[K12OSN] Help with php-ldap

Ben Dailey ben at inspiredtechs.com
Thu Oct 30 12:41:51 UTC 2008


On Thu, Oct 30, 2008 at 5:15 AM, Brian Chivers
<brian at portsmouth-college.ac.uk> wrote:
> Ben Dailey wrote:
>>
>> On Wed, Oct 29, 2008 at 5:07 PM, Brian Chivers
>> <brian at portsmouth-college.ac.uk> wrote:
>>>
>>> Has anyone done anything with php-ldap ??
>>>
>>> I'm trying to write a php script that will return the users with their
>>> gidNumber but what I have doesn't return the gidNumber.
>>>
>>> I can post my script so far if it helps.
>>>
>>> Thanks
>>> Brian Chivers
>>> Portsmouth College
>>>
>>>
>>> ------------------------------------------------------------------------------------------------
>>>  The views expressed here are my own and not necessarily
>>>
>>>              the views of Portsmouth College
>>
>> Brian,
>>
>> I have written an authentication script which we use in house to do
>> authentication. What kind of ldap directory are you trying to query?
>> If you post your script and php version, I will do my best at giving a
>> hand.
>>
>> Thanks,
>> Ben Dailey
>> Asst. Technology Director
>> Bluffton-Harrison MSD
>>
>
> Thanks for the offer :-)
>
> It's an openldap server & we're running php5
>
> The script I've got below is something I found on the web and it sort of
> works but doesn't show the gidNumber & I'd like to have this as I don't want
> students (gid=501) to be authenticated only staff (various gids)
>
> <?php
> // basic sequence with LDAP is connect, bind, search, interpret search
> // result, close connection
> $ldaphost = "alpha.portsmouth-college.ac.uk";
> $username = "Manager";
> $binddn  = "cn=$username,dc=portsmouth-college,dc=ac,dc=uk";     // ldap rdn or dn
> $bindpass = "special_password";  // associated password
>
> echo "<h3>LDAP query test</h3>";
> echo "Connecting ...";
> $ds=ldap_connect($ldaphost);  // must be a valid LDAP server!
> echo "connect result is " . $ds . "<br />";
>
> if ($ds) {
>    echo "Binding ...";
>    $r=ldap_bind($ds,$binddn,$bindpass);
>    echo "Bind result is " . $r . "<br />";
>
>    echo "Searching for (cn=*) ...";
>    // Search surname entry
>    $sr=ldap_search($ds,"dc=portsmouth-college,dc=ac,dc=uk", "cn=*");
>    echo "Search result is " . $sr . "<br />";
>
>    echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";
>
>    echo "Getting entries ...<p>";
>    $info = ldap_get_entries($ds, $sr);
>    echo "Data for " . $info["count"] . " items returned:<p>";
>
>    for ($i=0; $i<$info["count"]; $i++) {
>        echo "Loop count: " . $i . "<br />";
Replace the following echoes with:
echo "<pre>";
print_r($info[$i]);
echo "</pre>";
>         echo "gidNumber is: ". $info[$i]["gidNumber"]."<br />";
>        echo "dn is: " . $info[$i]["dn"] . "<br />";
>        echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
>        echo "first mail entry is: " . $info[$i]["mail"][0] . "<br /> <hr />";
End replacement of the echoes.
>    }
>
>    echo "Closing connection";
>    ldap_close($ds);
>
> } else {
>    echo "<h4>Unable to connect to LDAP server</h4>";
> }
> ?>
>
> This is an auth script that works but doesn't block students it's just a yes
> or no and I don't know enough about php YET to work out how to fail the
> authentication if the gidNumber is 501
>
> <?php
>
> $ldapconfig['host'] = 'alpha.portsmouth-college.ac.uk';
> $ldapconfig['port'] = NULL;
> $ldapconfig['basedn'] = 'dc=portsmouth-college,dc=ac,dc=uk';
> $ldapconfig['authrealm'] = 'My Realm';
>
> function ldap_authenticate() {
>    global $ldapconfig;
>    global $PHP_AUTH_USER;
>    global $PHP_AUTH_PW;
>
>    if ($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {
>        $ds=@ldap_connect($ldapconfig['host'],$ldapconfig['port']);
>        $r = @ldap_search( $ds, $ldapconfig['basedn'], 'uid=' . $PHP_AUTH_USER);
>        if ($r) {
>            $result = @ldap_get_entries( $ds, $r);
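If you are getting the gidNumber returned in the above example then try
replacing the following if section:
// ldap_get_entries() lowercases attribute names and returns each attribute as an array of values
if ($result[0] && $result[0]['gidnumber'][0] != 501) {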
>            if ($result[0]) {
>                if (@ldap_bind( $ds, $result[0]['dn'], $PHP_AUTH_PW) ) {
>                    return $result[0];
>                }
>            }
>        }
>    }
>    header('WWW-Authenticate: Basic realm="'.$ldapconfig['authrealm'].'"');
>    header('HTTP/1.0 401 Unauthorized');
>    return NULL;
> }
>
> if (($result = ldap_authenticate()) == NULL) {
>    echo('Authorization Failed');
>    exit(0);
> }
> echo('Authorization success');
> echo('<br>');
> print_r($result);
>
> ?>

Brian,

Comments and some code changes included inline above. Let me know how
that turns out for you.

HTH,
Ben
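
The gidNumber check discussed in this thread, as an added example that is not part of the original emails: it reads the attribute the way ldap_get_entries() returns it (lowercased key, array of values), fails closed when the attribute is missing, and escapes the user name before it goes into the search filter. The function names, the DENIED_GIDS constant and the sample entries are assumptions made for illustration, and ldap_escape() requires PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread. Requires PHP 5.6+ for ldap_escape().
const DENIED_GIDS = ['501'];   // students, per the thread

// $entry is one element of ldap_get_entries(): attribute names are lowercased
// and every attribute is an array of values with a "count" key.
function gid_allowed(array $entry, array $denied = DENIED_GIDS)
{
    if (!isset($entry['gidnumber'][0])) {
        return false;              // fail closed: no gidNumber, no access
    }
    return !in_array((string) $entry['gidnumber'][0], $denied, true);
}

// Hypothetical helper: find the user, check the group, then bind as the user.
function ldap_authenticate_staff($ds, $baseDn, $user, $pass)
{
    if ($user === '' || $pass === '') {
        return null;               // an empty password would be an anonymous bind
    }
    // Escape filter metacharacters so the user name cannot alter the search.
    $filter = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = ldap_search($ds, $baseDn, $filter, ['gidnumber', 'cn']);
    if ($sr === false) {
        return null;
    }
    $entries = ldap_get_entries($ds, $sr);
    // Require exactly one match and an allowed group before testing the password.
    if ($entries === false || $entries['count'] !== 1 || !gid_allowed($entries[0])) {
        return null;
    }
    return @ldap_bind($ds, $entries[0]['dn'], $pass) ? $entries[0] : null;
}

// Constructed sample entries in the shape ldap_get_entries() returns.
$staff   = ['gidnumber' => ['count' => 1, 0 => '502'], 'dn' => 'uid=staff1,dc=example,dc=org'];
$student = ['gidnumber' => ['count' => 1, 0 => '501'], 'dn' => 'uid=stu1,dc=example,dc=org'];
$noGid   = ['dn' => 'uid=svc1,dc=example,dc=org'];

// Offline check of the group decision for each constructed entry.
var_dump(gid_allowed($staff));
var_dump(gid_allowed($student));
var_dump(gid_allowed($noGid));
```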



