Plexcel - PHP Active Directory Integration
This product has been discontinued.
Plexcel is an extension for PHP that provides proper integration with Microsoft Active Directory Server (ADS). It is specifically designed for building sophisticated CMS sites but it is no less useful for small projects. If your business uses Active Directory, why waste time trying to build separate user and group management functionality into your websites? Leverage your existing security infrastructure and personnel. Plexcel provides solid Windows integration without giving up the benefits of using Linux and FreeBSD. The following is a high level outline and description of Plexcel's features.
Fast Script-Level Windows Group Access Control

Plexcel has a plexcel_is_member_of function that can quickly determine whether the user is in the named Windows group. Traditional Windows group names are supported (no LDAP DNs in config files). Plexcel properly handles nested groups: the already fully expanded list of groups is extracted from the user's Kerberos ticket. Because AD performs the group expansion when the user logs in, you can be certain that access control behavior will be consistent with established Windows behavior. Perhaps most important, Plexcel's group-based access control is fast and as a result it scales very well. Once the SID of a group name used in a script is cached, no further network communication is required to perform access checks with that name again (until the server is restarted). This permits chaining together access checks to create Access Control Lists (ACLs).
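The ACL chaining described above, as an added example that is not part of the Plexcel documentation. It assumes plexcel_is_member_of($px, $groupName) returns a boolean for the authenticated client held by the context (the argument order is an assumption; only the function name and the binding string form come from this page), and the group names are constructed for illustration.

```php
<?php
// Added example, not Plexcel's own code. Assumptions:
//  - plexcel_new() returns a context bound to the authenticated client
//    (binding string form taken from this page);
//  - plexcel_is_member_of($px, $groupName) returns true when the client's
//    Kerberos ticket carries that group (argument order is an assumption).
//
// The ACL is an ordered list of [group, allow] rules. The first matching
// rule wins, and a request that matches no rule is denied (default deny),
// so a forgotten rule fails closed rather than open.
function acl_decide($px, array $rules): bool
{
    foreach ($rules as [$group, $allow]) {
        if (plexcel_is_member_of($px, $group)) {
            return $allow;
        }
    }
    return false; // default deny
}

$px = plexcel_new('ldap:///DefaultNamingContext', NULL);

// Constructed rules. The deny rule is listed before the broader allow so
// that a suspended group nested inside "Staff" is still refused, which
// matters because Plexcel evaluates nested membership from the ticket.
$rules = [
    ['EXAMPLE\Contractors-Suspended', false],
    ['EXAMPLE\Staff',                 true],
    ['EXAMPLE\Auditors',              true],
];

if (!acl_decide($px, $rules)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Access denied');
}
// Content for authorised users follows here.
```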
Delegation

Plexcel supports credential delegation. By default Plexcel will use the client's credential to initiate authentication with Active Directory or the Global Catalog. An option is provided for other non-Plexcel functions that support Kerberos to use the client's credential as well.

Authentication with other Tiers

Delegation is only one way to acquire a credential for initiating authentication with other tiers. Plexcel provides two other methods. If a client is not authenticated at all, the HTTP service account credential will be used. The third method is to acquire a credential with a username and password (supplied from a configuration file or by the client).

Advanced LDAP API

Plexcel provides an LDAP API that has several advantages over the "raw" API provided by PHP. Some, but not all, of these features are described below.

Account Names

Plexcel functions that require an account name accept the full range of name forms:
Easy Binding Strings

Consider the following PHP statement that creates a Plexcel context resource:

    <?php
    $px = plexcel_new('ldap:///DefaultNamingContext', NULL);
    $objs = plexcel_search_objects($px, ...

This example illustrates two unique features of Plexcel. First, no hostname was supplied. This indicates to Plexcel that an appropriate AD server should be located automatically. Second, the special DefaultNamingContext base is one of several alternative base identifiers. You can also specify an explicit base like DC=example,DC=com or an RFC 2255 style LDAP URL with a filter. Plexcel binding strings make writing directory code "as simple as possible but not simpler".
Automatic Attribute Conversions

Active Directory represents time attributes as either UTC time strings or as nanoseconds since 1601 values. Considerable work is required to manually convert these values into human readable dates or values that can be used in date logic. With automatic attribute conversions turned on, time values will be automatically normalized into milliseconds since 1970 values, which are ideal for use within PHP.

Security Functions

Plexcel provides all of the security functions necessary to write full-featured account management tools. Plexcel can add, modify and delete users and groups, set passwords, change passwords, generate keytab files for UNIX services and much more.

Microsoft Compatibility

Our products interoperate very well with other vendors (e.g. Microsoft). We analyze network communication and adjust our code where necessary to match the observed behavior. This significantly limits the potential for protocol changes made by another vendor to break compatibility with our products without breaking compatibility between their own products.