LDAP Authentication RPI Tutorial (Part 2)

Last time I spoke of how to setup ldap with PHP and briefly touched on using the “ldapsearch” command. I would like to go more in-depth on “ldapsearch”, and show you how you can use it to craft searches for your PHP application. Specifically for RPI, if the user has a RCS account, they can ssh into “rcs-ibm.rpi.edu” and run the following commands. (RCS-IBM puts you on either clark.server.rpi.edu or lewis.server.rpi.edu, these two have the commands you need on them and run AIX) To briefly review the command:

  • First we add the command, then enter the host you are searching, tell the server to try simple anonymous authentication. Next give the server a base to start the search (I am using RPI specific domain components), finally we have to give the heart of our search. I am looking for any Unique ID (username) that starts with “berk”, and ends with anything “*”.
  • ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘uid=berk*’”

The main part of the search we will be editing is the ending. Here we specify a filter to find the information we are attempting to access. Each LDAP server has different attributes it can give about each object. For example, the ldap.rpi.edu server gives out “givenName, objectClass, cn(full concatenated name, or common name), sn (surname), loginShell,” and many others; while at the same time “ldap1.server.rpi.edu” returns a much different lists of results.

Finding Which Attributes Will be Returned

The best way to find which fields are available is by doing a search without a filter. Just running the search below will return an unfiltered list of everything in the directory, up till you hit the individual servers limit. I am purposefully not publishing results from these searches for privacy reasons; here is some results for me with some data omitted.

  • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’”
  • # berkod2, accounts, rpi, edu
    dn: uid=berkod2,ou=accounts,dc=rpi,dc=edu
    sn: Berkowitz
    cn: Berkowitz, Daniel
    objectClass: top
    objectClass: posixAccount
    objectClass: inetOrgPerson
    objectClass: eduPerson
    objectClass: rpiDirent
    objectClass: mailRecipient
    objectClass: organizationalPerson
    objectClass: person
    uid: berkod2
    loginShell: /bin/bash
    uidNumber: #####
    mailAlternateAddress: berkod2@rpi.edu
    givenName: Daniel
    gecos: Daniel  Berkowitz
    rpiclusterhomedir: /home/berkod2
    description: PRIMARY-STU
    homeDirectory: /home/06/berkod2
    gidNumber: ###

Now that we have an idea about the data structure and what this server has on it we can reverse the lookup and tweak it. I know ‘uid’ will be the username, and I can get the users name from that! So using CAS I can log a user in and get their username, then I can lookup there LDAP information. (EXAMPLE 1) If a user enters a name, then a user can search for their UID doing the reverse. (EXAMPLE 2) The wild card can also be used if the full name is not known. (EXAMPLE 3) Last we can use multiple fields, combining these ideas to narrow down the result. (Example 4)

  • Example 1
    • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘uid=berkod2’”
  • Example 2
    • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘sn=Berkowitz’”
  • Example 3
    • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘sn=Berko*’”
  • Example 4
    • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘sn=Berko*’ ‘uid=berkod*'”

LDAP Authentication RPI Tutorial (Part 1)

After writing about how to use CAS with PHP, I thought I would write a post about how to use LDAP(Lightweight Directory Access Protocol) at RPI but these methods can be used anywhere. LDAP is a protocol to query user databases, this is a protocol that can be sed along with Active Directory, or another directory system for computers and user accounts. This protocol is widely used to allow different applications to interact with your user database. Here I will be showing how to implement search with LDAP to a web application. This guide will be using LDAP with PHP, this requires the LDAP module to be enabled within PHP; that will be the purpose of this article, then the next one will discuss how to actually query LDAP.

LDAP Linux (Debian/Ubuntu) Install

Linux is easy to get LDAP working with PHP, as long as you have a standard installation of Apache, with PHP 5 working.

  1. Install the LDAP module onto the machine, using either aptitude or apt-get
    • “sudo aptitude install php5-ldap”
    • OR “sudo apt-get install php5-ldap”
  2. PHP should now be able to use LDAP, if it is not working yet, you will need to restart Apache.
    • “sudo service apache2 restart”

LDAP Windows (XAMPP) Install

Xampp for Windows comes with LDAP, but there is a bug in their implementation and a file needs to be copied before LDAP will work. I am going to use “C:\xampp”, the default directory for Xampp in this example.

  1. Go into the PHP folder, C:\xampp\php\
  2. Edit the file “php.ini” with any text editor
  3. Find the line “;extension=php_ldap.dll”, and remove the semi-colon. “extension=php_ldap.dll”
  4. Now if you were to reboot Apache it should be working, but its not! Why not? There is a missing DLL. You need to
    copy libsasl.dll from c:\xampp\php\libsasl.dll to C:\xampp\apache\bin\.
  5. Now restart Apache

LDAP Search

Now that PHP can search LDAP we are going to want to start creating queries in PHP; but it is much easier to tweak the search in the command line, and then put that query into PHP. The following are steps that can be taken on a Linux computer (again Ubuntu/Debian) to install and use a ldap command line search.

  1. First we need to install the OpenLDAP utilities that will give us the “ldapsearch” command
    • “sudo aptitude install openldap-utils”
    • OR “sudo apt-get install openldap-utils”
  2. Now we are making our query
    • First we add the command, then enter the host you are searching, tell the server to try simple anonymous authentication. Next give the server a base to start the search (I am using RPI specific domain components), finally we have to give the heart of our search. I am looking for any Unique ID (username) that starts with “berk”, and ends with anything “*”.
    • ldapsearch -h “ldap.rpi.edu” -x -b “dc=rpi, dc=edu” “uid=berk*”
    • Now this gives one result, and this can be used to see what data will be returned from this server. You can also try “ldap1.server.rpi.edu” this returns a entirely different list of variables, and sometimes more users.
    • If you are interested in researching this command more, die.net has a great resource. http://linux.die.net/man/1/ldapsearch
    • Troubleshooting: For those of you here at RPI trying to follow this guide specifically, if you do not get any results or a error connecting, RPI firewalls the LDAP servers heavily. I have found a lot of the time I have to be in the VCC to make this work, you can also VPN in, then your network connection is within the VCC and it will work. I have VPNed in, while on campus in the Union to get LDAP to work.

UPDATE: I added a little about what LDAP is

RPI phpCAS Authentication Tutorial

After much tinkering with RPI’s CAS (Central Authentication System) in PHP, I thought I would put together a guide to make it easy for anyone to put together a site that uses it. This would work for anyone at another location with a CAS server, but this example is for RPI.

  1. Get the CAS Library
  2. Download the tar file under “Current Version”
  3. Extract the contents, using a program such as 7-Zip, and put it in the root of whatever web folder you want
  4. Download the latest CA bundle for SSL
  5. Create a index.php, login.php, logout.php
  6. The index has to load the library, check if the user is logged in, then print out text.
    • <?PHP

      // SSL!
      phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file

      if (phpCAS::isAuthenticated())
      echo “User:” . phpCAS::getUser();
      echo “<a href=’./logout.php’>Logout</a>”;
      echo “<a href=’./login.php’>Login</a>”;



    • First we load the library for CAS from the subfolder
    • Then we select which will be our central server
    • We have to select our ca bundle, setCasServerCert does this
    • Now we have fully loaded and configured the library
    • Finally, I can ask CAS if a user has logged in, if so writeout some options, if not others
  7. This is the login page
    • <?PHP

      // SSL!
      phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file

      if (!phpCAS::isAuthenticated())
      header(‘location: ./index.php’);



    • Similar setup of authentication as before
    • Now we check if the user is NOT authenticated, if the user is not authenticated we force login
    • If the user already is logged in, then we redirect to the index
  8. The logout page:
    • <?PHP

      // SSL!
      phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file

      if (phpCAS::isAuthenticated())
      header(‘location: ./index.php’);



    • Same configuration (this can be done by including a core file that everything else calls, but for this example I wanted to keep it simple)
    • If they are not logged in, then we push the user back to login

That is the basic configuration, the example is available for download below. If there are any questions feel free to post a comment.

Download: https://github.com/daberkow/daberkow.github.io/blob/master/CASExample.zip

Extra Notes:

  • If you want to save server space, the docs folder under the CAS folder can be removed
  • I have ran into problems with CAS on a Windows Apache server, and CAS on a Linux Apache server reference the CACert.pem file differently

Time Tracker

Recently I have been working on an hour keeping system for my work at RPI; we have an old time card system that is running on a Windows 2000 server. The code no longer works, as in the JavaScript is not supported by modern browsers. The old system has been running for over 11 years, and it is time to let it retire.

The new system is at version 0.1 right now, with basic functionality working. The system is split into groups, so while one server runs separate departments can run a “group” and have their employees under there. Once a user is given privileges to one group in the system, when that user logins in, that group will automatically come up.

The old system had a html page that managers could edit, to give announcements to workers. This was a bit of a tedious process to go in and manually edit these pages, now there is a field for the manager of each group to drop html to edit their page. The system has two levels of accounts and privileges, there is the privilege within a group, and the privilege for the entire system. While a user can be administrator of a group and edit their group, they may not have administrative rights over the entire server. By having administrative rights to the entire server, a user can change the splash page before a user is logged on, or create new groups in the system.

The system allows for templates to be made of weeks, so if a student worker works the same hours every week, then they can save it and deploy it easily. I am working on integrating email reminders by using a .Net application that integrates with MySQL. By having the application read who has yet to enter logs this pay period  I can use the students CAS login to get their email.

Below are some photos of the system, and it is all open source at the attached link.

Source: https://github.com/daberkow/RPI_timetracker

Friend Blogs & IT Jobs


Two friends of mine at Rensselaer Polytechnic Institute (RPI) have blogs as well, one is about college food, http://collegefoodie.com/; the other, is for Wine and related foods, http://quintessenceofmediocrity.blogspot.com/. The college food blog run by a contributor for this blog, Kevin Ung, @kevinung.


Now that it is senior year of college for me, the job hunt has started. This year there was a good turn out for the Information Technology (and Web Science) program at the RPI career fair. There seems to be two types of companies at the career fair for IT, some know they want IT and what that entails; the other are companies that want Comp Sci but say they want IT. The latter, in their interviews tends to ask questions such as algorithms.

Many companies have rotation programs for IT students, these are designed to start with a generic student and train them in the organizations method and technologies. These programs tend to be 2-4 years, with 6-12 month rotations; ranging from databases to networking. Most of these programs also focus on creating managers out of these students, going back and forth between technology classes as well as management skills.

To any new IT students, I would recommend knowing what path you want to go down early on, do you want to be closer to general (broad) IT, or focus on the computer science components