Verifying AD group membership with PHP and LDAP

Time: 2014-04-24 13:36:41

Tags: php active-directory ldap

I am able to bind to the AD server, but I cannot work out how to verify membership in a specific group. What I want to do is check whether the user is part of the "DOMAIN\IT" group and, if so, assign a session variable that I can use later. Here is what I have so far:

    if (isset($_POST["submit"])) {
        $ldaprdn  = "DOMAIN\\" . $_POST["username"];   // ldap rdn or dn
        $ldappass = $_POST["password"];                // associated password
    } else {
        $ldaprdn  = "noUserName";    // ldap rdn or dn
        $ldappass = "noPassWord";    // associated password
    }

    // check login form post submission and blank values
    if (isset($_POST["submit"])) {
        if ($_SESSION["blanklogin"] !== "1") {
            // connect to ldap server
            $ldapconn = ldap_connect("DC01.ROOT.DOMAIN.ORG")
                or die("Could not connect to LDAP server.");
            if ($ldapconn) {
                // binding to ldap server
                $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

                // verify binding
                if ($ldapbind) {
                    $_SESSION["login"] = "1";

                    // TODO: CHECK GROUP MEMBERSHIP - IF IN GROUP DOMAIN\IT then set session variable.
                    session_regenerate_id(true);
                    echo "LDAP Bind For "; echo $ldaprdn; echo " successful...";
                    echo "Login Successful";
                    header("Location: index.php");
                } else {
                    echo "LDAP bind for "; echo $ldaprdn; echo " Failed...<br />";
                    $_SESSION["login"] = "0";
                }
                $_SESSION["blanklogin"] = "0";
                ldap_unbind($ldapconn);
            }
        } else {
            echo "Username & Password Required<br />";
        }
    }

1 answer:

Answer 0: (Score: 0)

The following code is taken from one of my projects and returns the list of names of the groups the user belongs to, including nested groups. You should be able to use it to check what you want:

    $ldapConnection = ldap_connect($ldapServerAddress, $ldapServerPort);
    // Active Directory requires LDAPv3; disabling referral chasing avoids
    // anonymous follow-up binds to other DCs.
    ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);

    // Do something to handle connection failure here, this is just what I did.
    if ($ldapConnection === false) throw new ActiveDirectoryConnectionException();

    $ldapBind = ldap_bind($ldapConnection, $ldapUsername, $ldapPassword);

    // Do something to handle binding failure here, this is just what I did.
    if ($ldapBind === false) throw new ActiveDirectoryAuthenticationException();

    // 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the DC returns
    // every group whose member chain (direct or nested) contains $userDN.
    $result = ldap_search($ldapConnection, $ldapSearchRoot, "(member:1.2.840.113556.1.4.1941:=" . $userDN . ")", array("sAMAccountName", "dn"));

    // Do something to handle query failure here, this is just what I did.
    if ($result === false) throw new ActiveDirectorySearchException(ldap_error($ldapConnection), ldap_errno($ldapConnection));

    $groups = ldap_get_entries($ldapConnection, $result);

    $groupNames = array();

    // ldap_get_entries() lower-cases attribute names and prepends a 'count' key.
    for ($i = 0; $i < $groups['count']; $i++)
    {
        $groupNames[] = $groups[$i]['samaccountname'][0];
    }

    return $groupNames;
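One way to fill in the TODO from the question, as an added example that is neither the asker's nor the answerer's code. It uses the same recursive matching rule as the answer but asks the question the other way round (is this one group in the user's transitive memberOf chain?), escapes user-supplied values with `ldap_escape()` (PHP 5.6+) so form input cannot alter the filter, and assumes the search base `DC=ROOT,DC=DOMAIN,DC=ORG` derived from the question's server name and that the group "DOMAIN\IT" has sAMAccountName `IT`.

```php
<?php
// Added example, not from the original post. Assumes: an LDAPv3 connection
// already bound as the user, the search base DC=ROOT,DC=DOMAIN,DC=ORG, and
// that "DOMAIN\IT" is the group with sAMAccountName "IT".

/**
 * Returns true if $samAccountName is a member of the group $groupSam,
 * directly or through nested groups; false if not; null if the user or
 * group cannot be resolved to exactly one object.
 */
function isInAdGroup($ldapConn, $baseDn, $samAccountName, $groupSam)
{
    // Escape everything that ends up inside a filter (RFC 4515) so that
    // characters such as * ( ) \ in form input cannot widen the search.
    $userFilter  = '(&(objectClass=user)(sAMAccountName='
                 . ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER) . '))';
    $groupFilter = '(&(objectClass=group)(sAMAccountName='
                 . ldap_escape($groupSam, '', LDAP_ESCAPE_FILTER) . '))';

    $userDn  = firstDn($ldapConn, $baseDn, $userFilter);
    $groupDn = firstDn($ldapConn, $baseDn, $groupFilter);
    if ($userDn === null || $groupDn === null) {
        return null;
    }

    // LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) on memberOf makes
    // the DC walk nested groups for us. A base-scope read of the user object
    // with this filter returns the object only if the group is in the chain.
    $filter = '(memberOf:1.2.840.113556.1.4.1941:='
            . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . ')';
    $res = ldap_read($ldapConn, $userDn, $filter, array('dn'));
    return $res !== false && ldap_count_entries($ldapConn, $res) === 1;
}

/** Resolve a filter to a single DN under $baseDn, or null if not exactly one hit. */
function firstDn($ldapConn, $baseDn, $filter)
{
    $res = ldap_search($ldapConn, $baseDn, $filter, array('dn'));
    if ($res === false || ldap_count_entries($ldapConn, $res) !== 1) {
        return null;
    }
    return ldap_get_dn($ldapConn, ldap_first_entry($ldapConn, $res));
}

// At the TODO in the question, after ldap_bind() succeeded as the user:
//   ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD needs v3
//   $inIt = isInAdGroup($ldapconn, 'DC=ROOT,DC=DOMAIN,DC=ORG', $_POST['username'], 'IT');
//   $_SESSION['isIT'] = ($inIt === true) ? '1' : '0';
```

The check treats "could not resolve" (null) the same as "not a member" when setting the session flag, so a lookup failure never grants access; note that a user's primary group is not listed in memberOf, so membership via the primary group alone is not detected by this filter.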