
Verifying user is part of ldap/active directory security group

Ok... I've dug through the examples etc. on here and I'm still having issues.

<?php
// SHOW ERRORS 0=NO 1=YES
ini_set('display_errors', '1');


//USER
$valid_session_username = $_POST["username"];
$valid_session_password = $_POST["password"];

//MEMBER OF THIS GROUP
$dn = "DC=FLRC,DC=local";
$group = "CN=Internet-Purchasing-Allowed,OU=Security Groups,DC=FLRC,DC=LOCAL";
$filter = "(&(objectClass=user)(memberOf=$group))";


$ad = ldap_connect("srv-flc-dc03") or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($ad, LDAP_OPT_REFERRALS,0);
$bd = ldap_bind( $ad, $valid_session_username."@flrc.local", $valid_session_password) or die("Can't bind to server.");
$sr = ldap_search($ad, $dn, $filter);


$found = false;

if ($sr !== false) {
    $count = ldap_count_entries ($ad, $sr);
    if ($count !== false && $count > 0) {
     $found = true;
    }
}

if ($found === true) {
    print $valid_session_username.' does have access to this page';
} else {
    print $valid_session_username.' does NOT have access to this page';
}


?>

I have no idea what I'm missing. When I submit my credentials it says "SRAY does have access to this page", which is what it is supposed to say since SRAY is part of that group. It also says this for another username/password that is NOT part of that security group.

Your filter is looking for any user that is a direct member of the Internet-Purchasing-Allowed group. You need to add (sAMAccountName=$valid_session_username) to your filter.

  1. You must define sAMAccountName in your filter:

     //MEMBER OF THIS GROUP
     $dn = "DC=FLRC,DC=local";
     $group = "CN=Internet-Purchasing-Allowed,OU=Security Groups,DC=FLRC,DC=LOCAL";
     $filter = "(&(objectClass=user)(sAMAccountName=".$valid_session_username.")(memberOf=".$group."))";

  2. You must bind to LDAP with an account that has the necessary rights. Create an administrator account that has read permissions on all of "OU=Security Groups". Then bind with it in your code:

     $bd = ldap_bind( $ad, $admin_session_username."@flrc.local", $admin_session_password) or die("Can't bind to server.");
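Putting both answers together, here is an added example (not code from the question or either answer) of a complete check: look the user up with a dedicated lookup account and a filter that names the user, then prove the password by binding as that user's own DN. The host URI, the lookup account name `svc-web-ldap`, the `LDAP_SVC_PASSWORD` environment variable and the `userInGroup()` function are assumptions for illustration; the base DN and group DN are the ones from the question. It also covers three things the posted code does not: the username is run through `ldap_escape()` before it is placed in the filter (otherwise `*` or `)(` in the POST value rewrites the query), an empty password is rejected up front (an empty password makes `ldap_bind()` perform an anonymous bind, which AD accepts, so it would otherwise "authenticate" any name), and the username is HTML-escaped before it is echoed back.

```php
<?php
// Added example, not from the original question or answers.
// Connection details and the lookup account are assumptions; replace them.
declare(strict_types=1);

define('LDAP_URI', 'ldaps://srv-flc-dc03.flrc.local');   // assumed: LDAPS, so credentials are not sent in clear
define('BASE_DN',  'DC=FLRC,DC=local');
define('GROUP_DN', 'CN=Internet-Purchasing-Allowed,OU=Security Groups,DC=FLRC,DC=LOCAL');
define('SVC_USER', 'svc-web-ldap@flrc.local');           // assumed: read-only lookup account
define('SVC_PASS', getenv('LDAP_SVC_PASSWORD') ?: '');    // assumed: never hard-code it in the page

/**
 * True only when $username authenticates against AD AND is a direct member of
 * GROUP_DN. Every failure path returns false so the check cannot fail open.
 */
function userInGroup(string $username, string $password): bool
{
    // 1. Reject bad input before touching LDAP. An empty password would turn the
    //    later ldap_bind() into an anonymous bind, which AD accepts.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $ad = ldap_connect(LDAP_URI);
    if ($ad === false) {
        return false;
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

    // 2. Bind with the lookup account and search for THIS user in THIS group.
    //    ldap_escape() neutralises * ( ) \ and NUL in the user-supplied value.
    if (!@ldap_bind($ad, SVC_USER, SVC_PASS)) {
        ldap_unbind($ad);
        return false;
    }
    $safeUser  = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $safeGroup = ldap_escape(GROUP_DN, '', LDAP_ESCAPE_FILTER);
    // memberOf matches direct membership only. For nested groups, AD supports
    // the LDAP_MATCHING_RULE_IN_CHAIN rule instead:
    //   (memberOf:1.2.840.113556.1.4.1941:={$safeGroup})
    $filter = "(&(objectClass=user)(sAMAccountName={$safeUser})(memberOf={$safeGroup}))";

    $sr = @ldap_search($ad, BASE_DN, $filter, ['distinguishedName']);
    if ($sr === false || ldap_count_entries($ad, $sr) !== 1) {
        ldap_unbind($ad);
        return false;           // no such user, not in the group, or ambiguous
    }
    $dn = ldap_get_dn($ad, ldap_first_entry($ad, $sr));

    // 3. Prove the caller knows the password: bind as the user's own DN.
    $ok = @ldap_bind($ad, $dn, $password);
    ldap_unbind($ad);
    return $ok;
}

// Usage in the form handler. Never echo the raw POST value back into HTML.
$user  = $_POST['username'] ?? '';
$pass  = $_POST['password'] ?? '';
$label = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');

if (userInGroup($user, $pass)) {
    echo "{$label} does have access to this page";
} else {
    http_response_code(403);
    echo "{$label} does NOT have access to this page";
}
```

The lookup account only needs read access to user objects and their memberOf attribute; a dedicated low-privilege service account is enough, and its password should come from the environment or a secrets store rather than the PHP source. If you cannot use `ldaps://`, call `ldap_start_tls($ad)` right after `ldap_connect()` before any bind, so the user's password is not sent in clear text to the domain controller.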

The technical posts on this site are licensed under CC BY-SA 4.0; if you reprint, credit the site URL or the original address. © 2020-2024 STACKOOM.COM