<?php
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
/**
* LDAPSearcher: looks an account up in the LDAP (Active Directory) server and
* checks, after a bind with the user's own credentials, whether it is in the admin group.
*
* @author Brad
*/
require_once 'User.php';
require_once 'LDAPSearcherConf.php';
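class LDAPSearcher {
    /**
     * LDAP link for the lookup in progress (a resource, or LDAP\Connection on
     * PHP >= 8.1). Opened by connect() at the start of each public call and
     * released by disconnect() before every return.
     */
    protected $conn;

    /*
     * Open a fresh link to LDAPHost and set the options an LDAP v3 / Active
     * Directory bind and search need.
     *
     * ldap_connect() only validates the URI and allocates the link; the first
     * network round-trip -- and therefore the first "server unreachable"
     * failure -- happens inside ldap_bind(). Both failures die(), as before.
     *
     * NOTE(review): unless LDAPHost is an ldaps:// URI, the simple binds in
     * getUser() and isAdmin() send LDAPServiceAccountPassword and the user's
     * password to the server in cleartext. Use ldaps:// or add
     * ldap_start_tls($this->conn) here -- confirm what the server supports.
     */
    private function connect()
    {
        $this->conn = ldap_connect(LDAPHost) or die("Could not contact LDAP Server!");
        // Most directories (AD included) expect LDAPv3 for a simple bind; with
        // referral chasing on, a search rooted at the domain base DN commonly
        // fails with "Operations error" against AD.
        ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($this->conn, LDAP_OPT_REFERRALS, 0);
    }

    /*
     * Release the LDAP link. Safe to call when no link is open, so every
     * return path (found, not found, search failure, bad login) can use it.
     */
    private function disconnect()
    {
        if ($this->conn) {
            ldap_unbind($this->conn);
            $this->conn = null;
        }
    }

    /*
     * Search LDAPBaseDN for the account whose LDAPUserAccountAttribute is
     * exactly $username and return its ldap_get_entries() entry, or null when
     * the search fails or nothing matches exactly.
     *
     * The directory matches sAMAccountName case-insensitively, so every entry
     * that comes back is compared to $username again here with ===.
     *
     * $username is untrusted (it comes from the login form via the callers),
     * so it is filter-escaped with ldap_escape() before it is placed in the
     * search filter; otherwise a value such as "*)(objectClass=*" would
     * rewrite the filter (LDAP injection).
     *
     * Requires $this->conn to be open and already bound.
     */
    private function findExactUser($username)
    {
        $accountAttr = LDAPUserAccountAttribute;
        $filter = '(' . $accountAttr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $result = ldap_search($this->conn, LDAPBaseDN, $filter, array($accountAttr, LDAPUserMailAttribute));
        if ($result === false) {
            return null;
        }
        $entries = ldap_get_entries($this->conn, $result);
        if ($entries === false || $entries['count'] <= 0) {
            return null;
        }
        // ldap_get_entries() lower-cases attribute names in its result array,
        // so a mixed-case constant such as "sAMAccountName" must be lowered too.
        $key = strtolower($accountAttr);
        for ($i = 0; $i < $entries['count']; $i++) {
            if (isset($entries[$i][$key][0]) && $entries[$i][$key][0] === $username) {
                return $entries[$i];
            }
        }
        return null;
    }

    /*
     * See if the supplied username exists in the LDAP server.
     *
     * Binds with the service account, looks for an exact match on
     * LDAPUserAccountAttribute and builds a User from the entry.
     *
     * returns 0 if not found (or the username is empty or the search fails)
     * returns a User object if successful
     */
    public function getUser($username)
    {
        $username = (string) $username;
        if ($username === '') {
            return 0;
        }
        $this->connect();
        ldap_bind($this->conn, LDAPServiceAccount, LDAPServiceAccountPassword) or die("Could not bind to LDAP Server");
        $entry = $this->findExactUser($username);
        // Release the link before building the result so no path leaks it.
        $this->disconnect();
        if ($entry === null) {
            return 0;
        }
        $user = new User();
        $user->setUserName($username);
        // Each attribute in an entry is array('count' => n, 0 => first value, ...);
        // pass the first mail value (like the account-name check above), or
        // null when the account has no mail attribute.
        $mailKey = strtolower(LDAPUserMailAttribute);
        $user->setEmail(isset($entry[$mailKey][0]) ? $entry[$mailKey][0] : null);
        $user->setUserType(0);
        return $user;
    }

    /*
     * Checks if the user is an Admin for the Library based on group membership
     * and checks the users username and password.
     *
     * The bind uses the user's own credentials in UPN form (user@LDAPDomain),
     * so a wrong password never reaches the group check. Membership is then
     * read from the user's own object filtered on memberOf, which lists direct
     * group membership only -- nested groups are not resolved.
     *
     * returns 1 if the user is an admin
     * returns 0 if the user is NOT an admin
     * returns -1 on a login failure (including an empty username or password)
     */
    public function isAdmin($username, $password)
    {
        $username = (string) $username;
        $password = (string) $password;
        // An empty password must never reach ldap_bind(): LDAP servers (AD
        // included) treat a name with an empty password as an *unauthenticated*
        // bind and report success, which would bypass the password check.
        if ($username === '' || $password === '') {
            return -1;
        }
        $this->connect();
        if (!ldap_bind($this->conn, $username . '@' . LDAPDomain, $password)) {
            // login failure
            $this->disconnect();
            return -1;
        }
        $isAdmin = 0;
        $entry = $this->findExactUser($username);
        if ($entry !== null) {
            // ldap_read() on the user's DN with a memberOf filter: a non-empty
            // result means the admin group DN is listed on the account. The
            // group DN is a config constant but is filter-escaped anyway so
            // characters such as '(' or '*' in it cannot alter the filter.
            $filter = '(memberof=' . ldap_escape(LDAPUserAdminGroup, '', LDAP_ESCAPE_FILTER) . ')';
            $groupResult = ldap_read($this->conn, $entry['dn'], $filter, array('memberof'));
            if ($groupResult !== false) {
                $groupEntries = ldap_get_entries($this->conn, $groupResult);
                if ($groupEntries !== false && $groupEntries['count'] > 0) {
                    $isAdmin = 1;
                }
            }
        }
        $this->disconnect();
        return $isAdmin;
    }
}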
?>