<?php
session_start();
if (empty($_SESSION['authok'])) {
    $ad = ldap_connect("ldap://ad.somewhere.com") or
        die("<h1>Could Not connect to AD</h1>");
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Both fields must be non-empty: an empty password would make ldap_bind()
    // an anonymous bind, which succeeds without checking any credentials.
    if (!empty($_POST['AUTH_USER']) && !empty($_POST['AUTH_PASS'])) {
        if (ldap_bind($ad, $_POST['AUTH_USER']."@ad.somewhere.com",
                      $_POST['AUTH_PASS'])) {
            $_SESSION['authok'] = 1;
            // TODO: Enter PHP LDAP CALL to obtain MEMBER OF information and
            // store in a HASH.
        } else {
            $welmsg = "Login Failed, Please try again";
            $_SESSION['authok'] = "";
        }
        ldap_unbind($ad);
    }
    if (empty($_SESSION['authok'])) {
?>
<html>
Login and password form code goes here with action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"
</html>
<?php
        exit();
    }
}
?>
This works; now I want to determine or obtain a list of groups that a person may be a member of and store that information in a session variable, to help determine if a given user belongs to a given group that is allowed to view a given page. Anyone have some advice on what the best approach would be, or a sample of code that will do this? I am dealing with users that will typically be members of no fewer than 2 groups. I was thinking of some LDAP call that would query the memberOf list and store the results in a HASH. Also, if someone has a sample of the PHP LDAP call and the format I would use to execute this, that would be much appreciated.
Thanks!
This block of code is a rip from an intranet system I did a year or two ago. Although the code does things in a bit more detail than you asked for, you should be able to grab the info you need from it.
Essentially, it attempts to bind with the username and password supplied ($ldap['username'] and $ldap['password']). If that works, it searches AD for the username and pulls back the $info array.
In the array should be $info[0]['memberof'], which should be an array of the groups that the user is in.
$contexts = array("OU=USERS,DC=SOMECOMPANY,DC=CO,DC=UK",
                  "OU=USERS,OU=ANOTHEROU,OU=DOMAIN USERS,DC=SOMECOMPANY,DC=CO,DC=UK");
foreach ($contexts as $thiscontext) {
    $ldap['context'] = $thiscontext;
    $ldap['rdn'] = "CN=" . $ldap['user'] . "," . $ldap['context'];
    if ($connection = @ldap_connect($ldap['server'])) {
        $outline = "Connected to server. Attempting to validate username / password <br><br>";
        if (@ldap_bind($connection, $ldap['rdn'], $ldap['password'])) {
            $outline = "Successfully authenticated user " . $ldap['user'];
            // Escape the name before interpolating it so it cannot change the filter's structure.
            $person = ldap_escape($ldap['user'], "", LDAP_ESCAPE_FILTER);
            $filter = "(|(cn=*$person*)(givenname=*$person*)(mailname=*$person*)(name=*$person*))";
            // memberof must be in the attribute list, or the search will not return it.
            $justthese = array("ou", "sn", "givenname", "mail", "memberof");
            $sr = ldap_search($connection, $ldap['rdn'], $filter, $justthese);
            if ($sr !== false) {
                $info = ldap_get_entries($connection, $sr);
                $successcontext = $thiscontext;
            }
        }
    }
    if (isset($info)) {
        break;
    }
}
if (isset($info) && $info['count'] > 0 && isset($info[0]['memberof'])) {
    // ldap_get_entries() adds a 'count' element to each attribute array,
    // so iterate by index rather than with foreach.
    for ($i = 0; $i < $info[0]['memberof']['count']; $i++) {
        $grps = $info[0]['memberof'][$i];
        // Do what you want with the group names defined in $grps;
    }
}
HTH
(I know there are some undefined constants, but I cannot post the full script for security reasons)
I have tested some code using the example given above. I am getting unexpected output. Any idea how to clean it up, or can someone explain to me why I see what I see?
<?php
$ad = ldap_connect("ldap://someldap.somewhere.com") or
    die("<h1>Could Not connect to AD</h1>");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
if ($ad) {
    $bd = ldap_bind($ad, "user@someldap.somewhere.com", "password") or
        die("Could not bind to AD!");
} else {
    die("<h1>No reason to go on</h1>");
}
$dn = "ou=dept,dc=someldap,dc=somewhere,dc=com";
$filter = "(samAccountName=user)";
$attrs = array("memberOf");
$result = ldap_search($ad, $dn, $filter, $attrs) or die("Search failed");
$entries = ldap_get_entries($ad, $result);
// ldap_get_entries() stores a 'count' element next to the values in
// $entries[0]['memberof']; loop by index so only the group DNs are printed.
if ($entries !== false && $entries['count'] > 0 && isset($entries[0]['memberof'])) {
    for ($i = 0; $i < $entries[0]['memberof']['count']; $i++) {
        echo htmlspecialchars($entries[0]['memberof'][$i]) . "<br>";
    }
}
ldap_unbind($ad);
?>
My output displays as follows:
1
CN=GROUP-MEMBER,OU=Admins,OU=DEPT,DC=someldap,DC=somewhere,DC=com
Any ideas?
ELS
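Putting the bind-then-search approach from the second post together with the stray "1" seen in the last post, here is an added example (not code from any poster in this thread). It binds as the user, reads memberOf, and stores the group DNs in the session as a hash for per-page checks; the server URI, base DN and UPN suffix are constructed placeholders.

```php
<?php
// Added example: authenticate by LDAP bind, then cache the user's memberOf DNs in the session.
const AD_URI    = 'ldaps://ad.example.com';   // constructed placeholder; LDAPS so the password is not sent in clear
const AD_BASE   = 'DC=example,DC=com';        // constructed placeholder
const AD_SUFFIX = '@example.com';             // constructed placeholder

/** Returns a hash of lower-cased group DNs (DN => true), or null when the bind fails. */
function ad_authenticate(string $user, string $pass): ?array
{
    // An empty password makes ldap_bind() an anonymous bind that "succeeds", so refuse it.
    if ($pass === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    $ad = ldap_connect(AD_URI);
    if ($ad === false) {
        return null;
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ad, $user . AD_SUFFIX, $pass)) {
        ldap_unbind($ad);
        return null;
    }
    // ldap_escape() keeps the user name from changing the filter's structure.
    $filter  = '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $res     = ldap_search($ad, AD_BASE, $filter, ['memberOf']);
    $entries = $res !== false ? ldap_get_entries($ad, $res) : false;
    ldap_unbind($ad);
    $groups = [];
    if ($entries !== false && $entries['count'] > 0 && isset($entries[0]['memberof'])) {
        // ldap_get_entries() adds a 'count' element to each attribute array (the "1" a plain foreach prints).
        $mo = $entries[0]['memberof'];
        for ($i = 0; $i < $mo['count']; $i++) {
            $groups[strtolower($mo[$i])] = true;
        }
    }
    return $groups;
}

/** Page gate: true when the session holds the given group; DNs compare case-insensitively. */
function in_group(string $groupDn): bool
{
    return !empty($_SESSION['groups'][strtolower($groupDn)]);
}

session_start();
if (isset($_POST['AUTH_USER'], $_POST['AUTH_PASS'])
    && ($groups = ad_authenticate((string) $_POST['AUTH_USER'], (string) $_POST['AUTH_PASS'])) !== null) {
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['authok'] = 1;
    $_SESSION['groups'] = $groups;
}
```

memberOf lists only direct memberships and omits the user's primary group, so nested-group or primary-group checks need an extra lookup.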