PHP authentication against Active Directory question

This script worked fine when we had an Active Directory administrative account, but now they have taken that away. The functions in the script first verify that there is connectivity to the server; then the getGroup function connects using an administrative username/password and retrieves the groups a user is associated with, and if one of the three is a match, well, that's enough. It basically hung up at the part where the group information is retrieved from the AD server. I've tried just allowing the user to do this, but it doesn't work; it stops at the LDAP search.

Successful bind to ad.ufl.edu with 1

Successful bind to ad.ufl.edu with 1

Unable to search ldap server


<?php
    // Database host, user and password were removed from the post.
    mysql_connect("");
    mysql_select_db("");

function domainAuth($login, $pass) {
    $ldap_host = "ad.ufl.edu";
    $base_dn   = "OU=FRE,OU=IFAS,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu";

    $domain    = "@ufl.edu";
    $ldap_user = $login . $domain;
    $ldap_pass = $pass;

    // An empty password turns ldap_bind() into an anonymous bind, which AD may
    // accept, so refuse it before touching the server.
    if (empty($pass))
        exit("Go back and enter your password");

    // $connect = ldap_connect($ldap_host, $ldap_port)
    $connect = ldap_connect($ldap_host)
        or exit("Could not connect to LDAP server");

    // required to search AD, according to note in PHP manual notes
    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);

    $bind = ldap_bind($connect, $ldap_user, $ldap_pass)
        or exit("Could not bind to $ldap_host");

    echo "Successful bind to $ldap_host with $bind<br><br>\n";

    ldap_unbind($connect);
}


function getGroup($login, $pass) {

    $ldap_host = "ad.ufl.edu";
    $base_dn   = "OU=FRE,OU=IFAS,OU=People,OU=UF,DC=ad,DC=ufl,DC=edu";
    // Escape the login before placing it in the filter so that characters such as
    // "*", "(" or ")" cannot change the query (ldap_escape needs PHP 5.6+).
    $filter    = "(CN=" . ldap_escape($login, "", LDAP_ESCAPE_FILTER) . ")";
    $domain    = "@ufl.edu";
    $ldap_user = $login . $domain;
    $ldap_pass = $pass;
    // This is where we previously had a username and pass of an admin account that
    // could get group memberships of other users.
    // $ldap_user = "user";
    // $ldap_pass = "pass";

    $connect = ldap_connect($ldap_host)
        or exit("Could not connect to LDAP server");

    // required to search AD, according to note in PHP manual notes
    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);

    $bind = ldap_bind($connect, $ldap_user, $ldap_pass)
        or exit("Could not bind to $ldap_host");

    echo "Successful bind to $ldap_host with $bind<br><br>\n";

    $read = ldap_search($connect, $base_dn, $filter)
        or exit("Unable to search ldap server");

    $info = ldap_get_entries($connect, $read);
    echo $info["count"] . " entries returned for $filter<br><br>\n";

    $group = "";
    if ($info["count"] == 0) {
        ldap_unbind($connect);
        return $group;
    }

    // Only the first entry is examined. $info[$i]["count"] is the number of
    // attributes and $info[$i][$ii] the attribute name, lowercased by PHP.
    $i = 0;
    for ($ii = 0; $ii < $info[$i]["count"]; $ii++) {
        $data = $info[$i][$ii];
        if ($data == "memberof") {
            // Use the "count" key: count() would also count that key itself and
            // the loop would read one element past the end.
            $total = $info[$i][$data]["count"];
            echo "Total memberof entries returned: $total<br><br>\n";
            for ($jj = 0; $jj < $total; $jj++) {
                if ($info[$i][$data][$jj] == "CN=. IFAS-FREDStaff,OU=Groups,OU=FRE,OU=IFAS,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu") {
                    //echo "<b>Got Staff Match</b> ";
                    $group = "IF-FREDStaff";
                    break 2;
                } elseif ($info[$i][$data][$jj] == "CN=. IFAS-FREDFaculty,OU=Groups,OU=FRE,OU=IFAS,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu") {
                    //echo "<b>Got Faculty Match</b> ";
                    $group = "faculty";
                    break 2;
                } elseif ($info[$i][$data][$jj] == "CN=. IFAS-FREDGrad,OU=Groups,OU=FRE,OU=Departments,OU=UF,DC=ad,DC=ufl,DC=edu") {
                    //echo "<b>Got Students Match</b> ";
                    $group = "student";
                    break 2;
                }
                // echo $i." ".$ii." ".$jj." ".$data.":&nbsp;&nbsp;".$info[$i][$data][$jj]."<br>\n";
            }
        }
    }

    ldap_unbind($connect);
    return $group;
}

function inFRE($ID) {
    // Escape the ID before interpolating it into SQL.
    $ID     = mysql_real_escape_string($ID);
    $query  = "SELECT * FROM directory WHERE username='$ID'";
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 1) {
        $located = mysql_num_rows($result);
        $data    = mysql_fetch_object($result);
    } else {
        $query   = "SELECT * FROM students WHERE ID='$ID'";
        $result  = mysql_query($query);
        $located = mysql_num_rows($result);
        $data    = mysql_fetch_object($result);
    }

    if ($located) {
        return true;
        //$this->inFRE = true;
    } else {
        return false;
        //$this->inFRE = false;
    }
}


function hasBios($ID) {
    // Escape the ID before interpolating it into SQL.
    $ID     = mysql_real_escape_string($ID);
    $type   = "";
    $query  = "SELECT * FROM directory WHERE username='$ID'";
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 1) {
        $data = mysql_fetch_object($result);
        $type = $data->type;
    } else {
        $query  = "SELECT * FROM students WHERE ID='$ID'";
        $result = mysql_query($query);
        if (mysql_num_rows($result) == 1) {
            $type = "Student";
        }
    }

    if ($type == "Student") {
        $database = "student_bios";
    } elseif ($type == "Faculty") {
        $database = "faculty_bios";
    } elseif ($type == "Staff") {
        $database = "staff_bios";
    } else {
        return 0;   // unknown type: there is no bios table to look in
    }

    $query   = "SELECT bios_ID FROM $database WHERE bios_ID='$ID'";
    $result  = mysql_query($query);
    $hasBios = mysql_num_rows($result);
    return $hasBios;
}


function createSession($login_user) {
    // session_start() and header() only work before any output has been sent,
    // so the echo calls above must not run on the page that calls this.
    session_start();
    $_SESSION["Username"] = "$login_user";
    $_SESSION["LoggedIn"] = 1;
    $sessionID = session_id();
    //SetCookie("sessionID", $sessionID);
    // The old "global $HTTP_REFERER" depended on register_globals; read the
    // header from $_SERVER instead and fall back to the site root if absent.
    $referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "/";
    header("Location: $referer");
    return 1;
}

?>
Asked: adamshields

1 Solution

jdpipe commented:
please clarify what you mean by "active directory administrative account"
are you referring to an ISP feature, or something else. Or is this LDAP terminology?
who is 'they'?
JP

adamshields (Author) commented:
Lol, sorry about my lame explanation of what's going on.

Our department had accounts that could view other users' information. When the college took away those accounts, we no longer had a single account that could view other users' group memberships.

    $read = ldap_search($connect, $base_dn, $filter)
        or exit("Unable to search ldap server");

This is where the script stops.

If it didn't, then it would return results similar to this page http://itns.ifas.ufl.edu/userinfo/index.asp; just plug in the user rsreese.

The function should allow the user to retrieve their information from the LDAP/Active Directory, but I think I am telling the function to do the wrong thing, since now the user needs to see its own info, not a user seeing someone else's directory info.


jdpipe commented:
OK, so perhaps you should try using the ldap_error function to get more information on what the LDAP server is telling you.

    // ldap_error() takes the connection handle; without it PHP has no error to report.
    $read = ldap_search($connect, $base_dn, $filter)
        or exit("Unable to search ldap server: Error: " . ldap_error($connect));
JP

adamshields (Author) commented:
Unable to search ldap server: Error:

For some reason it's not displaying more specific information about the error.

Here's what I have for code, just in case I missed something.

....
    echo "Successful bind to $ldap_host with $bind<br><br>\n";

    // ldap_error() needs the connection handle to return the server's message.
    $read = ldap_search($connect, $base_dn, $filter)
        or exit("Unable to search ldap server: Error: " . ldap_error($connect));

    $info = ldap_get_entries($connect, $read);
    echo $info["count"] . " entries returned for $filter<br><br>\n";
.....

jdpipe commented:
Hmm, nothing obvious. I think there's also an ldap_errno function or something like that which you could also try...
JP
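As an added example (not code from this thread), here is a self-contained version of the bind-as-yourself lookup that applies the thread's debugging advice: when ldap_search() fails it reports ldap_errno()/ldap_error() on the connection handle plus AD's extended diagnostic message, and it escapes the login before building the filter. The host, domain, base DN and group-to-role map are placeholders, and sAMAccountName is assumed to hold the login name.

```php
<?php
// Added example, not from the thread. Placeholders: host, domain, base DN, group map.
// Assumes sAMAccountName holds the login; needs PHP 5.6+ for ldap_escape().
function getUserRole($login, $pass) {
    $ldap_host = 'ad.example.edu';                      // placeholder
    $domain    = '@example.edu';                        // placeholder UPN suffix
    $base_dn   = 'OU=People,DC=ad,DC=example,DC=edu';   // placeholder
    $roles = array(                                     // lowercased group DN => role
        'cn=staffgroup,ou=groups,dc=ad,dc=example,dc=edu'   => 'staff',
        'cn=facultygroup,ou=groups,dc=ad,dc=example,dc=edu' => 'faculty',
    );
    if ($login === '' || $pass === '') {                // avoid an anonymous bind
        return array('ok' => false, 'error' => 'empty login or password');
    }
    $connect = ldap_connect($ldap_host);
    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
    // Bind with the user's own credentials; a failed bind means the password was rejected.
    if (!@ldap_bind($connect, $login . $domain, $pass)) {
        return array('ok' => false, 'error' => 'bind failed: ' . ldap_error($connect));
    }
    // Escape the login so filter metacharacters in it cannot change the query.
    $filter = '(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
    $read = @ldap_search($connect, $base_dn, $filter, array('memberOf'));
    if ($read === false) {
        // The handle is required; AD puts the detailed reason in the diagnostic message.
        $diag = '';
        ldap_get_option($connect, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        $msg = sprintf('search failed: [%d] %s %s', ldap_errno($connect), ldap_error($connect), $diag);
        ldap_unbind($connect);
        return array('ok' => false, 'error' => $msg);
    }
    $entries = ldap_get_entries($connect, $read);
    ldap_unbind($connect);
    if ($entries['count'] !== 1) {                      // exactly one account must match
        return array('ok' => false, 'error' => $entries['count'] . ' entries matched ' . $filter);
    }
    // ldap_get_entries() lowercases attribute names and adds a 'count' key per attribute.
    $groups = isset($entries[0]['memberof']) ? $entries[0]['memberof'] : array('count' => 0);
    $role = '';
    for ($j = 0; $j < $groups['count']; $j++) {
        $dn = strtolower($groups[$j]);                  // DNs compare case-insensitively
        if (isset($roles[$dn])) { $role = $roles[$dn]; break; }
    }
    return array('ok' => true, 'role' => $role, 'groups' => $groups['count']);
}
```

Note that memberOf lists direct memberships only and omits the account's primary group, so a role check based on it will not see nested or primary-group membership.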