Reputation: 11
Ok... I've dug through the examples etc. on here and I'm still having issues.
<?php
// SHOW ERRORS 0=NO 1=YES
ini_set('display_errors', '1');

// USER: credentials submitted by the login form
$valid_session_username = $_POST["username"];
$valid_session_password = $_POST["password"];

// MEMBER OF THIS GROUP
$dn = "DC=FLRC,DC=local";
$group = "CN=Internet-Purchasing-Allowed,OU=Security Groups,DC=FLRC,DC=LOCAL";
// Filter: user objects that are direct members of $group
$filter = "(&(objectClass=user)(memberOf=$group))";

$ad = ldap_connect("srv-flc-dc03") or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

// Bind with the submitted credentials; this is the authentication step
$bd = ldap_bind($ad, $valid_session_username . "@flrc.local", $valid_session_password) or die("Can't bind to server.");

// Search for matching entries and treat any hit as "access granted"
$sr = ldap_search($ad, $dn, $filter);
$found = false;
if ($sr !== false) {
    $count = ldap_count_entries($ad, $sr);
    if ($count !== false && $count > 0) {
        $found = true;
    }
}

if ($found === true) {
    print $valid_session_username . ' does have access to this page';
} else {
    print $valid_session_username . ' does NOT have access to this page';
}
?>
I have no idea what I'm missing. When I submit my credentials it says "SRAY does have access to this page", which is what it is supposed to say since SRAY is part of that group. It also says this for another username/pass that is NOT part of that security group.
Upvotes: 1
Views: 3436
Reputation: 9913
You must define sAMAccountname in your filter
// MEMBER OF THIS GROUP
$dn = "DC=FLRC,DC=local";
$group = "CN=Internet-Purchasing-Allowed,OU=Security Groups,DC=FLRC,DC=LOCAL";
// Restrict the search to the user who logged in; escape the value so user input cannot alter the filter
$user = ldap_escape($valid_session_username, '', LDAP_ESCAPE_FILTER);
$filter = "(&(objectClass=user)(sAMAccountName=" . $user . ")(memberOf=" . $group . "))";
You must bind the LDAP with an account that has the necessary rights. Create an administrator account that has read permissions on all the "OU=Security Groups". Then bind with it in your code.
// $admin_session_username / $admin_session_password hold the service account's credentials (defined elsewhere)
$bd = ldap_bind($ad, $admin_session_username . "@flrc.local", $admin_session_password) or die("Can't bind to server.");
Upvotes: 0
Reputation: 7878
Your filter is looking for any user that is a direct member of the Internet-Purchasing-Allowed group. You need to add (sAMAccountName=$valid_session_username) to your filter.
Upvotes: 1
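Putting both answers together, here is an added example (not code from the asker or either answerer) of a complete membership check: authenticate with the user's own bind, then search as a read-only service account with the username in the filter. The host, the service account name, the environment variable and the use of LDAPS are assumptions; the group DN and realm are taken from the question. It also goes one step further than the answers by using the AD matching rule that covers nested group membership.

```php
<?php
// Returns true only if the user authenticates AND is a (possibly nested) member of the group.
function userIsInGroup(string $username, string $password): bool
{
    // Assumed: a read-only service account used just for the search, never the user's credentials.
    $svcUser = 'svc-ldap-reader@flrc.local';   // placeholder account name
    $svcPass = getenv('LDAP_SVC_PASSWORD');    // placeholder; keeps the secret out of source
    $baseDn  = 'DC=FLRC,DC=local';
    $groupDn = 'CN=Internet-Purchasing-Allowed,OU=Security Groups,DC=FLRC,DC=LOCAL';

    // An empty password turns ldap_bind into an anonymous bind, which AD accepts; reject it up front.
    if ($username === '' || $password === '' || $svcPass === false) {
        return false;
    }

    $ad = ldap_connect('ldaps://srv-flc-dc03'); // assumed LDAPS so credentials are not sent in clear
    if ($ad === false) {
        return false;
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

    // Step 1: authenticate the user with their own credentials (bind only, no search yet).
    if (@ldap_bind($ad, $username . '@flrc.local', $password) === false) {
        ldap_unbind($ad);
        return false;
    }

    // Step 2: re-bind as the service account, which has read rights on the Security Groups OU.
    if (@ldap_bind($ad, $svcUser, $svcPass) === false) {
        ldap_unbind($ad);
        return false;
    }

    // Escape both values so user-supplied input cannot change the meaning of the filter.
    $user  = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $group = ldap_escape($groupDn,  '', LDAP_ESCAPE_FILTER);
    // A plain (memberOf=...) clause matches direct members only; the matching rule
    // 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) also resolves nested groups.
    $filter = "(&(objectClass=user)(sAMAccountName=$user)(memberOf:1.2.840.113556.1.4.1941:=$group))";

    $sr    = ldap_search($ad, $baseDn, $filter, ['sAMAccountName']);
    $count = ($sr !== false) ? ldap_count_entries($ad, $sr) : 0;
    ldap_unbind($ad);

    // Exactly one entry: the authenticated user, found inside the group.
    return $count === 1;
}
```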