Session login to LDAP in PHP using access credentials

Time: 2018-03-30 20:14:11

Tags: php active-directory ldap session-variables ldap-query

I am new to PHP and am working with an LDAP login script that logs in to the LDAP server using organizational credentials and then validates the user's username and password against Active Directory.
There are several good examples out there; I have been following this one and modifying it to fit my particular needs. My question is: in my organization's old system (in Classic ASP) there are 2 functions:

  1. BindReturnUPN(username, domain) (this returns the 'userPrincipalName')

  2. BindAuthUPN(upn, password) (this takes the 'userPrincipalName' from the BindReturnUPN function and then returns an error number and error description, which determines whether the user is logged in via $_SESSION['access'].)

Is there anything in this PHP example similar to the 2 functions used in the Classic ASP system? I have been thinking I could use the organization's login credentials 'hard-coded' to access LDAP and then search for a matching username and password (from the form), although I am not sure how to check the bind for them. Maybe an inner if/then condition that checks the username/password bind, inside the outer organization-credential bind check? This script works for me and shows that I have logged in successfully, but I am not sure about the bind and how to check the username/password against AD. Any pointers are appreciated.

Here is my code so far (the `$_SESSION['access']` variable determines whether the user is logged in):

login.php

    <?php
    // initialize session
    session_start();
    include("authenticate.php");

    // check to see if user is logging out
    if(isset($_GET['out'])) {
        // destroy session
        session_unset();
        $_SESSION = array();
        unset($_SESSION['user'],$_SESSION['access']);
        session_destroy();
    }

    // check to see if login form has been submitted
    if(isset($_POST['userLogin'])){
        // run information through authenticator
        if(authenticate($_POST['userLogin'],$_POST['userPassword'])) {
            // authentication passed
            header("Location: protected.php");
            die();
        } else {
            // authentication failed
            $error = 1;
        }
    }

    // output error to user
    if(isset($error)) echo "Login failed: Incorrect user name, password, or rights<br />";
    // output logout success
    if(isset($_GET['out'])) echo "Logout successful";
    ?>
    <form action="login.php" method="post">
    User: <input type="text" name="userLogin" /><br />
    Password: <input type="password" name="userPassword" />
    <input type="submit" name="submit" value="Submit" />
    </form>

authenticate.php

    <?php
    function authenticate($user, $password) {
        if(empty($user) || empty($password)) return false;

        // active directory server
        $ldap_host = "server.college.school.edu";

        // active directory DN (base location of ldap search)
        $ldap_dn = "OU=Departments,DC=college,DC=school,DC=edu";

        // active directory user group name
        $ldap_student_group = "ALL-STUDENTS";

        // domain, for purposes of constructing $user
        $ldap_usr_dom = 'college\web-account';

        $ldap_password = "password_students";

        // connect to active directory
        $ldap = ldap_connect($ldap_host);

        // configure ldap params
        ldap_set_option($ldap,LDAP_OPT_PROTOCOL_VERSION,3);
        ldap_set_option($ldap,LDAP_OPT_REFERRALS,0);

        // verify user and password
        //if($bind = @ldap_bind($ldap, $user.$ldap_usr_dom, $password)) {
        if($bind = @ldap_bind($ldap, $ldap_usr_dom, $ldap_password)) {
            // valid
            // check presence in groups
            //$filter = "(sAMAccountName=".$user.")";
            // escape the form value so it cannot rewrite the filter (LDAP injection)
            $filter = "(cn=".ldap_escape($user, '', LDAP_ESCAPE_FILTER).")";
            $attr = array("memberof");

            $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");

            $entries = ldap_get_entries($ldap, $result);
            ldap_unbind($ldap);

            // no such user, or user has no group memberships
            if($entries['count'] == 0 || !isset($entries[0]['memberof'])) return false;

            // check groups
            $access = 0;
            foreach($entries[0]['memberof'] as $key => $grps) {
                // ldap_get_entries() adds a 'count' element to every attribute array
                if($key === 'count') continue;
                // is student group, break loop (strpos() can legitimately return 0, so compare to false)
                if(strpos($grps, $ldap_student_group) !== false) { $access = 2; break; }
            }

            if($access != 0) {
                // establish session variables
                // (debug echo removed here: output before header() in login.php breaks the redirect)
                $_SESSION['user'] = $user;
                $_SESSION['access'] = $access;
                return true;
            } else {
                // user has no rights
                return false;
            }

        } else {
            // invalid name or password
            return false;
        }
    }
    ?>

protected.php

    <?php
    // initialize session
    session_start();
    // (debug echo of $_SESSION['access'] removed here: output before header() breaks the redirect)
    if(!isset($_SESSION['user'])) {
        // user is not logged in, do something like redirect to login.php
        header("Location: login.php");
        die();
    }

    if($_SESSION['access'] != 2) {
        // another example...
        // user is logged in but not a student, let's stop him
        die("Access Denied");
    }
    ?>

    <!-- the user name came from the login form, so encode it before echoing it into HTML -->
    <p>Welcome <?= htmlspecialchars($_SESSION['user']) ?>!</p>

    <p><strong>Secret Protected Content Here!</strong></p>

    <p>Mary Had a Little Lamb</p>

    <p><a href="login.php?out=1">Logout</a></p>

    

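The two-step pattern the question describes (look the user up with a service account, then bind as that user to verify the password), as an added example that is not part of the original post. The function names `bindReturnUpn`/`bindAuthUpn`, the `ldaps://` host, the service-account values and the use of `sAMAccountName` as the lookup attribute are assumptions mirroring the Classic ASP pair, not the author's code:

```php
<?php
// Hypothetical helpers modelled on the Classic ASP BindReturnUPN/BindAuthUPN pair.
// Host, base DN and service-account values below are assumed placeholders.
$ldapHost    = "ldaps://server.college.school.edu";   // TLS: a simple bind sends the password in clear
$ldapBaseDn  = "OU=Departments,DC=college,DC=school,DC=edu";
$ldapSvcUser = 'college\web-account';                 // read-only lookup account (assumed)
$ldapSvcPass = "PLACEHOLDER_SERVICE_PASSWORD";

function ldapConnectV3($host) {
    $ldap = ldap_connect($host);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    return $ldap;
}

// Step 1 (BindReturnUPN): bind as the service account, look the user up by
// sAMAccountName and return the userPrincipalName, or null if not found.
function bindReturnUpn($host, $baseDn, $svcUser, $svcPass, $username) {
    $ldap = ldapConnectV3($host);
    if (!@ldap_bind($ldap, $svcUser, $svcPass)) { ldap_unbind($ldap); return null; }
    // ldap_escape() keeps form input from rewriting the search filter
    $filter = "(&(objectClass=user)(sAMAccountName=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . "))";
    $result = ldap_search($ldap, $baseDn, $filter, array("userprincipalname"));
    $entries = $result ? ldap_get_entries($ldap, $result) : array("count" => 0);
    ldap_unbind($ldap);
    if ($entries["count"] !== 1) return null;       // unknown or ambiguous account
    return $entries[0]["userprincipalname"][0] ?? null;
}

// Step 2 (BindAuthUPN): bind as the user with the password from the form.
// Returns [errno, errstr]; errno 0 means the credentials are valid.
function bindAuthUpn($host, $upn, $password) {
    // AD treats an empty password as an anonymous bind, which succeeds: reject it first.
    if ($upn === null || $password === '') return array(49, "Invalid credentials");
    $ldap = ldapConnectV3($host);
    $ok  = @ldap_bind($ldap, $upn, $password);
    $err = array(ldap_errno($ldap), ldap_error($ldap));   // read before unbind
    ldap_unbind($ldap);
    return $ok ? array(0, "Success") : $err;
}

// Usage inside authenticate(): verify the user's own password before touching $_SESSION.
$upn = bindReturnUpn($ldapHost, $ldapBaseDn, $ldapSvcUser, $ldapSvcPass, $_POST['userLogin'] ?? '');
list($errno, $errstr) = bindAuthUpn($ldapHost, $upn, $_POST['userPassword'] ?? '');
if ($errno === 0) {
    // password verified: now run the existing memberOf check and set $_SESSION['access']
} else {
    error_log("LDAP auth failed for " . ($upn ?? '(unknown)') . ": $errno $errstr");
}
```

The empty-password guard matters because the service-account-only bind in the posted `authenticate()` never checks the user's password at all; with this pair, `$_SESSION['access']` is only set after the second bind succeeds.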
0 answers:

No answers