我能够绑定到AD服务器,但我无法理解如何验证特定组中的成员身份。我想要做的是检查用户是否是“DOMAIN \ IT”组的一部分,如果是这样,请分配一个我以后可以使用的会话变量。以下是我到目前为止的情况:
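if (isset($_POST["submit"])){
    // The posted username is spliced into the bind name as-is; it is only
    // ever used for the simple bind below, never in a search filter.
    $ldaprdn = "DOMAIN\\" . $_POST["username"]; // ldap rdn or dn
    $ldappass = $_POST["password"]; // associated password
} else {
    $ldaprdn = "noUserName"; // ldap rdn or dn
    $ldappass = "noPassWord"; // associated password
}
//check login form post submission and blank values
if (isset($_POST["submit"])){
    // A blank password must never reach ldap_bind(): a bind with a name and
    // an empty password is an anonymous/unauthenticated bind, which succeeds
    // against AD and would mark the visitor as logged in.
    $hasUser = isset($_POST["username"]) && $_POST["username"] !== "";
    $hasPass = $ldappass !== "";
    if ($_SESSION["blanklogin"] !== "1" && $hasUser && $hasPass){
        // connect to ldap server
        $ldapconn = ldap_connect("DC01.ROOT.DOMAIN.ORG")
            or die("Could not connect to LDAP server.");
        if ($ldapconn) {
            // Active Directory rejects simple binds over LDAPv2; request v3 and
            // stop referral chasing before the bind.
            ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
            // Upgrade the plain port-389 connection to TLS so the password is
            // not sent in clear text (an ldaps:// URI in ldap_connect() is the
            // alternative). Fail closed if the server refuses.
            ldap_start_tls($ldapconn)
                or die("Could not start TLS with LDAP server.");
            // binding to ldap server
            $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
            // verify binding
            if ($ldapbind) {
                $_SESSION["login"] = "1";
                // TODO: check group membership while the connection is still
                // bound: search for groups whose member attribute contains the
                // user's DN (the 1.2.840.113556.1.4.1941 matching rule resolves
                // nested groups) and set a session variable when DOMAIN\IT is
                // among the results.
                session_regenerate_id( true );
                $_SESSION["blanklogin"] = "0";
                ldap_unbind( $ldapconn );
                // Nothing may be echoed before header(): the success messages
                // that used to precede it triggered "headers already sent" and
                // left the redirect unsent. exit stops the script so no further
                // output is produced for the redirected response.
                header("Location: index.php");
                exit;
            } else {
                echo "LDAP bind for "; echo $ldaprdn; echo " Failed...<br />";
                $_SESSION["login"] = "0";
                $_SESSION["blanklogin"] = "0";
                ldap_unbind( $ldapconn );
            }
        }
    } else {
        echo "Username & Password Required<br />";
    }
}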
答案 0 :(得分:0)
以下代码取自我的一个项目,并返回用户所属的组名列表,包括递归。您应该可以使用它来检查您想要的内容:
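$ldapConnection = ldap_connect($ldapServerAddress, $ldapServerPort);
// Do something to handle connection failure here, this is just what I did.
// The check has to precede ldap_set_option(): handing it false is an error.
if ($ldapConnection === false) throw new ActiveDirectoryConnectionException();
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
// Refuse an empty password up front: ldap_bind() with a name and no password
// is an anonymous bind, which succeeds and would slip past the check below.
// (The original read the misspelled $dapPassword, i.e. null, so every bind
// was effectively anonymous.)
if (!isset($ldapPassword) || $ldapPassword === '') throw new ActiveDirectoryAuthenticationException();
$ldapBind = ldap_bind($ldapConnection, $ldapUsername, $ldapPassword);
// Do something to handle binding failure here, this is just what I did.
if ($ldapBind === false) throw new ActiveDirectoryAuthenticationException();
// Escape the DN before splicing it into the filter so special characters in
// it cannot change the query (ldap_escape needs PHP 5.6+). The matching rule
// 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes AD evaluate
// member transitively, so nested groups are included.
$filter = "(member:1.2.840.113556.1.4.1941:=" . ldap_escape($userDN, '', LDAP_ESCAPE_FILTER) . ")";
$result = ldap_search($ldapConnection, $ldapSearchRoot, $filter, array("sAMAccountName", "dn"));
// Do something to handle query failure here, this is just what I did.
if ($result === false) throw new ActiveDirectorySearchException(ldap_error($ldapConnection), ldap_errno($ldapConnection));
$groups = ldap_get_entries($ldapConnection, $result);
if ($groups === false) throw new ActiveDirectorySearchException(ldap_error($ldapConnection), ldap_errno($ldapConnection));
$groupNames = array();
for ($i = 0; $i < $groups['count']; $i++)
{
    // Attribute keys come back lower-cased; skip entries without a
    // sAMAccountName instead of appending null to the list.
    if (isset($groups[$i]['samaccountname'][0])) {
        $groupNames[] = $groups[$i]['samaccountname'][0];
    }
}
// The connection is not needed past this point; release it.
ldap_unbind($ldapConnection);
return $groupNames;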