
How to achieve LDAP group based authorization in PHP?

I am developing a simple site in PHP to enable some users to do some specific tasks. My goal is to achieve role based authorization for the users, and they should see different pages according to their LDAP group membership. This is how I'm trying to implement it:

1) use the php-ldap library functions to connect to the LDAP server
2) extract the DN of the group and of the user with ldapsearch under the group base DN and the user base DN
3) search for the "memberOf" attributes in the user entry and match them with the group DN; return true if matched
4) search for the "member" attributes in the group entry and match them with the user DN; return true if matched.

So far I have tested this against an OpenLDAP server and it seems to be working; however, I want the script to work against other directory servers like ApacheDS, Active Directory and 389ds. As I don't have access to multiple directory servers, I want some advice on whether these steps will work on other directory servers or not. Any help regarding this will be appreciated. Thanks in advance.

These steps will basically work on other LDAP servers. You will have to be able to change the attributes you are using, though, as Active Directory for instance uses the attribute sAMAccountName where the default LDAP schema uses uid.

And Active Directory does store the group membership in the user node and not in the group node. So there have to be different approaches for retrieving the group membership.

Have a look at https://github.com/heiglandreas/kimai/blob/feature/fixLDAPAuthentication/core/libraries/Kimai/Auth/Ldapadvanced.php which might contain some useful snippets. It does not take into account the issue with group membership being defined in the user node!
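The four steps from the question and the attribute switch from the answer, as an added PHP example that is not code from the question, the answer or the linked Kimai project. It keeps the login attribute (uid versus sAMAccountName) in a per-server profile, checks both the user side (memberOf) and the group side (member), escapes the login name before it goes into the search filter, and normalises DNs before comparing them. The search is passed in as a callable so the logic runs offline against a constructed in-memory directory; makeLdapSearch() wraps a real ext-ldap connection. The base DNs, the profile names, the assumption that groups are named by cn, and the sample entries are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. Group-membership
// check on both the user side (memberOf) and the group side (member), with
// the login attribute chosen per directory flavour. DNs, profiles and the
// sample entries below are assumptions.

// Escape a value for an LDAP search filter (RFC 4515). Without this a login of
// "*" or "x)(uid=admin" rewrites the filter. Same result as
// ldap_escape($v, '', LDAP_ESCAPE_FILTER) when ext-ldap is loaded.
function escapeFilterValue(string $v): string
{
    return str_replace(['\\', '*', '(', ')', "\0"], ['\5c', '\2a', '\28', '\29', '\00'], $v);
}

// DNs are case-insensitive and allow whitespace around separators, so compare
// a normalised form rather than the raw string a server hands back.
function normaliseDn(string $dn): string
{
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

// Attribute profile per server. OpenLDAP, 389ds and ApacheDS name users by
// uid; Active Directory uses sAMAccountName. memberOf is native on AD but
// needs the memberof overlay/plugin elsewhere, hence the group-side check too.
const PROFILES = [
    'openldap' => ['login' => 'uid',            'member' => 'member', 'memberof' => 'memberOf'],
    'ad'       => ['login' => 'sAMAccountName', 'member' => 'member', 'memberof' => 'memberOf'],
];

// $search(string $base, string $filter, string[] $attrs) returns a list of
// ['dn' => string, '<attribute, lowercased>' => string[]] entries.
function isMemberOfGroup(callable $search, array $p, string $userBase, string $groupBase, string $login, string $group): bool
{
    $users  = $search($userBase,  sprintf('(%s=%s)', $p['login'], escapeFilterValue($login)), [$p['memberof']]);
    $groups = $search($groupBase, sprintf('(cn=%s)', escapeFilterValue($group)),              [$p['member']]);
    if (count($users) !== 1 || count($groups) !== 1) {
        return false;   // unknown or ambiguous user/group: deny, never fall through to "allowed"
    }
    $userDn  = normaliseDn($users[0]['dn']);
    $groupDn = normaliseDn($groups[0]['dn']);
    foreach ($users[0][strtolower($p['memberof'])] ?? [] as $dn) {   // step 3: user side
        if (normaliseDn($dn) === $groupDn) return true;
    }
    foreach ($groups[0][strtolower($p['member'])] ?? [] as $dn) {    // step 4: group side
        if (normaliseDn($dn) === $userDn) return true;
    }
    return false;   // direct membership only; nested groups are not followed
}

// Adapter for a real server: $conn comes from ldap_connect() followed by a
// successful ldap_bind() with a service account.
function makeLdapSearch($conn): callable
{
    return function (string $base, string $filter, array $attrs) use ($conn): array {
        $res = ldap_search($conn, $base, $filter, $attrs);
        if ($res === false) return [];
        $raw = ldap_get_entries($conn, $res);
        $out = [];
        for ($i = 0; $i < $raw['count']; $i++) {
            $entry = ['dn' => $raw[$i]['dn']];
            foreach ($attrs as $a) {
                $k = strtolower($a);   // ldap_get_entries() lowercases attribute names
                $entry[$k] = isset($raw[$i][$k]) ? array_values(array_filter($raw[$i][$k], 'is_int', ARRAY_FILTER_USE_KEY)) : [];
            }
            $out[] = $entry;
        }
        return $out;
    };
}

// Constructed in-memory directory standing in for a server (OpenLDAP-style).
// The group lists alice with different DN casing and spacing on purpose.
$directory = [
    ['dn' => 'uid=alice,ou=people,dc=example,dc=org', 'uid' => ['alice'],
     'memberof' => ['cn=admins,ou=groups,dc=example,dc=org']],
    ['dn' => 'uid=bob,ou=people,dc=example,dc=org', 'uid' => ['bob'], 'memberof' => []],
    ['dn' => 'cn=admins,ou=groups,dc=example,dc=org', 'cn' => ['admins'],
     'member' => ['UID=Alice, OU=People, DC=example, DC=org', 'uid=carol,ou=people,dc=example,dc=org']],
];
$fakeSearch = function (string $base, string $filter, array $attrs) use ($directory): array {
    if (!preg_match('/^\((\w+)=(.*)\)$/', $filter, $m)) return [];   // only equality filters are needed here
    $base = normaliseDn($base);
    $hits = [];
    foreach ($directory as $e) {
        $inBase = substr(normaliseDn($e['dn']), -strlen($base)) === $base;
        $values = array_map('escapeFilterValue', $e[strtolower($m[1])] ?? []);
        if ($inBase && in_array($m[2], $values, true)) $hits[] = $e;
    }
    return $hits;
};
$check = fn(string $u, string $g) => isMemberOfGroup(
    $fakeSearch, PROFILES['openldap'], 'ou=people,dc=example,dc=org', 'ou=groups,dc=example,dc=org', $u, $g);
var_dump($check('alice', 'admins'));   // listed on both sides despite the DN spelling in member
var_dump($check('bob', 'admins'));     // not a member
var_dump($check('carol', 'admins'));   // in member, but no user entry under the user base: denied
var_dump($check('*', 'admins'));       // wildcard is escaped, not interpreted
```

Two caveats a practitioner would add around this check. First, it only authorises; authenticate the user beforehand by binding as the user's own DN with the supplied password, and reject an empty password before calling ldap_bind(), because an empty-password simple bind is treated as an anonymous bind by many servers and succeeds. Second, the check follows direct membership only; nested groups need either a recursive walk of the member attribute or, on Active Directory, a filter using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (1.2.840.113556.1.4.1941) on memberOf.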
