仅使用sudo用户和密码从PHP使用LDAP验证用户?

时间:2014-04-01 12:17:54

标签: php ldap

如何使用带有sudo用户和密码的LDAP对PHP进行身份验证?

我发现了一个简单的php脚本,用于对用户进行身份验证,但我的ldap数据库中有nosudo用户和sudo用户。

此脚本验证所有用户sudo以及nosudo用户,我只希望sudo用户能够登录。那么请你修改一下吗?

Php脚本 

// get username and password from form


$username = $_POST['username'];


$password = $_POST['password'];
/*
   * checks the credentials against the LDAP server
   * $user - myBYU
   * $pass - password
*/



 function authenticate($user,$pass){

  // prevents guest account access
  if($pass == ""){
     return false;
  }

  try{

     $Yldap_location = "ldap://ldap.byu.edu";
     $ldap_port = 389;

     // call the ldap connect function
     $Ydatabase = ldap_connect($Yldap_location, $ldap_port);

     // bind the connection
     $good = @ldap_bind($Ydatabase, "uid=".$user.",ou=People,o=BYU.edu", $pass);

     if($good){
        // valid credentials
        return true;
     }
     else{
        // invalid credentials
        return false;
     }

  }
  catch(Exception $e){
     return false;
  }


 }

   // call authenticate function



if(authenticate($username,$password)){
  // authenticate successful

     // set session
     $_SESSION['loggedin'] = "true";

     // redirect
     echo $_SESSION['loggedin'];
     $url = "http://orca.byu.edu/iacuc/".$_SESSION['url'];
     header("Location: ".$url);
}


else{

  // authenticate fails

     // redirect to login
     header("Location: http://orca.byu.edu/iacuc/Login.php");


}




**Sudo User Ldif is**
dn: uid=rupesh,ou=example,dc=example,dc=com

cn: Rupesh Jeevanrao Shewalkar

gidnumber: 502

homedirectory: /home/rupesh

loginshell: /bin/bash

mail: rupesh.shewalkar@example.com

mobile: 99999999

objectclass: extensibleObject

objectclass: posixAccount

objectclass: top

objectclass: shadowAccount

objectclass: sudoRole

shadowlastchange: 16148

shadowmax: 99999

shadowmin: 0

shadowwarning: 7

sudocommand: ALL

sudohost: ALL

sudooption: logfile=/var/log/sudo.log

sudooption: timestamp_timeout=5

sudooption: ignore_local_sudoers

sudooption: !env_reset

sudooption: log_year

sudooption: log_host

sudooption: insults

sudouser: rupesh

uid: rupesh

uidnumber: 2164

userpassword: welcome123

------------------------------


**Non sudo user LDIF:**


dn: uid=contactus,ou=example,dc=example,dc=com

cn: contactus

gidnumber: 502

homedirectory: /home/contactus

loginshell: /bin/bash

mail: Contact.Us@example.com

objectclass: extensibleObject

objectclass: posixAccount

objectclass: top

objectclass: shadowAccount

objectclass: sudoRole

shadowlastchange: 15621

shadowmax: 99999

shadowmin: 0

shadowwarning: 7

uid: contactus

uidnumber: 2108

userpassword:welcome@123

1 个答案:

答案 0 :(得分:0)

我首先对具有给定uid的用户执行LDAP搜索,该用户也将属性objectclass设置为 sudorole 。如果没有返回结果,则表示用户名错误或用户不是sudoer。

如果有结果,可以使用结果dn来检查提供的密码。我在https://gist.github.com/heiglandreas/5689592准备了一个完整的代码示例。

您需要调整第38行中从objectclass=posixAccountobjectclass=sudorole的过滤器。

希望有所帮助

相关问题
最新问题