This is a beginner (newbie) example of using Grouper to restrict webpage access with PHP and LDAP.
There is a small website consisting of an index page with links to subpages. Certain sections should only be seen by certain populations of the institution: either the relevant part of the index page, or the underlying deep-linked subpage.
Here is a blurred version of the index page, and a description of who has access to what:
Note: the site is written in PHP
There are three levels of access. Using Grouper permissions might be better, but since the site is PHP, we only have groups and memberships in LDAP at Penn (not permissions), and we already have example code for PHP->LDAP, we will just use group memberships to represent that access.
- Create a new folder for the application: site:apps:secureWebApp
- Create the ad hoc group: site:apps:secureWebApp:adHocGroup. Allow the client to edit the memberships (READ and UPDATE privileges), and give them the deep link URL to the lite membership UI:
- Create the three groups for the access levels, and add as members the existing groups in Grouper that can be reused. Note that we add three new groups here to loosely couple the application to the institutional groups and make things more flexible later on down the line:
  - site:apps:secureWebApp:facultyStaffStudents (add as member) site:community:facultyStaffStudents
  - site:apps:secureWebApp:facultyStaff (add as member) site:community:facultyStaff
  - site:apps:secureWebApp:orgAndAdHoc (add as members) site:community:employees:orgs:dept:whatever:org123 AND site:apps:secureWebApp:adHocGroup
- Our institution does WS authentication with kerberos principals and HTTP basic auth
- Create the kerberos principal: secureWebApp_grouper/server.site.edu
- Add that kerberos principal to the kerberos subject table so it can be referenced as a subject from Grouper
- Grant that kerberos principal access to LDAP (by adding it to the group site:etc:ldapUsers), and grant it READ on the three security groups: site:apps:secureWebApp:facultyStaffStudents, site:apps:secureWebApp:facultyStaff, site:apps:secureWebApp:orgAndAdHoc. At our institution LDAP is access-controlled, so this is what allows that Kerberos principal to READ the memberships in LDAP.
We need to check which of the groups the user is in. We do not want to check this often, so we store the result in the PHP session: if it is there, use it; if not, look it up and create it. Have an include for each secure page:
grouper.php has the ldapGroupHasMember method:
grouperPass.php has the password for the kerberos principal...
Now, in each PHP page, we can include the grouperSession page near the top, wherever an HTML comment is OK:
For the subpages, we check whether the user is in the right group for that page, or else show an error message. Note: the only reason someone would get the error is if an authorized user sent them a deep link (unless a link is wrong).
For the index page, get all the sections, add each one to an array if the user is allowed to see it, and display them without empty slots. Note: give a message if the user is not allowed to see any of them:
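Here is the shape the three includes and the page-level checks could take, as an added example rather than the page's own grouper.php / grouperSession.php. It assumes PHP 7.4+, that Grouper provisions each group to LDAP as cn=<group name>,ou=groups,dc=site,dc=edu with a multi-valued hasMember attribute holding login ids, that the Kerberos principal binds with a DN and password kept in grouperPass.php, and that the web server's authentication sets REMOTE_USER; the host, base DN, attribute name, file paths and the section list are all assumptions.

```php
<?php
// Added example, not the page author's code. Everything marked "assumed" is a
// placeholder for the local LDAP layout and deployment.

/* ---- grouper.php: ldapGroupHasMember ---------------------------------- */

function ldapGroupHasMember(string $groupName, string $userId): bool
{
    // grouperPass.php (assumed to define $grouperBindDn and $grouperBindPassword
    // for the Kerberos principal) is kept outside the web root; requiring it
    // inside the function keeps the secret in local scope rather than a global.
    require __DIR__ . '/../private/grouperPass.php';           // assumed path

    // ldaps:// so the bind credentials never cross the wire in clear text.
    $ldap = ldap_connect('ldaps://ldap.site.edu');            // assumed host
    if ($ldap === false) {
        throw new RuntimeException('Cannot reach LDAP');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ldap, $grouperBindDn, $grouperBindPassword)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ldap));
    }

    // Escape both values so neither a group name nor a user id can rewrite the
    // filter (LDAP filter injection); the lookup is a single AND over cn and member.
    $filter = sprintf(
        '(&(cn=%s)(hasMember=%s))',                            // assumed schema
        ldap_escape($groupName, '', LDAP_ESCAPE_FILTER),
        ldap_escape($userId, '', LDAP_ESCAPE_FILTER)
    );
    $result = ldap_search($ldap, 'ou=groups,dc=site,dc=edu', $filter, ['cn']); // assumed base
    $found  = $result !== false && ldap_count_entries($ldap, $result) > 0;
    ldap_unbind($ldap);
    return $found;
}

/* ---- grouperSession.php: look up once, then cache in the session ------- */

session_start();
$userId = $_SERVER['REMOTE_USER'] ?? null;   // set by the web server's auth (assumed)
if ($userId === null) {
    http_response_code(401);
    exit('Not authenticated');
}
// Recompute when nothing is cached or the cache belongs to a different user.
// Until the next session, a membership change in Grouper is not seen here.
if (!isset($_SESSION['grouperAccess']) || $_SESSION['grouperAccess']['userId'] !== $userId) {
    $_SESSION['grouperAccess'] = [
        'userId'               => $userId,
        'facultyStaffStudents' => ldapGroupHasMember('site:apps:secureWebApp:facultyStaffStudents', $userId),
        'facultyStaff'         => ldapGroupHasMember('site:apps:secureWebApp:facultyStaff', $userId),
        'orgAndAdHoc'          => ldapGroupHasMember('site:apps:secureWebApp:orgAndAdHoc', $userId),
    ];
}

function userHasAccess(string $level): bool
{
    return !empty($_SESSION['grouperAccess'][$level]);
}

/* ---- subpages: call requireAccess('<level>') right after the include ---- */

function requireAccess(string $level): void
{
    if (!userHasAccess($level)) {
        http_response_code(403);
        exit('You are not authorized to view this page.');
    }
}

/* ---- index page: list only the permitted sections, with no empty slots -- */

function renderIndex(array $sections): void
{
    $visible = array_values(array_filter($sections, fn($s) => userHasAccess($s['level'])));
    if ($visible === []) {
        echo '<p>You are not authorized to view any section of this site.</p>';
        return;
    }
    echo '<ul>';
    foreach ($visible as $s) {
        // Escape on output so a section title can never become markup.
        printf('<li><a href="%s">%s</a></li>',
            htmlspecialchars($s['href'], ENT_QUOTES), htmlspecialchars($s['title'], ENT_QUOTES));
    }
    echo '</ul>';
}

renderIndex([                                  // constructed sample sections
    ['level' => 'facultyStaffStudents', 'title' => 'Campus announcements', 'href' => 'announcements.php'],
    ['level' => 'facultyStaff',         'title' => 'Staff forms',          'href' => 'forms.php'],
    ['level' => 'orgAndAdHoc',          'title' => 'Org 123 workspace',    'href' => 'org123.php'],
]);
```

Two things worth checking in a real deployment: the session cache means removing someone from the ad hoc group in Grouper does not lock them out until their session ends, so either keep PHP's session lifetime short or store a timestamp alongside the flags and refresh after a fixed interval; and grouperPass.php should be readable only by the web server user and excluded from version control, since the principal it holds can read every membership it was granted.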