Authentication in Active Directory through LDAP in Perl, PHP and Python "by hand" ... :)
It's my first article in English :)
I think I am not the only one who, at times, while solving a problem, has seen that all the solutions found for the problem are not what I need :) In this situation I see three ways: spit and forget, try to improve the solution found, or do it yourself ;)
In 2005, I was a system administrator with work experience and with programming inclinations. I had a task to configure user authentication of a squid proxy server against Active Directory. In general, I found nothing better than joining Samba to the AD domain and authenticating users with my Perl script via Winbind. This solution worked without any problems for several years. My proxy server ran on FreeBSD. Software updating on FreeBSD in 2005-2008 was even worse than it is now... Updating only through portupgrade, removing and rebuilding all software and dependencies from source code - it's just a great nightmare! Errors in rebuilding libraries, and a big chance of breaking the whole system forever. In general, it was easier to update the kernel and world to fix security issues, and reinstall the system every 5 years. Of course, software in FreeBSD Ports is originally much fresher than in any Linux, but software grows old, Samba with Winbind included. One day there came a moment when the old Winbind could not join a domain controller running Windows 2008, and then I realized that I had to move away from Samba with Winbind... :)
I searched for a better way than Samba, and I found the way to authenticate in Active Directory via LDAP... Yeah, it is simple, cross-platform, and can be programmed in any language. The example I found is here: php.net ref.ldap.php, almost what I need, but in "another language, not Perl" ;) As a result, I modified the PHP code, improved the group membership check function, and added protection from an infinite loop if groups are included in each other "in a circle". And I rewrote it in Perl and Python, and recently in Go... :)
The scripts consist of three functions:
- Connect to the LDAP server with the username and password of the user logging in. If the connection fails - error. If it succeeds - check whether group membership needs to be checked. If it does - go to step (2); if not - return success.
- Search for the DN of the user and of the group.
- Check whether the user is a member of the group. If so - "Success", and if not - "excuse me" :)
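The three steps above as an added example in Python (not the post's own scripts): the LDAP server is replaced by a constructed in-memory group map and a bind callback so it runs offline, and the membership check walks nested groups with a visited set, which is the protection against groups that include each other "in a circle".

```python
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data standing in for Active Directory: group DN -> values of its
# 'member' attribute. "admins" and "ops" include each other, i.e. a circle.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "cn=admins,ou=groups,dc=example,dc=com": [
        "cn=ops,ou=groups,dc=example,dc=com",
        "cn=alice,ou=users,dc=example,dc=com",
    ],
    "cn=ops,ou=groups,dc=example,dc=com": [
        "cn=admins,ou=groups,dc=example,dc=com",
        "cn=bob,ou=users,dc=example,dc=com",
    ],
    "cn=guests,ou=groups,dc=example,dc=com": [],
}

def sample_members(group_dn: str) -> List[str]:
    """Stand-in (assumed, in-memory) for searching a group DN and reading its 'member' attribute."""
    return SAMPLE_GROUPS.get(group_dn.lower(), [])

def is_member(user_dn: str, group_dn: str,
              members_of: Callable[[str], List[str]],
              seen: Optional[Set[str]] = None) -> bool:
    """Step 3: is user_dn a direct or nested member of group_dn?

    DNs are compared case-insensitively, as AD treats them. 'seen' records the groups
    already walked, so groups that include each other cannot loop forever.
    """
    seen = set() if seen is None else seen
    group_key = group_dn.lower()
    if group_key in seen:
        return False            # already walked this group: a circle, not a match
    seen.add(group_key)
    for member_dn in members_of(group_key):
        if member_dn.lower() == user_dn.lower():
            return True         # direct member
        if is_member(user_dn, member_dn, members_of, seen):
            return True         # member through a nested group (a user DN has no members)
    return False

def authenticate(bind: Callable[[str, str], bool], username: str, password: str,
                 user_dn: str, group_dn: Optional[str] = None,
                 members_of: Callable[[str], List[str]] = sample_members) -> bool:
    """Steps 1-3: bind as the user; if a group is required, also check membership."""
    if not bind(username, password):
        return False            # LDAP bind refused: bad credentials
    if group_dn is None:
        return True             # no group requirement configured
    return is_member(user_dn, group_dn, members_of)
```

Against a real directory, members_of would be an LDAP search of the group entry's member attribute; restricting that search to objectClass=group avoids one lookup per user DN encountered.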
This is not a library, these are code examples. Maybe they can help someone ;)
A note about the Go code next time :)