Validate AD group membership with php and LDAP
I am able to bind to the AD server, but I am having trouble understanding how to validate membership in a specific group. What I want to do is check to see if the user is part of the group "DOMAIN\IT" and, if so, assign a session variable that I can later use.
Here is what I have so far:
<?php
session_start(); // required before any $_SESSION access

if (isset($_POST["submit"])) {
    $ldaprdn  = "DOMAIN\\" . $_POST["username"]; // ldap rdn or dn
    $ldappass = $_POST["password"];              // associated password
} else {
    $ldaprdn  = "noUserName"; // ldap rdn or dn
    $ldappass = "noPassWord"; // associated password
}

// check login form post submission and blank values
if (isset($_POST["submit"])) {
    // an empty password makes ldap_bind() an anonymous bind, which AD accepts,
    // so a blank password must never reach the bind
    if ($_SESSION["blanklogin"] !== "1" && $ldappass !== "") {
        // connect to ldap server
        $ldapconn = ldap_connect("DC01.ROOT.DOMAIN.ORG")
            or die("Could not connect to LDAP server.");
        if ($ldapconn) {
            ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
            ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
            // binding to ldap server
            $ldapbind = @ldap_bind($ldapconn, $ldaprdn, $ldappass);
            // verify binding
            if ($ldapbind) {
                $_SESSION["login"] = "1";
                // TODO: CHECK GROUP MEMBERSHIP - IF IN GROUP DOMAIN\IT then set session variable.
                session_regenerate_id(true);
                // nothing may be echoed before header(), so redirect and stop here
                ldap_unbind($ldapconn);
                header("Location: index.php");
                exit;
            } else {
                echo "LDAP bind for " . htmlspecialchars($ldaprdn) . " Failed...<br />";
                $_SESSION["login"] = "0";
            }
            $_SESSION["blanklogin"] = "0";
            ldap_unbind($ldapconn);
        }
    } else {
        echo "Username & Password Required<br />";
    }
}
The following code is taken from one of my projects and returns a list of group names the user is a member of, including recursion. You should be able to use that to check for what you want:
<?php
// Wrapped in a function so the fragment runs as posted; the exception classes
// are the author's own.
function getUserGroupNames($ldapServerAddress, $ldapServerPort, $ldapUsername, $ldapPassword, $ldapSearchRoot, $userDN)
{
    $ldapConnection = ldap_connect($ldapServerAddress, $ldapServerPort);
    ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
    // Do something to handle connection failure here, this is just what I did.
    if ($ldapConnection === false) throw new ActiveDirectoryConnectionException();

    $ldapBind = ldap_bind($ldapConnection, $ldapUsername, $ldapPassword);
    // Do something to handle binding failure here, this is just what I did.
    if ($ldapBind === false) throw new ActiveDirectoryAuthenticationException();

    // LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) returns every group
    // whose member chain contains $userDN, i.e. nested membership is resolved server-side.
    $result = ldap_search($ldapConnection, $ldapSearchRoot, "(member:1.2.840.113556.1.4.1941:=" . $userDN . ")", array("sAMAccountName", "dn"));
    // Do something to handle query failure here, this is just what I did.
    if ($result === false) throw new ActiveDirectorySearchException(ldap_error($ldapConnection), ldap_errno($ldapConnection));

    $groups = ldap_get_entries($ldapConnection, $result);
    $groupNames = array();
    for ($i = 0; $i < $groups['count']; $i++)
    {
        $groupNames[] = $groups[$i]['samaccountname'][0];
    }
    return $groupNames;
}
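As an added example (not code from the question or the answer), the following puts the two pieces together into the check the question asked for: bind with the user's own credentials, resolve the login name to a DN, and ask the directory whether that DN is in the member chain of one specific group, setting the session variable only when both steps succeed. The server address, base DN and group DN are assumed placeholders; the `1.2.840.113556.1.4.1941` matching rule is the one used in the answer above.

```php
<?php
// Added example, not code from the question or the answer above. It combines
// the poster's bind-as-user login with the answer's matching-rule-in-chain
// filter to answer one question: is this user a (nested) member of DOMAIN\IT?
// Server, base DN and group DN are assumed placeholders; adjust to your forest.

const AD_SERVER      = 'ldaps://DC01.ROOT.DOMAIN.ORG';             // assumption: LDAPS endpoint
const AD_BASE_DN     = 'DC=ROOT,DC=DOMAIN,DC=ORG';                 // assumption
const IT_GROUP_DN    = 'CN=IT,OU=Groups,DC=ROOT,DC=DOMAIN,DC=ORG'; // assumption
const NETBIOS_DOMAIN = 'DOMAIN';
const MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941'; // AD: resolve nested membership

/**
 * Authenticates $username/$password against AD and reports whether the user
 * is a direct or nested member of $groupDn. Returns false for any
 * authentication failure; throws RuntimeException on server-side errors so a
 * directory outage is never mistaken for "not in group".
 */
function authenticateAndCheckGroup(string $username, string $password, string $groupDn): bool
{
    // An empty password turns ldap_bind() into an unauthenticated bind, which
    // AD accepts by default: reject it before the server is contacted.
    if ($username === '' || $password === '') {
        return false;
    }
    // sAMAccountName is at most 20 characters and never needs filter metacharacters.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
        return false;
    }

    $conn = ldap_connect(AD_SERVER);
    if ($conn === false) {
        throw new RuntimeException('Invalid LDAP URI: ' . AD_SERVER);
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD rejects LDAPv2 binds
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // do not chase referrals on search

    // Step 1: the bind with the user's own credentials is the password check.
    if (@ldap_bind($conn, NETBIOS_DOMAIN . '\\' . $username, $password) === false) {
        ldap_unbind($conn);
        return false;
    }

    try {
        // Step 2: resolve the login name to a DN. ldap_escape() neutralises
        // filter metacharacters even though the regex above already limits them.
        $userFilter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
        $res = ldap_search($conn, AD_BASE_DN, $userFilter, ['dn']);
        if ($res === false) {
            throw new RuntimeException('User lookup failed: ' . ldap_error($conn));
        }
        $entries = ldap_get_entries($conn, $res);
        if ($entries['count'] !== 1) {
            return false; // unknown or ambiguous account
        }
        $userDn = $entries[0]['dn'];

        // Step 3: read the group object itself with a filter that only matches
        // if the user's DN is in its member chain. A base-scoped ldap_read()
        // returns exactly one entry when the user is a member, none otherwise.
        $memberFilter = '(member:' . MATCHING_RULE_IN_CHAIN . ':='
            . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . ')';
        $check = ldap_read($conn, $groupDn, $memberFilter, ['cn']);
        if ($check === false) {
            throw new RuntimeException('Group check failed: ' . ldap_error($conn));
        }
        return ldap_count_entries($conn, $check) === 1;
    } finally {
        ldap_unbind($conn);
    }
}

// Login handler: the session variable is only set after both checks pass.
session_start();
if (isset($_POST['submit'])) {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    if (authenticateAndCheckGroup($username, $password, IT_GROUP_DN)) {
        session_regenerate_id(true);     // new session id once privilege changes
        $_SESSION['login'] = '1';
        $_SESSION['is_it_member'] = '1'; // what index.php later checks
        header('Location: index.php');   // no output may precede this call
        exit;
    }
    $_SESSION['login'] = '0';
    echo 'Login failed or user is not a member of DOMAIN\\IT.';
}
```

Reading the group with a base-scoped `ldap_read()` rather than enumerating all of the user's groups keeps the result to a yes/no answer and lets the domain controller do the nested-group expansion. Keeping the "not a member" path (return false) separate from the "directory error" path (exception) matters for a login handler: a failed search should not silently grant or deny access as if it were an authentication result.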