Carolina's Community of Digital Creators and Communicators

Updated: Onyen Authentication and Access Authorization

More often than not, we run into situations where we need to authenticate users against the UNC Onyen system, whether for a simple application used on an internal department network or for a very complex system that is publicly available. Onyen authentication solves the need to lock out the rest of the world, but it does not [easily] let you lock out everyone except a select number of individuals. There are ways to check whether the user is part of a specific department or has a particular job function, but that may be too broad for some applications.

Here is a simple script, written in PHP, that adds Onyen authentication plus a second, site-specific access authorization check to your site. The script allows access only when both requirements are satisfied.

These layers are:

  • Onyen Authentication:
    The user is presented with a standard HTTP Basic-Authentication dialog asking for their username and password. The values entered are then checked against UNC's LDAP server (the main Onyen directory) to see whether the username/password combination is valid: the script looks up the directory entry for that uid and then binds to the directory as that entry with the supplied password. If the bind succeeds, proceed to the second layer. If not, ask again.
  • Valid-User Authorization:
    Since the first layer verifies the credentials, we only need to check that this user is allowed to access our site. We have a table in a database (vague, huh?) that just lists the Onyen IDs allowed to access the site. If the Onyen is in the list, let them see the site. If not, send them to the homepage/error screen.
<?php

$ldapconfig['host'] = 'REMOVED FOR SECURITY REASONS';  // The hostname of UNC's LDAP server
$ldapconfig['port'] = 389;  // UNC runs LDAP on the standard port, so leave this alone
$ldapconfig['basedn'] = 'REMOVED FOR SECURITY REASONS';  // Base DN under which user entries are searched
$ldapconfig['authrealm'] = "YOUR DEPARTMENT'S NAME";  // Whatever you want your "Realm" to be called
$ldapconfig['homepage'] = 'http://YOUR.ERROR.SITE';  // The site where the user is sent if authorization fails

function ldap_authenticate() {  // Function: prompt user for credentials, check against UNC LDAP server
    global $ldapconfig;

    // Read the Basic-auth credentials from $_SERVER; the old register_globals
    // variables $PHP_AUTH_USER / $PHP_AUTH_PW no longer exist in modern PHP.
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

    // An empty password must never reach ldap_bind(): many directories treat it as an
    // anonymous bind, which would "succeed" for any existing uid.
    if ($user !== '' && $pass !== '') {
        $ds = @ldap_connect($ldapconfig['host'], $ldapconfig['port']);
        if ($ds) {
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);  // Most directories reject LDAPv2 binds
            // Escape the username so filter metacharacters ('*', '(', ')', '\') typed into the
            // login dialog cannot rewrite the search filter (ldap_escape needs PHP 5.6+).
            $filter = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER);
            $r = @ldap_search($ds, $ldapconfig['basedn'], $filter);
            if ($r) {
                $result = @ldap_get_entries($ds, $r);
                if ($result && $result['count'] > 0) {  // ['count'] is 0 when no entry matched
                    // Binding as the found DN with the supplied password is the actual credential check
                    if (@ldap_bind($ds, $result[0]['dn'], $pass)) {
                        return $result[0];
                    }
                }
            }
        }
    }
    header('WWW-Authenticate: Basic realm="' . $ldapconfig['authrealm'] . '"');
    header('HTTP/1.0 401 Unauthorized');
    return NULL;
}

if (($result = ldap_authenticate()) === NULL) {  // If username / password combo is incorrect...
    echo('Authorization Failed');
    exit(0);
}

$uid = $result['uid'][0];  // The ONYEN

$dbhost = 'YOUR DB HOST';  // The hostname where your database is located
$dbuser = 'YOUR DB USER';  // The username to access your database
$dbpass = 'YOUR DB PASS';  // The password to access your database
$dbname = 'YOUR DB NAME';  // Assumes you have a table called 'validusers' which has a column called 'user'

$cxn = new mysqli($dbhost, $dbuser, $dbpass, $dbname);  // Make connection to database (mysql_* was removed in PHP 7)
if ($cxn->connect_error) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('Database unavailable');  // Fail closed: no allowlist, no access
}

// Check whether the user is in the allowlist, using a prepared statement so the
// Onyen is bound as a parameter and never interpolated into the SQL string
$stmt = $cxn->prepare('SELECT COUNT(*) FROM validusers WHERE user = ?');
$stmt->bind_param('s', $uid);
$stmt->execute();
$stmt->bind_result($count);  // Number of matching rows
$stmt->fetch();
$stmt->close();

$cxn->close();  // Close the connection to the database

if ($count > 0) {
  // User has logged in successfully and passed both layers
} else {
  // User is not on the allowlist: redirect AND stop, otherwise the protected
  // page below the redirect header would still be sent to the browser
  header("Location: " . $ldapconfig['homepage']);
  exit(0);
}
?>

Simply execute this code before any output is sent to the browser on every page you want secured, and you should have a working Onyen authentication and access authorization system. Two caveats: HTTP Basic authentication sends the Onyen username and password (base64-encoded, not encrypted) with every request, so serve the protected pages only over HTTPS; and the password is sent again to the LDAP server in the bind, so that connection should use LDAPS or STARTTLS as well. If you have any questions, comments, or concerns, please leave me your comments and I will try to answer them in a timely manner.
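The two places where the script handles input it does not control, the LDAP search filter built from the login name and the allowlist query built from the Onyen, broken out into small functions that can be exercised offline. This is an added example, not code from the original post or from UNC: it assumes PHP 5.6 or later with the ldap and pdo_sqlite extensions, stands an in-memory SQLite table in for the MySQL validusers table, and the helper names onyen_search_filter and onyen_is_authorized, the usernames and the table contents are all constructed for illustration.

```php
<?php
// Added example, not part of the original post. Assumes ext/ldap (for ldap_escape)
// and ext/pdo_sqlite. All usernames, table rows and helper names are constructed.

// Layer 1 helper: build the LDAP search filter for a login name. The untrusted
// value goes through ldap_escape() so filter metacharacters ('*', '(', ')', '\')
// become backslash-hex escapes and cannot change the meaning of the filter.
function onyen_search_filter(string $username): string
{
    return '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Layer 2 helper: allowlist lookup with a prepared statement. The Onyen is bound
// as a parameter, so SQL metacharacters in it are data, not syntax.
function onyen_is_authorized(PDO $db, string $uid): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM validusers WHERE user = ?');
    $stmt->execute([$uid]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed allowlist in an in-memory SQLite database, same shape as the
// 'validusers' table with a 'user' column that the post assumes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE validusers (user TEXT PRIMARY KEY)');
$ins = $db->prepare('INSERT INTO validusers (user) VALUES (?)');
foreach (['jdoe', 'asmith'] as $allowed) {
    $ins->execute([$allowed]);
}

// Constructed login names: two ordinary ones and two that would rewrite a filter
// assembled by plain string concatenation ('uid=' . $user).
foreach (['jdoe', 'mallory', '*', 'x)(uid=*'] as $name) {
    printf("%-12s filter=%s\n", $name, onyen_search_filter($name));
}

// Authorization decisions: jdoe is listed, mallory is not, and a value carrying
// SQL metacharacters is simply a non-match rather than a changed query.
foreach (['jdoe', 'mallory', "' OR '1'='1"] as $uid) {
    printf("%-12s authorized=%s\n", $uid, onyen_is_authorized($db, $uid) ? 'yes' : 'no');
}
```

Run it from the command line with `php example.php` (any file name). The wildcard login name comes out of ldap_escape() as `\2a`, so the filter matches only a literal asterisk instead of every entry under the base DN, and the quoted SQL fragment is compared as a plain string against the user column.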

UPDATE: After thinking about possible security issues, I have removed the LDAP hostname and base directory names from my code. If you need these, please contact me directly and I will send them to you.

UPDATE: Many thanks to Todd Lewis, who pointed out a couple of wording errors and also identified some limitations with the script. Apparently, users who have enabled privacy flags on their LDAP accounts will not be able to log into this system. If it becomes a regular issue, I will have to try and work out an alternative.

1 Comment

  1. dfrey

    I wrote an object-oriented solution to the Onyen authentication problem. I also wrote an LDAP lookup class that uses a privileged Onyen account to do lookups (to return results of students with private profiles).

    The authentication class is pretty straightforward in its implementation:

    $auth = new onyen_auth('onyen', 'password');  // 'onyen' and 'password' are the Onyen and Onyen password of the user to authenticate
    $auth->authenticate();
    $arr_attribute = $auth->get_ldap_attribute('attribute');  // 'attribute' is an LDAP attribute
    $arr_error = $auth->__get('error');  // creates an array of error messages if any exist

    Please let me know if this is something you or the community might be interested in and I’ll pass it along.

© 2024 Web Professionals