0
votes

I have several web applications developed using PHP and would like to set these up to allow user authentication through Active Directory (specifically so that users can authenticate using their domain credentials).

I am able to use LDAP to authenticate the user to a group that I have created, but am unsure how I can assign user permissions for the application. In the attributes for my group I noticed a field called "controlAccessRights" which looks like it uses these permissions - do I just need to assign one of these values to the group?

Can anyone provide me with any information on what the best way to assign permissions would be?

Thanks.

1 Answer

2
votes

The way I have done it in the past is to use group membership to dictate permissions. You can do a search for the memberOf attribute of each user:

(&(objectClass=user)(memberOf=CN=example_group,OU=Groups,DC=example,DC=com))

Then in your code, you would have an if statement to determine what access rights are necessary based on what group they are a member of.

This may be a bit more readable than using the controlAccessRights attribute. You could have a "Web_Admin" group, etc.

Of course there are other ways; I have just found it easy to use groups for website permissions since they are more visible.
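
The group-to-permission check described in the answer above, as an added PHP example that is not part of the original answer. The group DNs, the permission names, the `permissionsFor()` and `can()` helpers and the sample entry are all constructed for illustration; the entry is shaped like one element of `ldap_get_entries()` output, and the check compares the full group DN and grants nothing for unknown groups.

```php
<?php
// Constructed mapping: full group DN => permissions granted by that group.
// DNs and permission names are placeholders for illustration.
const GROUP_PERMISSIONS = [
    'CN=Web_Admin,OU=Groups,DC=example,DC=com'  => ['view', 'edit', 'admin'],
    'CN=Web_Editor,OU=Groups,DC=example,DC=com' => ['view', 'edit'],
    'CN=Web_User,OU=Groups,DC=example,DC=com'   => ['view'],
];

// Turn one ldap_get_entries() entry into a list of permissions.
// Groups that are not in the mapping grant nothing (deny by default).
function permissionsFor(array $entry): array
{
    // ldap_get_entries() lowercases attribute names and adds a 'count' key.
    $groups = $entry['memberof'] ?? [];
    unset($groups['count']);

    // DN comparison is case-insensitive: normalise both sides, then match
    // the whole DN so a same-named group in another OU is not accepted.
    $known = array_change_key_case(GROUP_PERMISSIONS, CASE_LOWER);
    $granted = [];
    foreach ($groups as $dn) {
        $key = strtolower(trim((string) $dn));
        foreach ($known[$key] ?? [] as $perm) {
            $granted[$perm] = true;
        }
    }
    return array_keys($granted);
}

function can(array $entry, string $permission): bool
{
    return in_array($permission, permissionsFor($entry), true);
}

// Constructed sample entry, shaped like ldap_get_entries() output.
$entry = [
    'memberof' => [
        'count' => 2,
        'cn=web_editor,ou=groups,dc=example,dc=com',
        'CN=Web_Admin,OU=Contractors,DC=example,DC=com', // same CN, wrong OU
    ],
];

var_dump(can($entry, 'edit'));  // granted through the editor group
var_dump(can($entry, 'admin')); // look-alike admin group is ignored
```

`memberOf` lists direct memberships only, so a user who reaches `Web_Admin` through a nested group will not match here. Active Directory can resolve nesting server-side with the `1.2.840.113556.1.4.1941` matching rule in the search filter.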