock it down how?

This is simply a starting point to a long journey.

Digatle
 
Best way (if the site is high volume) is to use table-based authentication... create a db table like users

User_table
userID
UserName
Userpass
UserAuthLevel
//other fields as required (like email etc)

The UserAuthLevel is set when the user signs up, usually with a default level of 0 or 1 to indicate basic access to the regular site pages.

Then with a separate ChangeAuth.php page, you could then grant the user higher levels of access
2 = forum mod access - move stuff, delete posts etc
3 = admin level - change/add pages etc
4 = superuser - control over all functions of site, bring down or start DB etc

For those pages that are protected, the script checks the UserAuthLevel for the appropriate values and then gives the user access to those functions.

Bastien

Any one have a techie job in Toronto, I need to work...being laid off sucks!
 
ah! the active directory issue :) I've been there before. There are methods to do this using LDAP. Check out this thread: thread774-356151

Take Care,
Mike
 
Is there a way to do the same thing but using Active Directory? Here's the script I said was below (oops)

<?php
$ldap_host = "dnsdhcp1";
$ldap_port = 389; // was never defined in the original; 389 is the default LDAP port
$base_dn = "DC=TFCU,DC=org";
// Escape the user-supplied name so it cannot change the meaning of the search filter
$uname = isset($_GET['uname']) ? $_GET['uname'] : '';
$filter = "(samaccountname=" . ldap_escape($uname, "", LDAP_ESCAPE_FILTER) . ")";
//$ldap_user = "CN=Joe User,OU=Sales,DC=php,DC=net";
$ldap_user = "TFCU\\administrator"; // account used for the search bind
$ldap_pass = "focus";
$connect = ldap_connect("ldap://" . $ldap_host . ":" . $ldap_port)
    or exit(">>Could not connect to LDAP server<<");
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($connect, $ldap_user, $ldap_pass)
    or exit(">>Could not bind to $ldap_host<<");
$read = ldap_search($connect, $base_dn, $filter)
    or exit(">>Unable to search ldap server<<");
$info = ldap_get_entries($connect, $read);
echo $info["count"] . " entries returned<p>";
// Print each attribute name of the first entry with its first value, HTML-escaped
if ($info["count"] > 0) {
    for ($ii = 0; $ii < $info[0]["count"]; $ii++) {
        $data = $info[0][$ii];
        echo htmlspecialchars($data) . ":&nbsp;&nbsp;" . htmlspecialchars($info[0][$data][0]) . "<br>";
    }
}
ldap_close($connect);
?>

Basically you goto and you get all the information about my name from Active Directory. Works like a champ.

However, this whole authentication issue arises really when it comes to what they have permission to. Should something like a $rights variable be defined? So like if it's a common page everyone can come to, make $rights = all, and then when it comes to division pages say $rights = br36, where if their userID has a CN=br36 in it they can see the page.

Digatle
 
I think you're on the right track. If you add another field to the active directory which defines the user's role, then you could authenticate against that.

Take Care,
Mike
 
Oops, just noticed that the other thread was in ASP, and not in PHP. Sorry :(

Take Care,
Mike
 
This is PHP not ASP. The user's role would come from the memberof: CN= value. But see, we obviously have people with multiple CN values because they have access to multiple parts of the site.

Obviously later down the road we're going to have to figure out how to actually get the value "memberof" and the CN= values (multiple) into an array because of the multiple access to different areas issue.

I'm more looking now into figuring out how in PHP we should code this whole process, rather as an include and fail or something else.

Digatle
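
The two open questions in this thread, getting the multiple memberof CN= values into an array and gating pages from an include with a per-page $rights value, can be sketched as follows. This is an added example, not code from any poster; the function names, the /login.php path and the OU names in the sample entry are assumptions.

```php
<?php
/** Return the lower-cased CN of every group DN in an entry's memberof attribute. */
function group_cns(array $entry): array
{
    $groups = $entry['memberof'] ?? [];   // ldap_get_entries() lower-cases attribute names
    unset($groups['count']);              // ...and adds a "count" element to each value list
    $cns = [];
    foreach ($groups as $dn) {
        $rdns = ldap_explode_dn($dn, 0);  // 0 = keep the "CN=" prefix on each RDN
        if (isset($rdns[0]) && stripos($rdns[0], 'CN=') === 0) {
            $cns[] = strtolower(substr($rdns[0], 3));
        }
    }
    return array_values(array_unique($cns));
}

/** $rights is the string 'all' or a list of group CNs allowed to view the page. */
function may_view($rights, array $userGroups): bool
{
    if ($rights === 'all') {
        return true;
    }
    $allowed = array_map('strtolower', (array) $rights);
    return count(array_intersect($allowed, $userGroups)) > 0;
}

/** Gate for the top of a protected page (hypothetical helper); fails closed. */
function require_rights($rights): void
{
    if ($rights === 'all') {
        return;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['groups'])) {    // nobody logged in: send to login
        header('Location: /login.php');   // hypothetical login page
        exit;
    }
    if (!may_view($rights, $_SESSION['groups'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed entry in the shape ldap_get_entries() returns for one user.
$entry = ['memberof' => ['count' => 2,
    'CN=br36,OU=Branches,DC=TFCU,DC=org', 'CN=Web Editors,OU=Groups,DC=TFCU,DC=org']];
var_dump(group_cns($entry), may_view(['br36'], group_cns($entry)));
```

At login, store `group_cns($info[0])` in `$_SESSION['groups']`, then call `require_rights(['br36'])` at the top of each division page. Active Directory's memberOf attribute lists only direct group memberships and omits the user's primary group, so nested groups need a separate lookup.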
 