[TriLUG] PHP "trusted connection" w/ MSSQL (this is mostly a PHP question)

David McDowell turnpike420 at gmail.com
Wed Dec 15 23:35:28 EST 2004


Jeremy, yes I think you see what I'm going for... so I can briefly
tell you that as mentioned before on the list, I am able to use this
method to have Apache ask for username/password and authenticate users
against Microsoft ADS:

http://www.turnpike420.net/linux/Apache_ADS_AuthLDAP.txt

That said, Apache auth isn't the issue.  And b/c of the login, I now
have values for $username = $_SERVER['PHP_AUTH_USER'] and $password =
$_SERVER['PHP_AUTH_PW'].  The problem is using those values in the php
function: mssql_connect($hostname,$username,$password);  So I can pass
the values to the database but they pass in plain text instead of in
the way that Microsoft understands them... in particular, it is MSSQL
that is taking this information and doing its own check against ADS
for authentication.  I found a solution to this aspect of the problem.
In php.ini is: mssql.secure_connection = Off ... I turned it On.
Unfortunately that wasn't the final fix either.

Full solution coming... it's slick!

David McD


On Wed, 15 Dec 2004 21:24:41 -0500 (EST), Jeremy Portzer
<jeremyp at pobox.com> wrote:
> 
> David,
> 
> I think I see what you're after:  You want to be able to have
> authenticated Windows users browse to your Linux/Apache/PHP page without
> being challenged for their credentials, right?  (And/or get these
> credentials passed along to SQL Server, if appropriate.)
> 
> I don't think this is possible with Apache, because IIRC, IE and IIS
> communicate this authentication data in some unique,
> non-standard-compliant way.  (Actually, I think the HTTP protocol allows
> for extensions of the authentication scheme beyond Basic Authentication,
> so it's not *totally* standards-breaking, but it's not something that
> other browsers and web servers would easily support IIRC.)
> 
> I suppose it might be possible that someone has written an Apache module
> that does this, but I don't know what it might be called, or how that
> might interact with PHP.
> 
> Jeremy
> 
> On Wed, 15 Dec 2004, David McDowell wrote:
> 
> > I'm hoping I'm going to bump into someone who has done this, but so
> > far, I seem to be one of the only nutcases around here doing it.  :)
> >
> > Ok... here's the setup: LA(MSSQL)P on both FC1 and FC3 currently.  At
> > this time I'm just working with the FC1 system for this.  There is
> > supposedly such a thing called a "trusted connection" in Microsoft's
> > world.  Those of us who work with Microsoft products all know this is
> > more or less background authentication of sorts... sign in once, get
> > authenticated everywhere.  Easiest example is to say, sign into your
> > WinXP on a windows domain with AD, open Access Data Project as your
> > front end app to MSSQL which has domain user accounts listed with
> > certain roles and permissions defined in the database.  This means no
> > permissions tables for the app, but defined roles, in other words,
> > permission delegated by the database, not a permissions table and
> > coding.  In all the above steps just mentioned, you only signed in
> > once, but Access and MSSQL were able to authenticate you to do what
> > you are allowed to.
> >
> > Now, PHP with Apache on Linux isn't quite the same as PHP on that
> > Microsoft web whatever unmentionable.  :)  I have mod_auth_ldap setup
> > with Apache on Linux which authenticates users against the Microsoft
> > AD without any problems.  Now PHP has $_SERVER['PHP_AUTH_USER'] and
> > $_SERVER['PHP_AUTH_PW'] in which those values are defined after
> > someone logs into the website.  I have run across a couple things such
> > as mssql.secure_connection as something to be added to the php.ini
> > that I found on this page: http://us2.php.net/mssql --- However, I
> > fear this is only PHP on win32 platform.
> >
> > If you are still with me and haven't scoffed at MSSQL yet (I have but I
> > have to use it), any ideas or suggestions from someone who might have
> > this experience would be helpful!
> >
> > thanks,
> > David McD
> >
> 
> --
> /---------------------------------------------------------------------\
> | Jeremy Portzer        jeremyp at pobox.com      trilug.org/~jeremy     |
> | GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
> \---------------------------------------------------------------------/


