[K12OSN] Help with php-ldap
Brian Chivers
brian at portsmouth-college.ac.uk
Thu Oct 30 14:42:00 UTC 2008
Ben Dailey wrote:
> On Thu, Oct 30, 2008 at 9:38 AM, Brian Chivers <brian at portsmouth-college.ac.uk> wrote:
>
> Ben Dailey wrote:
>
> On Thu, Oct 30, 2008 at 5:15 AM, Brian Chivers <brian at portsmouth-college.ac.uk> wrote:
>
> Ben Dailey wrote:
>
> On Wed, Oct 29, 2008 at 5:07 PM, Brian Chivers <brian at portsmouth-college.ac.uk> wrote:
>
> Has anyone done anything with php-ldap ??
>
> I'm trying to write a php script that will return the users with their
> gidNumber but what I have doesn't return the gidNumber.
>
> I can post my script so far if it helps.
>
> Thanks
> Brian Chivers
> Portsmouth College
>
>
> ------------------------------------------------------------------------------------------------
> The views expressed here are my own and not necessarily the views of Portsmouth College
>
> Brian,
>
> I have written an authentication script which we use in house to do
> authentication. What kind of ldap directory are you trying to query?
> If you post your script and PHP version, I will do my best at giving a
> hand.
>
> Thanks,
> Ben Dailey
> Asst. Technology Director
> Bluffton-Harrison MSD
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
>
> Thanks for the offer :-)
>
> It's an OpenLDAP server & we're running PHP 5
>
> The script I've got below is something I found on the web and it sort of
> works but doesn't show the gidNumber & I'd like to have this as I don't want
> students (gid=501) to be authenticated, only staff (various gids).
>
> <?php
> // basic sequence with LDAP is connect, bind, search, interpret search
> // result, close connection
> $ldaphost = "alpha.portsmouth-college.ac.uk";
> $username = "Manager";
> $binddn = "cn=$username,dc=portsmouth-college,dc=ac,dc=uk"; // ldap rdn or dn
> $bindpass = "special_password"; // associated password
>
> echo "<h3>LDAP query test</h3>";
> echo "Connecting ...";
> $ds=ldap_connect($ldaphost); // must be a valid LDAP server!
> echo "connect result is " . $ds . "<br />";
>
> if ($ds) {
>     echo "Binding ...";
>     $r=ldap_bind($ds,$binddn,$bindpass);
>     echo "Bind result is " . $r . "<br />";
>
>     echo "Searching for (cn=*) ...";
>     // Search surname entry
>     $sr=ldap_search($ds,"dc=portsmouth-college,dc=ac,dc=uk", "cn=*");
>     echo "Search result is " . $sr . "<br />";
>
>     echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";
>
>     echo "Getting entries ...<p>";
>     $info = ldap_get_entries($ds, $sr);
>     echo "Data for " . $info["count"] . " items returned:<p>";
>
>     for ($i=0; $i<$info["count"]; $i++) {
>         echo "Loop count: " . $i . "<br />";
>
> Replace the following echoes with:
>         echo "<pre>";
>         print_r($info[$i]);
>         echo "</pre>";
>
>         echo "gidNumber is: ". $info[$i]["gidNumber"]."<br />";
>         echo "dn is: " . $info[$i]["dn"] . "<br />";
>         echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
>         echo "first mail entry is: " . $info[$i]["mail"][0] . "<br /> <hr />";
>
> End replacement of the echoes.
>
>     }
>
>     echo "Closing connection";
>     ldap_close($ds);
>
> } else {
>     echo "<h4>Unable to connect to LDAP server</h4>";
> }
> ?>
>
> This is an auth script that works but doesn't block students; it's just a yes
> or no and I don't know enough about PHP YET to work out how to fail the
> authentication if the gidNumber is 501.
>
> <?php
>
> $ldapconfig['host'] = 'alpha.portsmouth-college.ac.uk';
> $ldapconfig['port'] = NULL;
> $ldapconfig['basedn'] = 'dc=portsmouth-college,dc=ac,dc=uk';
> $ldapconfig['authrealm'] = 'My Realm';
>
> function ldap_authenticate() {
>     global $ldapconfig;
>     global $PHP_AUTH_USER;
>     global $PHP_AUTH_PW;
>
>     if ($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {
>
>         $ds=@ldap_connect($ldapconfig['host'],$ldapconfig['port']);
>         $r = @ldap_search( $ds, $ldapconfig['basedn'], 'uid=' . $PHP_AUTH_USER);
>         if ($r) {
>             $result = @ldap_get_entries( $ds, $r);
>
> If you are getting the gidNumber returned in the above example then try
> replacing the following if section:
>             if ($result[0] && $result[0][gidNumber]!=501) {
>
>             if ($result[0]) {
>                 if (@ldap_bind( $ds, $result[0]['dn'], $PHP_AUTH_PW) ) {
>                     return $result[0];
>                 }
>             }
>         }
>     }
>     header('WWW-Authenticate: Basic realm="'.$ldapconfig['authrealm'].'"');
>     header('HTTP/1.0 401 Unauthorized');
>     return NULL;
> }
>
> if (($result = ldap_authenticate()) == NULL) {
>     echo('Authorization Failed');
>     exit(0);
> }
> echo('Authorization success');
> echo('<br>');
> print_r($result);
>
> ?>
>
>
> Brian,
>
> Comments and some code changes included inline above. Let me
> know how
> that turns out for you.
>
> HTH,
> Ben
>
>
>
> OK, altered the first script as per comments and one of the results is
> below. It looks like it is retrieving the gidnumber etc. but I'm not sure
> how to alter the script so it only shows cn, uidnumber & gidnumber (bits I
> need for the rest of my magical script).
>
> I've had a bit of a think about how I'm going to do this. I'm thinking
> about putting the page that staff access behind a .htaccess that is set
> up so only staff get through, as I have this working already, but I
> still need to retrieve the uidnumber etc. from ldap so I can enter it
> into a database, so the line below won't be needed :-)
>
>
> if ($result[0] && $result[0][gidNumber]!=501) {
>
> but it didn't work :-(
>
> Results from first script :-
>
>
> Brian,
>
> It looks like the if will need to look like this:
>     // ldap_get_entries() lower-cases the attribute names and returns each
>     // attribute as an array, so the value is element [0]
>     $gid=$result[0]['gidnumber'][0];
>     echo $gid;
>     if ($result[0] && $gid!=501) {
>         $uidNumber=$result[0]['uidnumber'][0];
>         echo $uidNumber;
>
> Let me know if this works.
> Ben
>
>
:-)
That's got it, now on to the next steps :-)
Thanks again for all the help
Brian
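As an added example (not code from the thread or from either poster), here is the auth script reworked the way the thread ends up wanting it: the search asks the server for only cn, uidNumber and gidNumber, the username is escaped before it goes into the filter, gid 501 is refused, and the password is checked by binding as the user's own DN. The host, base DN and gid 501 come from the thread; filter_escape() and ldap_authenticate_staff() are names chosen here.

```php
<?php
// Added example, not code from the thread: Basic-auth login against OpenLDAP that escapes
// the username before it enters the filter, fetches only cn/uidNumber/gidNumber, refuses
// gid 501 (students) and checks the password by binding as the user's own DN.
$ldapconfig = array(
    'host'      => 'ldap://alpha.portsmouth-college.ac.uk',   // host and base DN from the thread
    'basedn'    => 'dc=portsmouth-college,dc=ac,dc=uk',
    'authrealm' => 'My Realm',
    'denygid'   => 501,                                        // students' primary gid
);
// RFC 4515 escaping for a value placed inside a search filter (PHP >= 5.6 has ldap_escape()).
function filter_escape($value) {
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}
// Returns array(cn, uidnumber, gidnumber) for a staff login, NULL on any failure.
function ldap_authenticate_staff($user, $pass) {
    global $ldapconfig;
    if ($user === '' || $pass === '') {
        return NULL;                    // an empty password would turn the bind into an anonymous one
    }
    $ds = ldap_connect($ldapconfig['host']);
    if (!$ds) { return NULL; }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $filter = '(&(objectClass=posixAccount)(uid=' . filter_escape($user) . '))';
    $attrs  = array('cn', 'uidNumber', 'gidNumber');    // request only what the app needs
    $sr = ldap_search($ds, $ldapconfig['basedn'], $filter, $attrs);
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    // Exactly one match expected. ldap_get_entries() lower-cases attribute names and
    // returns each attribute as an array with [count] and numbered values.
    if (!$entries || $entries['count'] != 1) { ldap_close($ds); return NULL; }
    $e = $entries[0];
    if (!isset($e['gidnumber'][0]) || (int)$e['gidnumber'][0] === $ldapconfig['denygid']) {
        ldap_close($ds); return NULL;   // student (or no gid at all): refuse before binding
    }
    $ok = @ldap_bind($ds, $e['dn'], $pass);   // the bind is what actually checks the password
    ldap_close($ds);
    if (!$ok) { return NULL; }
    return array('cn' => $e['cn'][0], 'uidnumber' => $e['uidnumber'][0],
                 'gidnumber' => $e['gidnumber'][0]);
}
$staff = ldap_authenticate_staff(isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '',
                                 isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '');
if ($staff === NULL) {
    header('WWW-Authenticate: Basic realm="' . $ldapconfig['authrealm'] . '"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authorization Failed');
}
print_r($staff);    // cn, uidnumber and gidnumber, ready for the database insert
```

Because the gid check happens before the bind, a student's password is never even tried against the directory, and the Basic-auth headers are only sent from one place.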