Topic: Using mySQL for Active Directory authentication

[DarkRanger]

I hope someone here can help me. What I am trying to do is use mySQL scripting to check if a user exists in our Active Directory (on MS Windows Server 2003).

I have googled quite a bit and asked on a local forum (pcformat.co.za) if it is possible, and as far as I can tell, there isn't a definite answer. Nobody seems sure about it.

So now I would like to know, is it possible to authenticate a user from the Active Directory in mySQL? If it is possible, how do I do this?

Thank you.

[ajlisowski]

You likely wouldnt be able to use mysql to validate a user in AD. You could, however, use PHP to do so using the LDAP library.

I have done so, basically requiring a log-on which validates an active directory binding which allows the user access to an intranet system. I do not use mysql for any of the authentication process (except I do set system admins in mysql to provide certain AD users access to the system's backend  functionality)

What exactly are you looking to accomplish? Are you using PHP?

[DarkRanger]

Could you perhaps explain the LDAP library to me and also how I would use it to achieve what I want to?

I just want to be able to check if a user exists in active directory during login. If the user doesn't exist in active directory, the user won't gain access, easy as that. This is to enable access to the intraweb for only company employees. The thing is, I need to use the AD for this as our company has a policy on passwords that makes passwords expire every 3 months. So I don't want to update the DB with new passwords every time a password changes.

[ajlisowski]

This should probably be moved to PHP and not mysql since if you are validating through AD you wont need mysql.

http://php.net/manual/en/book.ldap.php

Basically ldap is a protocol which will allow you to query your active directory database. For example, you could prompt a user for username and password and then use ldap to validate this binding in AD. You could also grab all users in a certain group or with certain fields.

http://www.php.net/manual/en/function.ldap-bind.php

There are PHP classes available which already do this

http://adldap.sourceforge.net/

I happened to write my own which is probably a lot worse, but I did so to get an understanding of what I was doing. Its been a few months since Ive messed with the code behind my authentication, but basically you connect to the AD server, then to validate a login you simply attempt to use the ldap-bind function to try and connect as that user.

Im definately no expert, as I hadnt even heard of AD until earlier this year. My company actually wants a single sign on solution where we will automatically bind the user based on windows credentials (so the intranet wouldnt even prompt a login if it they were already on the domain) I have yet to accomplish that since most apache mods for it seem to be unsupported. But I have gotten the system to prompt for credentials and validate on AD.

I would look at the class I linked to, and some tutorials on LDAP (jsut google php ldap) and using the tutorials the the php code in the class, learn how to access AD in php.

Im no where near experienced enough to give you a good breakdown of what to do, but if you have any specific questions after looking at the class or some tutorials feel free to ask.

[DarkRanger]

Thanks so much for your reply. This is by far the best answer I have received and I will surely look into this. Thanks so much again.