How to access iChain OLAC parameters passed in the HTTP header using PHP.

(Last modified: 23Nov2004)

This document (10095583) is provided subject to the disclaimer at the end of this document.

goal

How to access iChain OLAC parameters passed in the HTTP header using PHP.

fact

iChain 2.2

iChain 2.3

PHP

Object Level Access Control (OLAC)

fix

iChain has the ability to pass supplemental user information to the back end web or application server.  This feature is called Object Level Access Control (OLAC).  This document will provide some examples of how information can be passed in the HTTP header, and how that information can be accessed via PHP.  (For complete details regarding OLAC, please consult the iChain documentation.)

PHP makes information from the HTTP header available in a variety of ways, depending on server configuration and platform.  The following examples assume that Apache is the web server and PHP 4.3.0 or higher is being used.  Older versions of PHP may have different methods or functions to obtain the required information.  Please consult the PHP documentation online at http://php.net/ for the most current information.

The following informaion will be used for the examples:

User Information:
Name: John Doe
DN: CN=johndoe,OU=users,O=org
Username: johndoe
Password: mypassword
Title: mytitle

The first thing to do is make sure that iChain is configured properly.  Following is a sample configuration to be used in these examples.  Individual configurations may vary.

iChain Server Configuration:

  1. LDAP Profile
    1. Profile Name: myldap
    2. Type: LDAP Authentication
    3. LDAP Login Method: Build distinguished name
    4. LDAP context list: ou=users,o=org
    5. Naming attribute: cn
  2. Web Server Accelerator
    1. Accelerator Name: myws
    2. DNS Name: www.mywebsite.com
    3. Cookie Domain: mywebsite.com
    4. Forward host name sent by browser to the web server
    5. Enable authentication
    6. Authentication options
      • Forward authentication information to web server
      • Service profiles: myldap
  3. Access Control
    1. Enable Object Level Access Control (OLAC)

ISO Object Configuration:

  1. Protected Resource
    1. Resource Name: MyWebSite
    2. URL Prefix: www.mywebsite.com/*
    3. Access: Restricted
    4. OLAC Parameters:
      1. Pass Parameters In: HTTP Header
      2. Username
        • Name: Username
        • Data Source: LDAP
        • Value: cn
      3. Title
        • Name: Title
        • Data Source: LDAP
        • Value: title

With the above configuration, the following pieces of information will be in the HTTP header for all requests sent from the iChain box to the origin server:

  • Authorization: Basic Y249am9obmRvZSxvdT11c2VycyxvPW9yZzpteXBhc3N3b3Jk
    • The above string is Base64 encoded.  The decoded value is:
      cn=johndoe,ou=users,o=org:mypassword
  • X-Username: johndoe
  • X-Title: mytitle

When the PHP script receives the HTTP request with the above header information, PHP creates and makes available the following global variable/vaule pairs:

  • _SERVER["PHP_AUTH_USER"]
    • cn=johndoe,ou=users,o=org
  • _SERVER["PHP_AUTH_PW"]
    • mypassword
  • _SERVER["HTTP_X_USERNAME"]
    • johndoe
  • _SERVER["HTTP_X_TITLE"]
    • mytitle
  • HTTP_X_USERNAME
    • johndoe
  • HTTP_X_TITLE
    • mytitle

These global variables may be used as any other variable for evaluation or assignment.  For example, the following script would print the value of each of these variables:

<?php
        echo "$_SERVER[PHP_AUTH_USER] <br />";
        echo "$_SERVER[PHP_AUTH_PW] <br />";
        echo "$_SERVER[HTTP_X_USERNAME] <br />";
        echo "$_SERVER[HTTP_X_TITLE] <br />";
        echo "$HTTP_X_USERNAME <br />";
        echo "$HTTP_X_TITLE <br />";
?>

Additionally, it is possible to create a variable containing an array of all the raw Apache headers.  For example:

  • $headers = apache_request_headers();

This new $headers variable will have the following pertinent values:

  • headers["Authorization"]
    • Basic Y249am9obmRvZSxvdT11c2VycyxvPW9yZzpteXBhc3N3b3Jk
  • headers["X-Username"]
    • johndoe
  • headers["X-Title"]
    • mytitle

The above mentioned _SERVER["PHP_AUTH_USER"] and _SERVER["PHP_AUTH_PW"] variables represent the same data as the $headers["Authorization"] value created above, with the exception that the data has already been decoded.

The following script would create this $headers variable, then print out each of the header elements individually.  It will also assign two new variables $username and $title, then print the values of both $username and $title.

<?php
        $headers = apache_request_headers();

        foreach ($headers as $header => $value) {
           echo "$header: $value <br />\n";
        }
        echo "End of headers<p>";

        $username = $headers["X-Username"];
        $title = $headers["X-Title"];

        echo "<p>";
        echo "username is $username <br />";
        echo "title is $title <br />";
?>

.

note

If no additional information is required other than username and password, simply use the _SERVER["PHP_AUTH_USER"] and _SERVER["PHP_AUTH_PW"] variables which are sent in the HTTP Authorization header.  Remove all other OLAC parameters from the Protected Resource to prevent them from being passed in the HTTP header.

As previously noted, the default configuration of iChain sends the user's full DN for the username.  If only the CN value is required ("johndoe" in the examples above), it is possible to configure iChain to reflect this attribute instead of the DN using the special ICHAIN_UID OLAC parameter.  To modify this behavior, use the following configuration:

ISO Object Configuration:

  1. Protected Resource
    1. Resource Name: MyWebSite
    2. URL Prefix: www.mywebsite.com/*
    3. Access: Restricted
    4. OLAC Parameters:
      1. Pass Parameters In: HTTP Header
      2. ICHAIN_UID
        • Name: ICHAIN_UID
        • Data Source: LDAP
        • Value: cn

The resultant HTTP Authorization header value would be:

  • Authorization: Basic am9obmRvZTpteXBhc3N3b3Jk
    • This vaule decodes to:
      johndoe:mypassword

And the corresponding PHP variables would be:

  • _SERVER["PHP_AUTH_USER"]
    • johndoe
  • _SERVER["PHP_AUTH_PW"]
    • mypassword

For additional troubleshooting purposes, it is possible to create a simple script which will display all available PHP information.

<?php
        phpinfo();
?>

More information can be obtained about the use of this function by visiting the following URL:  http://php.net/phpinfo

Complete documentation on PHP is available at the PHP website:  http://php.net/

document

Document Title: How to access iChain OLAC parameters passed in the HTTP header using PHP.
Document ID: 10095583
Solution ID: NOVL99914
Creation Date: 23Nov2004
Modified Date: 23Nov2004
Novell Product Class:iChain

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.