> -----Original Message----- > From: Bob McConnell [mailto:r...@cbord.com] > Sent: Wednesday, December 01, 2010 5:23 AM > To: Chris Knipe; php-general@lists.php.net > Subject: RE: [PHP] LDAP, Active Directory, and permissions > > From: Chris Knipe > > > I've found various sources and are successfully manipulating Active > > Directory from PHP on our Domain Controller - frankly, things works > much > > better than I expected :) > > > > I have now reached the point where I need to set permissions on > objects in > > Active Directory, i.e. to restrict read permissions to certain OUs and > > objects within the directory (mainly related to Exchange stuff). > > > > Is there anything in PHP which can be used to set permissions on AD > > objects? I haven't found any reference to doing this anywhere, so I > thought > > I'd give it a chance here... If not, then I suppose I'll have to code > some > > ..NET application to act as a gateway between the PHP interface and > Active > > Directory, but naturally I would like to do as much as possible from > within > > PHP itself. > > I don't know about your IT group, but around here and at any of our clients, > they will never allow anyone outside their office modify access rights, or > add users. It takes a written request by a manager or above to get them to > make any changes, and each request must include the reasons for the > change. > > No we cannot use the master LDAP server for testing. We have a couple of > OpenLDAP servers isolated on our test networks for that. But even those > have to be managed directly. No application is allowed to do more than > retrieve data. > > Bob McConnell >
It's the same with my past work environments. All changes (except password) must be requested prior and is recorded. It seems that Chris' environment is too wide open and easily hackable. Chris, just an FYI, the majority of the hacks are done from the inside of the network. Regards, Tommy -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
