SitePoint Sponsor

User Tag List

Results 1 to 2 of 2

Hybrid View

  1. #1
    SitePoint Member
    Join Date
    Feb 2013
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    PHP with LDAP Authentication

    So I've been working on a portal that authenticates via LDAP and then forwards to a page and uses sessions for all of this. I've hacked together a lot of code I have found from all over the internet and have finally got it working... almost. I am a total newbie with php so if someone could help me with this I'd be grateful..

    The main issue is that it is using the display name in AD to check the inputed user name against (I think?). If I try to login with my example ad account, inv_bind, which has its display name also set to inv_bind, authentication works correctly. However if I change its display name at all, authentication fails. Same issue on any other account. If displayname matches the login name, everything works fine. The full code is near the bottom, but the next part is what I'm pretty sure is wrong. I just don't know how to fix it.

    Something in this is telling it to get the display name?

    The offending part:
    Code:
        if($bind = @ldap_bind($ldap, $user, $password)) {
            // valid
            // check presence in groups
            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
            $filter = "(samAccountName=" . $user . ")";
            $attr = array("memberof");
            $result = ldap_search($ldap, $LDAP_DN, $filter, $attr) or exit("Unable to search LDAP server");
            $entries = ldap_get_entries($ldap, $result);
            ldap_unbind($ldap);




    Full code:
    Code:
    error_reporting(0);
    function authenticate($user, $password) {
        // Active Directory server
        $ldap_host = "test.local";
     
        // Active Directory DN
        $LDAP_DN = 'OU=Users,OU=Computer Operations,OU=Departments,OU=Corporate,DC=test,DC=local';
     
        // Active Directory user group
        $ldap_user_group = "inv_read";
     
        // Active Directory manager group
        $ldap_manager_group = "inv_write";
    
         // connect to active directory
        $ldap = ldap_connect($ldap_host);
     
    
        // verify user and password
        if($bind = @ldap_bind($ldap, $user, $password)) {
            // valid
            // check presence in groups
            ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
            $filter = "(samAccountName=" . $user . ")";
            $attr = array("memberof");
            $result = ldap_search($ldap, $LDAP_DN, $filter, $attr) or exit("Unable to search LDAP server");
            $entries = ldap_get_entries($ldap, $result);
            ldap_unbind($ldap);
     
            // check groups
            foreach($entries[0]['memberof'] as $grps) {
                // is manager, break loop
                if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }
     
                // is user
                if (strpos($grps, $ldap_user_group)) $access = 1;
            }
     
            if ($access != 0) {
                // establish session variables
                $_SESSION['user'] = $user;
                $_SESSION['access'] = $access;
                return true;
            } else {
                // user has no rights
                return false;
            }
     
        } else {
            // invalid name or password
            return false;
        }
    }

  2. #2
    SitePoint Member
    Join Date
    Feb 2013
    Posts
    2
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    There must be some way to test this? I have the exchange shell cmd open. Is there anyway to run:

    $result = ldap_search($ldap, $LDAP_DN, $filter, $attr) or exit("Unable to search LDAP server");

    To see what its returning?


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •