I think I should probably chalk it down to one of those weeks and have done with it, nearly the weekend and all that (2 weeks til half-term, yay ). Yesterday I spent an afternoon going around in circles. Today I jumped some hoops and still ended back where I started. Tomorrow, who knows!

Perhaps I should start at the beginning. We run IIS at work, have done for sometime, the principal reason being we can authenticate users and keep them out of places on the intranet they shouldn't be a-wandering. Then I came along. Wrote some code. Good code. Snazzy code. Code with all the bells and whistles. It doesn't like IIS, or more specifically it doesn't like windows authentication. For no reason we could figure out (and believe me we tried). Even more frustrating was the fact that the errors were completely random. One minute the code would work and the right people had access, another it wouldn't but the kids could get to it. Much head scratching later we decided to stuff it, we'd go with apache.

So a virtual server was set up (yes I know there are better ways but sometimes you just have to go with what you're given), apache was installed. 2 hours of head scratching later and we have authentication working also. Except that single-sign-on on apache doesn't work quite the same way as on IIS, you can't query a folder to see if the user has permission before you serve up the code within. The problem being that this was how one piece of my code was working (incidentally a completely different piece of code to the one that was stuffing up before - that one was fixed [with a bit of creative thinking]). That was yesterdays circle. The conclusion: my code needed a rethink and a good nights sleep.

Today dawned and with it the bright idea of ldap. Being sheltered from many things networky until September last year I've never used ldap. It has always sounded intriguing but there has never been anywhere for me to play with it. I've got somewhere now. So today was spent learning how to put together ldap and php into something I could use. Success was mine, a class was written which would query the ad, find the user and check which groups they belong to. My other code was adapted to dictate which groups were allowed access to the different pieces of code and then the query from the ad matched up so I could give or deny access. Easy.

Then I hit a snag. There's a useful server variable used in php, $_SERVER['AUTH_USER'], which basically tells you the user autheticated to view the page you're on. This was the variable I was planning to use to get my user, to query the ad, to find the group, to check the permission, to access the code. This variable is an IIS only variable. Apache doesn't do it.

So the current state of affairs is that half my code works on the apache server, half of it works on the IIS server and none of it is any use to anybody. That will be tomorrow's challenge...