Solved

php 5.3 LDAP login member of

Posted on 2013-11-22
Medium Priority
1,088 Views
Last Modified: 2013-11-24
Hello,
I have a problem with this script:
login.php
<?php
include("authenticate.php");
 
// check to see if user is logging out
if(isset($_GET['out'])) {
    // destroy session
    session_unset();
    $_SESSION = array();
    unset($_SESSION['user'],$_SESSION['access']);
    session_destroy();
}
 
// check to see if login form has been submitted
if(isset($_POST['userLogin'])){
    // run information through authenticator
    if(authenticate($_POST['userLogin'],$_POST['userPassword']))
    {
        // authentication passed
        header("Location: index.php");
        die();
    } else {
        // authentication failed
        $error = 1;
    }
}
 
// output error to user
if (isset($error)){ echo "Login failed: Incorrect user name, password, or rights<br />";}
 
// output logout success
if (isset($_GET['out'])) echo "Logout successful<br />";
?>
 
<form method="post" action="login.php">
    User: <input type="text" name="userLogin" /><br />
    Password: <input type="password" name="userPassword" /><br />
    <input type="submit" name="submit" value="Submit" />
</form>



authenticate.php
<?php
function authenticate($user, $password) {
    // Active Directory server
    $ldap_host = "xxxx";
 
    // Active Directory DN
    $ldap_dn = "OU=ou,DC=dc,DC=dc";
 
    // Active Directory user group
    $ldap_user_group = "Intranet Users";
 
    // Active Directory manager group
    $ldap_manager_group = "Intranet Admin";
 
    // Domain, for purposes of constructing $user
    $ldap_usr_dom = "@xxxx.xx";
 
    // connect to active directory
    $ldap = ldap_connect($ldap_host);
 
    // verify user and password
    if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
        // valid
        // check presence in groups
        $filter = "(sAMAccountName=" . $user . ")";
        $attr = array("memberof");
        $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
        $entries = ldap_get_entries($ldap, $result);
        ldap_unbind($ldap);
 
		//echo $entries;
        // check groups
        foreach($entries[0]['memberof'] as $grps) {
            // is manager, break loop
            if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }
 
            // is user
            if (strpos($grps, $ldap_user_group)) $access = 1;
        }
 
        if ($access != 0) {
            // establish session variables
            $_SESSION['user'] = $user;
            $_SESSION['access'] = $access;
            return true;
        } else {
            // user has no rights
            return false;
        }
 
    } else {
        // invalid name or password
        return false;
    }
}
?>



I have this error:
PHP Notice:  Undefined index: memberof in C:\inetpub\wwwroot\authenticate.php on line 33
PHP Warning:  Invalid argument supplied for foreach() in C:\inetpub\wwwroot\authenticate.php on line 33
PHP Notice:  Undefined variable: access in C:\inetpub\wwwroot\authenticate.php on line 41

line 33 -->      
        foreach($entries[0]['memberof'] as $grps) {



line 41 -->
        if ($access != 0) {




Can you help us?
Regards.
0
Question by:iddisarl
4 Comments
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39668696
$entries appears to be created on line 28 with this instruction:

$entries = ldap_get_entries($ldap, $result);

Please add var_dump($entries) and post the output here.
0
 

Author Comment

by:iddisarl
ID: 39670553
Hello, thank you for your help.
If I disable error reporting and use var_dump,
I have this output:
array(2) { ["count"]=> int(1) [0]=> array(2) { ["count"]=> int(0) ["dn"]=> string(41) "CN=test,OU=MYOU,DC=MYDC,DC=MYDCLTD" } }
If I enable error reporting, I still have the same errors.
Regards
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 1500 total points
ID: 39670586
That tells us that the output from ldap_get_entries() looks this way

array
( ["count"]=> int(1)
, [0]=> array
        ( ["count" ] => int(0)
        , ["dn"]     => "CN=test,OU=MYOU,DC=MYDC,DC=MYDCLTD" 
        ) 
)


In other words, $entries[0] has two elements named "count" and "dn" but nothing named "memberof" is in there.
0
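Added example, not part of the thread or the posters' code: a PHP 5.3-compatible rewrite of authenticate() that denies by default when the entry has no memberof attribute (the case diagnosed above), escapes the user name in the search filter, refuses empty passwords, and compares exact group CNs. The helper names ldap_filter_escape() and access_level() and the group DN in the second sample entry are assumptions made for illustration; host, base DN and domain are the placeholders from the question.

```php
<?php
// Added example, PHP 5.3-compatible (no ldap_escape(), no [] array syntax).
// Escape a value for an LDAP search filter (RFC 4515); backslash must go first.
function ldap_filter_escape($value) {
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\\5c', '\\2a', '\\28', '\\29', '\\00'), $value);
}

// Map ldap_get_entries() output to an access level: 2 = manager, 1 = user, 0 = none.
function access_level($entries, $user_group, $manager_group) {
    $access = 0; // default deny, so the value is always defined
    if (!is_array($entries) || !isset($entries['count']) || $entries['count'] !== 1
        || !isset($entries[0]['memberof'])) {
        return $access; // no unique entry, or no memberof attribute (the case in this thread)
    }
    foreach ($entries[0]['memberof'] as $key => $dn) {
        if ($key === 'count') continue; // ldap_get_entries() adds a "count" element
        // Compare the group's exact CN instead of a substring of the whole DN.
        if (!preg_match('/^CN=([^,]+),/i', $dn, $m)) continue;
        if (strcasecmp($m[1], $manager_group) === 0) return 2;
        if (strcasecmp($m[1], $user_group) === 0) $access = 1;
    }
    return $access;
}

function authenticate($user, $password) {
    // An empty password makes ldap_bind() an anonymous bind, which can succeed.
    if (!is_string($user) || !is_string($password) || $user === '' || $password === '') return false;
    $ldap = ldap_connect("xxxx"); // placeholder host, as in the question
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ldap, $user . "@xxxx.xx", $password)) return false;
    $filter = "(sAMAccountName=" . ldap_filter_escape($user) . ")";
    $result = @ldap_search($ldap, "OU=ou,DC=dc,DC=dc", $filter, array("memberof"));
    $entries = $result ? ldap_get_entries($ldap, $result) : false;
    ldap_unbind($ldap);
    $access = access_level($entries, "Intranet Users", "Intranet Admin");
    if ($access === 0) return false;
    $_SESSION['user'] = $user;   // assumes session_start() was called by the including page
    $_SESSION['access'] = $access;
    return true;
}

// Offline check of the group logic: the entry posted in the thread, and a constructed one.
$from_thread = array('count' => 1, 0 => array('count' => 0,
    'dn' => 'CN=test,OU=MYOU,DC=MYDC,DC=MYDCLTD'));
$constructed = array('count' => 1, 0 => array(
    'memberof' => array('count' => 1, 0 => 'CN=Intranet Admin,OU=Groups,DC=example,DC=test')));
var_dump(access_level($from_thread, "Intranet Users", "Intranet Admin"));
var_dump(access_level($constructed, "Intranet Users", "Intranet Admin"));
```

A group CN that contains an escaped comma will not match the simple CN pattern used here, so such a group is treated as not matched and the check fails closed.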
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 39672722
0
