PHP : Microsoft Office 365 and Active Directory

Disclaimer: I am not the biggest fan of Microsoft.  On the contrary.  I keep running into situations, where Microsoft technologies are a constant source of pain.  If that annoys you, please stop reading this post now and go away.  I don’t care.  You’ve been warned.

A few recent projects that I’ve been working on in the office required integration with Microsoft Office 365.  Office 365 is a new kid on the block as far as I am concerned, so I had no experience of integrating with these services.

The first look at what needs to be done resulted in a heavy drinking session and a mild depression.  Here are a few links to get you started on that path, if you are interested:

We’ve discussed the options with the client and decided to go a different route – limit the integration to the single sign-on (SSO) only, and use their Active Directory server (I’m not sure about the exact setup on the client side, but I think they use Active Directory Federation Services to have a local server in the office synchronized with the Office 365 directory).

Exposing the Active Directory server to the entire Internet is not the smartest idea, so we had to wrap this all into a virtual private network (VPN).  You can read my blog post on how to setup the CentOS 7 server as an automated VPN client.

Once the Active Directory was established, PHP LDAP module was very useful for avoiding any low-level programming (sockets and such).  With a bit of Google searching and StackOverflow reading, we managed to figure out the magic combination of parameters for ldap_connect(), ldap_set_option(), and ldap_search().

It took longer than expected, but some of it was due to the non-standard configuration and permissions on the client side.  Anyways, it worked, which were the good news.

The client accepted the implementation and we could just close the chapter, have another drink, and forget about this nightmare.  But something was bothering me about it, so I was thinking the heavy thoughts at the back of my mind.

The things that bother me about this implementation are the following:

  • Although it works, it’s a rather raw implementation, with very limited flexibility (filters, multiple servers, etc).
  • The code is difficult to test, due to the specifics of the AD setup and the network access limitations.
  • There is a lack of elegance to the solution.  Working code is good, but I like things to be beautiful too.  As much as possible at least.

So, I was keeping an eye open and I think today I came across a couple of links that can help make things better:

  1. adLDAP PHP library, which provides LDAP authentication and integration with Active Directory.  I don’t know how I missed it so far, but I think now things will be much easier and cleaner.
  2. Search Filter Syntax documentation on MSDN.
  3. This Reddit thread.  Yes, a lot of the things I’ve learned today are linked from it.  But it’ll be much easier for me to find all this information in my own blog, next time I’ll have to deal with Microsoft again.
  4. Public-facing LDAP server thanks to Georgia Institute of Technology, for testing connection and simple queries.

Armed with this new knowledge, I’m sure the current working solution can be improved a lot – simplified with fewer lines of code, based on the much more robust and tested code base, and given a basic test script to make sure the code works somewhere else, outside of a particular client’s setup.

I wish I came across that all much earlier.

 

Office 365 Lync Online SRV DNS records on Amazon Route 53

One of the very few things we still rely on from Microsoft at work is Office 365.  Not because it is so great, but because I simply didn’t have the time to move away yet (quiet Christmas season is coming soon).  Most people don’t get exposed much to it anyway, using Evolution or Thunderbird email clients, or forwarding everything to Gmail altogether.  But as an administrator of the service I get constantly annoyed by the “there are problems with your domain” notification.  After ignoring it for about a year, I decided to finally fix it.  All that was needed is a couple of records in the DNS zone.

Unfortunately, the instructions Microsoft provides don’t quite well apply to Amazon Route 53 user interface.  It took me a few tries and some searching to find the right ones.  Here they are, thanks to a comment on this page:

First record:

1. Log into Route 53.
2. in the hosted zones window, check the box next to YOURDOMAIN.com
3. click  [ > Go to Record Sets]
4. Click  [Create Record Set]
5. Enter  _sipfederationtls._tcp , in the Name field
6. Switch type to SRV – Service locator
7. In the Value window Enter: 100 1 5061 sipfed.online.lync.com
8. Click [Create]

Second record:

9. Click  [Create Record Set]
10. Enter: _sip._tls , in the name field
11. Switch type to SRV – Service locator
12. In the Value window Enter: 100 1 443 sipdir.online.lync.com
13. Click [Create]