1. 首頁
  2. 問答
  3. 使用php和LDAP驗證AD組成員身份

使用php和LDAP驗證AD組成員身份

2014-04-24 86 views
0

我可以綁定到AD服務器,但我無法理解如何驗證特定組中的成員身份。我想要做的是檢查用戶是否屬於「DOMAIN \ IT」組,如果有,請指定一個會話變量,以便以後使用。以下是我迄今爲止:使用php和LDAP驗證AD組成員身份

if (isset($_POST["submit"])){ 

    $ldaprdn = "DOMAIN\\" . $_POST["username"];  // ldap rdn or dn 
    $ldappass = $_POST["password"]; // associated password 
    } else { 
    $ldaprdn = "noUserName";  // ldap rdn or dn 
    $ldappass = "noPassWord"; // associated password 
    } 

    //check login form post submission and blank values 
    if (isset($_POST["submit"])){ 
     if ($_SESSION["blanklogin"] !== "1"){ 
      // connect to ldap server 
      $ldapconn = ldap_connect("DC01.ROOT.DOMAIN.ORG") 
      or die("Could not connect to LDAP server."); 
      if ($ldapconn) { 

      // binding to ldap server 
      $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass); 

      // verify binding 
      if ($ldapbind) { 
       $_SESSION["login"] = "1"; 

    TODO: CHECK GROUP MEMBERSHIP - IF IN GROUP DOMAIN\IT then set session variable. 
       session_regenerate_id(true); 
       echo "LDAP Bind For "; echo $ldaprdn; echo " successful..."; 
         echo "Login Successful"; 
         header("Location: index.php"); 
        } else { 
        echo "LDAP bind for "; echo $ldaprdn; echo " Failed...<br />"; 
        $_SESSION["login"] = "0"; 
        } 
       $_SESSION["blanklogin"] = "0"; 
       ldap_unbind($ldapconn); 
       } 
       } else { 
       echo "Username & Password Required<br />"; 
      } 
      }

來源

2014-04-24 Prince Ali

回答

0

下面的代碼是從我的一個項目採取並返回組名的列表中的用戶是其成員,包括遞歸。你應該可以用它來檢查你想要的東西:

$ldapConnection = ldap_connect($ldapServerAddress, $ldapServerPort); 
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); 
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0); 

// Do something to handle connection failure here, this is just what I did. 
if ($ldapConnection === false) throw new ActiveDirectoryConnectionException(); 

$ldapBind = ldap_bind($ldapConnection, $ldapUsername, $dapPassword); 

// Do something to handle binding failure here, this is just what I did. 
if ($ldapBind === false) throw new ActiveDirectoryAuthenticationException(); 

$result = ldap_search($ldapConnection, $ldapSearchRoot, "(member:1.2.840.113556.1.4.1941:=" . $userDN . ")", array("sAMAccountName", "dn")); 

// Do something to handle query failure here, this is just what I did. 
if ($result === false) throw new ActiveDirectorySearchException(ldap_error($ldapConnection), ldap_errno($ldapConnection)); 

$groups = ldap_get_entries($ldapConnection, $result); 

$groupNames = array(); 

for ($i = 0; $i < $groups['count']; $i++) 
{ 
    $groupNames[] = $groups[$i]['samaccountname'][0]; 
} 

return $groupNames;

來源

2014-04-25 14:12:45 Ashigore

+0

很好,非常感謝你@Ashigore! –

相關問題

 相關問題