Developer Notes
Contents
- PHP Limitations
- Linking to Arcanum
- API Reference
- Links to Standards and Documents
PHP Limitations — What PHP does not help us with
This section describes the limitations of PHP.
- The additional information from an LDAP error message is not available. https://bugs.php.net/bug.php?id=47222
- No way to do extended operation, e.g. for password change. Will have to resort to an external solution (e.g. http://ff1959.wordpress.com/2011/11/12/ldap-password-modify-extended-request/ ) or workarounds.
- Paging in search is not available until PHP 5.4.0.
Linking to Arcanum
<base_url >[<startpage>][<arguments>]
- base_url = 'http://myaccount.example.org/arcanum/'
startpage:
- index.php (login page)
- myaccount.php (for editing account info)
- changepassword.php (for changing password)
arguments:
| service=<rawurlencoded service url> | Service URL for going back to web service | index,myaccount,changepassword |
| casauth=1 | Enable CAS authentication | myaccount |
| renew=true | When redirecting back to web service, carry the 'renew=true' argument to force reauthentication with CAS | index |
| expired=1 | A flag that enables a different text to be displayed instead of the usual intro ("Your password is expired or inactive and has to be changed") | index,changepassword |
| resetted=1 | A flag that enables a different text to be displayed instead of the usual intro ("Your current password can only be used in order to change the password") | index |
| token=<auth_token> | Enable token authentication (a token must be registered first via the API) | changepassword |
Examples
- service_url = https://service.example.org/path?arg1=foo1&arg2=foo2
redirecting, after successful login, to "fill in your details" page
http://myaccount.example.org/arcanum/myaccount.php?casauth=1&service=https%3A%2F%2Fservice.example.org%2Fpath%3Farg1%3Dfoo1%26arg2%3Dfoo2
redirecting when authentication failed with additional information 'passwordExpired'
http://myaccount.example.org/arcanum/index.php?expired=1&service=https%3A%2F%2Fservice.example.org%2Fpath%3Farg1%3Dfoo1%26arg2%3Dfoo2
redirecting after authentication aborts, with additional information 'passwordMustChange'
http://myaccount.example.org/arcanum/index.php?resetted=1&service=https%3A%2F%2Fservice.example.org%2Fpath%3Farg1%3Dfoo1%26arg2%3Dfoo2
API Reference — What you can do with RPC calls to Arcanum
Clear an account for immediate password change / reset
<APPLICATION_BASE_URL>/api.php?action=authorize_for_password_change&uid=<USERNAME>
Allowed from: IP addresses found in:
$config->login_servers $config->cas->host
Server will simply return a token. After you get this token, you will need to refer the user to go to:
<APPLICATION_BASE_URL>/changepassword.php?token=<TOKEN>
If there is an error, then the HTTP server status will be "405 Method Not Allowed" and the body of the HTML response will be the error string.
Perform SMS token authentication
<APPLICATION_BASE_URL>/api_sms.php?smsc=%2B30123456&phone=%2B3069399999999&text=Body
Allowed from: IP addresses found in:
$config->smsgw->ip_receive
Arguments:
- smsc: the number of the SMS message centre
- phone: the number of the mobile phone that originated the password reset request
- text: the body of the text message
Links to Standards and Documents
- draft-behera-ldap-password-policy-09 (implemented by OpenLDAP)
- draft-behera-ldap-password-policy-10 (latest)
- RFC 3062 - LDAP Password Modify Extended Operation
- RFC 5724: URI Scheme for Global System for Mobile Communications (GSM) Short Message Service (SMS) (for the QR code format)
- slapo-ppolicy(5) - man page for OpenLDAP's ppolicy implementation