Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PHP and LDAP issues for authentication

Status
Not open for further replies.

GigaG

Technical User
Aug 28, 2007
83
US
I have an LDAP database (windows 03 AD) and using php 5.2 to access the database. the problem I am having is getting the member of array to loop and then decide if they are part of the group that is authorized to view the page... below is what i have done so far.


<?
/******globals needed for included pages***/

global $displayname;
global $company;
$user =& JFactory::getUser();

/*************Ens of globals needed for included pages***/

$dn = "OU=Coleman-users,DC=coleman-home,DC=com";

$attributes = array("displayname","memberof","1");

$filter = "(cn=" .$user->name.")";

$ad = ldap_connect("server02.coleman-home.com")
or die("Couldn't connect to AD!");

ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);

$bd = ldap_bind($ad,"administrator@coleman-home.com","****")
or die("Couldn't bind to AD!");

$result = ldap_search($ad, $dn, $filter, $attributes);

$entries = ldap_get_entries($ad, $result);

$i=0;

while($i < 5 ){


$displayname=$entries[0]["displayname"][0];

$member[$i]=$entries[0]["memberof"][$i];
//echo $member[$i];
$i++;
if($member[$i]=="CN=WSS_ADMIN_WPG,CN=Users,DC=coleman-home,DC=com"){


echo "You are authorized to see this" . $displayname. "<br><br>";

//echo $member ."<br>";

exit;



}
else{


echo "you are not authorized";
}
}
//$company=$entries[0]["company"][0];
//echo $member .
"<br />";

//echo $entries[0]["company"][0].
"<br />";
//}

ldap_unbind($ad);

?>


I am able to connect and get the data, so i guess this is more of a php question that anything else.

Thanks

MCP ACA-I CTP
 
it's not clear from your description where your error is. try this perhaps

Code:
<?php
foreach($entries as $entry){
		
   $displayname= is_array($entry["displayname"]) ? $entry['displayname'][0] : $entry['displayname'];
   foreach ($entry['memberof'] as $m){
   	if ($m == "CN=WSS_ADMIN_WPG,CN=Users,DC=coleman-home,DC=com"){
   		echo 'You are authorised to see this. ' . $displayname;
		break (2);
   	}
   }
}
?>
 
to:eek:p

[0] On the face of it, your tempted loop over memberof is already error pronged, such as the positioning of the $i++ etc. Also, I doubt "displayname" return an array at all...

[1] If it is sufficient to check direct memebership only, you can script the memberof directly into the filter and forget about the loop the return for checking. That sufficency of directly membership check is an info related to the design of the particular ad, it would not be a general statement.
[tt]
$filter = "[blue](&[/blue](cn=" .$user->name.")"[blue] . "(memberof=CN=WSS_ADMIN_WPG,CN=Users,DC=coleman-home,DC=com))[/blue]";
[/tt]
[2] If you need to check indirect membership (nested group), then a sort of recursive search is needed. It would need much expansion of the memberof looping: checking the membership of the group in another group...

[2.1] If however you are working on win2k3 up, you can again use a single filter without appealling to recursive search. LDAP_MATCHING_RULE_IN_CHAIN is a new matching rule supported by 2k3 server. This is what it should look like.
[tt]
$filter = "[blue](&[/blue](cn=" .$user->name.")"[blue] . "(memberof:1.2.840.113556.1.4.1941:=(CN=WSS_ADMIN_WPG,CN=Users,DC=coleman-home,DC=com)))[/blue]";
[/tt]
[3] One way or another, the non-empty return of entries
[tt] $entries["count"] != 0[/tt]
would mean that the user is authorization to see the info, otherwise, not authorized.
 
Thank you I ended up doing something similar to tsuji suggestion... and yes the i++ should have been at the end of the statement and the displayname needed to loop for a drop down of names that I was going to use, but I'm not sure why you werer refering to the [0] when I was using [$i] in the memberof section

Thank you in either case for the info.

MCP ACA-I CTP
 
tsuji

What would I user as a filter if i just wanted to search for group membership??

$filter= "(memberof=CN=Sales_Representatives,OU=CINET,OU=CarouselEveryone,DC=CHARLESTOWN,DC=CAROUSELINDUSTRIES,DC=com*))";

This does not seem to work

MCP ACA-I CTP
 
[tt]$filter="(&(cn=jdoe)(objectClass=user)" .
"(memberof=CN=Sales_Representatives,OU=CINET,OU=CarouselEveryone," .
"DC=CHARLESTOWN,DC=CAROUSELINDUSTRIES,DC=com))";[/tt]

ps: I break it into multiple lines to avoid width post.
pps: What is the star at com* for in the above post?
 
cn=jdoe is an illustration of what you'd scripted like user->name, whatever it gives.
 
I'm sorry I didn't ask the right question... i wanted to list all members in the group.

MCP ACA-I CTP
 
Use base search (ldap_read) is enough as you know exact the dn of the group.
[tt]
$dn = "CN=Sales_Representatives,OU=CINET,OU=CarouselEveryone," .
"DC=CHARLESTOWN,DC=CAROUSELINDUSTRIES,DC=com";
$filter = "(objectclass=*)";
$attributes = array("member");
$result = ldap_read($ad, $dn, $filter, $attributes);
[/tt]
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top