Plexcel - PHP Active Directory Integration
Plexcel is an extension for PHP that provides proper integration with Microsoft Active Directory Server (ADS). It is specifically designed for building sophisticated CMS sites but it is no less useful for small projects.
If your business uses Active Directory, why waste time trying to build separate user and group management functionality into your websites?
Leverage your existing security infrastructure and personnel.
Plexcel provides solid Windows integration without giving up the benefits of using Linux and FreeBSD.
The following is a high level outline and description of Plexcel's features.
Some of these features are described further below. For a complete description of all of Plexcel's features, download the Plexcel Developer's Guide from the Support page.
- Active Directory Single Sign-On (SSO)
- Scalable script-level Windows group based access control
- Explicit Logon with a username and password
- Full delegation support
- Authentication from web tier to other servers
- Add, modify and delete users, groups and group members
- Advanced LDAP API
- Access accounts with wide variety of names
- Easy binding strings w/o hostnames or base DNs
- RFC 2255 style LDAP URLs
- Create, modify and delete objects
- Attribute intelligence
- Automatic attribute conversions
- Password setting / changing
- Sophisticated directory location using DNS SRV lookups and Active Directory Sites & Services
- Easy installation - no setup on Windows side required
- I18N - All functions are fully internationalized
- Generate service keytab files
- Highly compatible with Microsoft products
- Libraries and plugins for popular PHP software
PDF; 2 Pages
Intranet web applications authenticate clients using primarily two methods - Single Sign-On (SSO) and/or an explicit logon form.
Plexcel supports true SPNEGO SSO (unlike some "SSO" solutions where you must login a second time through an intermediate site).
Plexcel can fall-back to a logon form if the client cannot perform SSO (e.g. they are not logged into the domain).
With SPNEGO, users cannot accidentally lock their accounts (the user's existing credentials are used to authenticate).
Fast Script-Level Windows Group Access Control
Plexcel has a plexcel_is_member_of function that can quickly determine if the user is in the named Windows group. Traditional Windows group names are supported (no LDAP DNs in config files).
Plexcel properly handles nested groups. The already fully expanded list groups is extracted from the user's Kerberos ticket. Because AD performs the group expansion when the user logs in, you can be certain that access control behavior will be consistent with established Windows behavior.
Perhaps most important, Plexcel's group based access control is fast and as a result it scales very well. Once the SID of a group name used in a script is cached, no further network communication is required to perform access checks with that name again (until the server is restarted). This permits chaining together access checks to create Access Control Lists (ACLs).
Plexcel supports credential delegation. By default Plexcel will use the client's credential to initiate authentication with Active Directory or the Global Catalog. An option is provided for other non-Plexcel functions that support Kerberos to use the client's credential as well.
Authentication with other Tiers
Delegation is only one way to acquire a credential for initiating authentication with other tiers. Plexcel provides two other methods. If a client is not authenticated at all, the HTTP service account credential will be used. The third method is to acquire a credential with a username and password (supplied from a configuration file or by the client).
Advanced LDAP API
Plexcel provides an LDAP API that has several advantages over the "raw" API provided by PHP. Some, but not all, of these features are described below.
Plexcel functions that require an account name accept the full range of name forms:
|Common Name (CN)||Hans Müller|
|SAM Account Name||hmuller|
|Qualified SAM Account Name||EXAMPLE\hmuller|
|User Principal Namefirstname.lastname@example.org|
|Distinguished Name (DN)||CN=Hans Müller,OU=Europe,DC=example,DC=com|
Easy Binding Strings
Consider the following PHP statement that creates a Plexcel context resource:
$px = plexcel_new('ldap:///DefaultNamingContext', NULL);
$objs = plexcel_search_objects($px, ...
This example illustrates two unique features of Plexcel. First, no hostname was supplied. This indicates to Plexcel that an appropriate AD server should be located automatically. Second, the special DefaultNamingContext base is one of several alternative base identifiers.
You can also specify an explicit base like DC=example,DC=com or an RFC 2255 style LDAP URL with a filter.
Plexcel binding strings make writing directory code "as simple as possible but not simpler".
Automatic Attribute Conversions
Active Directory represents time attributes as either UTC time strings or as nanoseconds since 1601 values. Considerable work is required to manually convert these values into human readable dates or values that can be used in date logic. With automatic attribute conversions turned on, time values will be automatically normalized into milliseconds since 1970 values which are ideal for use within PHP.
Plexcel provides all of the security functions necessary to write full featured account management tools. Plexcel can add, modify and delete users and groups, set passwords, change passwords, generate keytab files for UNIX services and much more.
Our products interoperate very well with other vendors (e.g. Microsoft). We analyze network communication and adjust our code where necessary to match the observed behavior. This significantly limits the potential for protocol changes made by another vendor to break compatibility with our products without breaking compatibility between their own products.