Authorization via LDAP

Once a user has been authenticated using PubCookie, your service may need to figure out what level of access they should be granted. This information is provided via the LDAP server, UTORable. Your service will connect to this LDAP server, query it for information about a particular person, and receive back a number of flags indicating the roles that the person assumes at the university. You can then use these flags to determine the level of access/privileges they should be granted.

The first step in gaining access to UTORauth resources is to contact Russell Sutherland. Once it has been decided that your service is authorized by the appropriate parties on campus, you will be assigned a username and password pair. This, along with the IP address of the machine that will be accessing UTORable is our method of authenticating your service.

Assuming that this is a web-based application that you are developing, you will be using some sort of scripting language to provide your users with dynamic content. Directions on how to get started with either PHP or Perl are given below.




LDAP via PHP LDAP via Perl Testing LDAP from Windows


PHP

Requirements

You will need to get and compile LDAP client libraries from either the University of Michigan ldap-3.3 package, Netscape Directory SDK 3.0 or OpenLDAP to compile PHP with LDAP support.

Installation

LDAP support in PHP is not enabled by default. You will need to use the --with-ldap[=DIR] configuration option when compiling PHP to enable LDAP support. DIR is the LDAP base install directory. To enable SASL support, be sure --with-ldap-sasl[=DIR] is used, and that sasl.h exists on the system.

Note to Win32 Users: In order to enable this module on a Windows environment, you must copy several files from the DLL folder of the PHP/Win32 binary package to the SYSTEM folder of your windows machine. (Ex: C:\WINNT\SYSTEM32, or C:\WINDOWS\SYSTEM). For PHP <= 4.2.0 copy libsasl.dll, for PHP >= 4.3.0 copy libeay32.dll and ssleay32.dll to your SYSTEM folder.

Runtime

If you would like, you can use the simple class LDAP.php that contains the basic functionality to connect and query UTORable. If you choose to use this module, you will have to alter the lines that set the username and password:

  LDAP.php  

    $this->ldap_user = "cn=<your_username>,ou=users," . $ldap_base;
    $this->ldap_pass = "<your_password>";

A simple example of how you would use this class. This example simply connects to UTORable and decides to allow access on the basis of the isstudent flag:

  sample_query.php  

    # create a new LDAP object that will be used to query
    # UTORable for an UTORid.
    # 
    $ldap = new LDAP('utorid');

    # connect to the LDAP server, using your supplied
    # username and password.
    # 
    $ldap->connect();

    # fetch any data that exists for UTORid 'leeterry'.
    # 
    $ldap->fetch('leeterry');

    # see if there was an attribute 'isstudent' returned
    # that is set to be TRUE
    # 
    if ( $ldap->att('isstudent') ) {
        allow_access();
    }
    else {
        disallow_access();
    }




Perl

Requirements

You will need to have the Net::LDAP module installed to get LDAP working under perl. This can be installed fairly simply with the CPAN tool.

Runtime

A simple example how you would connect to UTORable and decide to allow access on the basis of the isstudent flag:

  sample_query.pl  

    # some configuration variables
    # 
    $ldap_host = "able.utoronto.ca";
    $ldap_base = "dc=able,dc=utoronto,dc=ca";
    $ldap_user = "cn=<your username>,ou=users," . $ldap_base;
    $ldap_pass = "<your password>";

    # create the new connection and bind to the LDAP server
    # 
    $ldap = Net::LDAP->new($ldap_host) or die "$@";
    $mesg = $ldap->bind($ldap_user, password => $ldap_pass);

    # the query
    # 
    $mesg = $ldap->search(
                          base => $ldap_base,
                          filter => "utorid=$utorid"
                         );

    # the foreach is a bit unneccesary here as there
    # will only be one result.
    # 
    foreach $entry ($mesg->entries) {
        if ( $entry->get_value('isstudent') eq 'TRUE' ) {
            allow_access();
        }
        else {
            disallow_access();
        }
    }




Testing LDAP from Windows

If you are running Windows, and would just like to test your filter strings and username/password, you can use an LDAP browser such as the Softerra ® LDAP Browser.
last updated 2006/06/26 15:56:51: v. 1.3