
Re: [K12OSN] Help with php-ldap



Ben Dailey wrote:
On Thu, Oct 30, 2008 at 5:15 AM, Brian Chivers
<brian portsmouth-college ac uk> wrote:
Ben Dailey wrote:
On Wed, Oct 29, 2008 at 5:07 PM, Brian Chivers
<brian portsmouth-college ac uk> wrote:
Has anyone done anything with php-ldap ??

I'm trying to write a PHP script that will return the users with their
gidNumber, but what I have doesn't return the gidNumber.

I can post my script so far if it helps.

Thanks
Brian Chivers
Portsmouth College


------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College
Brian,

I have written an authentication script which we use in house to do
authentication. What kind of LDAP directory are you trying to query?
If you post your script and PHP version, I will do my best at giving a
hand.

Thanks,
Ben Dailey
Asst. Technology Director
Bluffton-Harrison MSD

_______________________________________________
K12OSN mailing list
K12OSN redhat com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>
Thanks for the offer :-)

It's an OpenLDAP server & we're running PHP 5.

The script I've got below is something I found on the web, and it sort of
works, but it doesn't show the gidNumber. I'd like to have this, as I don't want
students (gid=501) to be authenticated, only staff (various gids).

<?php
// basic sequence with LDAP is connect, bind, search, interpret search
// result, close connection
$ldaphost = "alpha.portsmouth-college.ac.uk";
$username = "Manager";
$binddn  = "cn=$username,dc=portsmouth-college,dc=ac,dc=uk";     // ldap rdn or dn
$bindpass = "special_password";  // associated password

echo "<h3>LDAP query test</h3>";
echo "Connecting ...";
$ds=ldap_connect($ldaphost);  // must be a valid LDAP server!
echo "connect result is " . $ds . "<br />";

if ($ds) {
   echo "Binding ...";
   $r=ldap_bind($ds,$binddn,$bindpass);
   echo "Bind result is " . $r . "<br />";

   echo "Searching for (cn=*) ...";
   // Search surname entry
   $sr=ldap_search($ds,"dc=portsmouth-college,dc=ac,dc=uk", "cn=*");
   echo "Search result is " . $sr . "<br />";

   echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";

   echo "Getting entries ...<p>";
   $info = ldap_get_entries($ds, $sr);
   echo "Data for " . $info["count"] . " items returned:<p>";

   for ($i=0; $i<$info["count"]; $i++) {
       echo "Loop count: " . $i . "<br />";
Replace the following echoes with:
echo "<pre>";
print_r($info[$i]);
echo "</pre>";
        echo "gidNumber is: ". $info[$i]["gidNumber"]."<br />";
       echo "dn is: " . $info[$i]["dn"] . "<br />";
       echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
       echo "first mail entry is: " . $info[$i]["mail"][0] . "<br /> <hr />";
End replacement of the echoes.
   }

   echo "Closing connection";
   ldap_close($ds);

} else {
   echo "<h4>Unable to connect to LDAP server</h4>";
}
?>

This is an auth script that works, but it doesn't block students; it's just a yes
or no, and I don't know enough about PHP YET to work out how to fail the
authentication if the gidNumber is 501.

<?php

$ldapconfig['host'] = 'alpha.portsmouth-college.ac.uk';
$ldapconfig['port'] = NULL;
$ldapconfig['basedn'] = 'dc=portsmouth-college,dc=ac,dc=uk';
$ldapconfig['authrealm'] = 'My Realm';

function ldap_authenticate() {
   global $ldapconfig;
   global $PHP_AUTH_USER;
   global $PHP_AUTH_PW;

   if ($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {
       $ds= ldap_connect($ldapconfig['host'],$ldapconfig['port']);
       $r = @ldap_search( $ds, $ldapconfig['basedn'], 'uid=' . $PHP_AUTH_USER);
       if ($r) {
           $result = @ldap_get_entries( $ds, $r);
If you are getting the gidNumber returned in the above example, then try
replacing the following if section:
if ($result[0] && $result[0][gidNumber]!=501) {
           if ($result[0]) {
               if (@ldap_bind( $ds, $result[0]['dn'], $PHP_AUTH_PW) ) {
                   return $result[0];
               }
           }
       }
   }
   header('WWW-Authenticate: Basic realm="'.$ldapconfig['authrealm'].'"');
   header('HTTP/1.0 401 Unauthorized');
   return NULL;
}

if (($result = ldap_authenticate()) == NULL) {
   echo('Authorization Failed');
   exit(0);
}
echo('Authorization success');
echo('<br>');
print_r($result);

?>

Brian,

Comments and some code changes included inline above. Let me know how
that turns out for you.

HTH,
Ben


OK, I altered the first script as per the comments, and one of the results is below. It looks like it is retrieving the gidnumber etc., but I'm not sure how to alter the script so it only shows cn, uidnumber & gidnumber (bits I need for the rest of my magical script).

I've had a bit of a think about how I'm going to do this. I'm thinking about putting the page that staff access behind a .htaccess that is set up so only staff get through, as I have this working already, but I still need to retrieve the uidnumber etc. from LDAP so I can enter it into a database, so the line below won't be needed :-)

if ($result[0] && $result[0][gidNumber]!=501) {

but it didn't work :-(

Results from the first script:

Loop count: 4

Array
(
    [objectclass] => Array
        (
            [count] => 5
            [0] => top
            [1] => inetOrgPerson
            [2] => posixAccount
            [3] => shadowAccount
            [4] => sambaSamAccount
        )

    [0] => objectclass
    [cn] => Array
        (
            [count] => 1
            [0] => brian
        )

    [1] => cn
    [uid] => Array
        (
            [count] => 1
            [0] => brian
        )

    [2] => uid
    [uidnumber] => Array
        (
            [count] => 1
            [0] => 1013
        )

    [3] => uidnumber
    [gidnumber] => Array
        (
            [count] => 1
            [0] => 512
        )

    [4] => gidnumber
    [homedirectory] => Array
        (
            [count] => 1
            [0] => /home/brian
        )

    [5] => homedirectory
    [loginshell] => Array
        (
            [count] => 1
            [0] => /bin/bash
        )

    [6] => loginshell
    [gecos] => Array
        (
            [count] => 1
            [0] => System User
        )

    [7] => gecos
    [description] => Array
        (
            [count] => 1
            [0] => System User
        )

    [8] => description
    [sambalogontime] => Array
        (
            [count] => 1
            [0] => 0
        )

    [9] => sambalogontime
    [sambalogofftime] => Array
        (
            [count] => 1
            [0] => 2147483647
        )

    [10] => sambalogofftime
    [displayname] => Array
        (
            [count] => 1
            [0] => System User
        )

    [11] => displayname
    [sambalogonscript] => Array
        (
            [count] => 1
            [0] => startup.bat
        )

    [12] => sambalogonscript
    [sambaprofilepath] => Array
        (
            [count] => 1
            [0] => \\RHO2\profiles\brian
        )

    [13] => sambaprofilepath
    [sambahomepath] => Array
        (
            [count] => 1
            [0] => \\RHO2\homes\brian
        )

    [14] => sambahomepath
    [sambahomedrive] => Array
        (
            [count] => 1
            [0] => P:
        )

    [15] => sambahomedrive
    [sambalmpassword] => Array
        (
            [count] => 1
            [0] => 985CC3D8A9671FCDAAD3B435B51404EE
        )

    [16] => sambalmpassword
    [sambantpassword] => Array
        (
            [count] => 1
            [0] => F97C55B222D47D85D922EDC6C113585E
        )

    [17] => sambantpassword
    [sambapwdlastset] => Array
        (
            [count] => 1
            [0] => 1116514670
        )

    [18] => sambapwdlastset
    [userpassword] => Array
        (
            [count] => 1
            [0] => {SSHA}YwnYwZKpziq6NR42i9oOBApYzHVXTWM1
        )

    [19] => userpassword
    [givenname] => Array
        (
            [count] => 1
            [0] => Brian
        )

    [20] => givenname
    [sn] => Array
        (
            [count] => 1
            [0] => Chivers
        )

    [21] => sn
    [shadowexpire] => Array
        (
            [count] => 1
            [0] => 21915
        )

    [22] => shadowexpire
    [sambapwdcanchange] => Array
        (
            [count] => 1
            [0] => 1041379201
        )

    [23] => sambapwdcanchange
    [sambadomainname] => Array
        (
            [count] => 1
            [0] => TANGIER
        )

    [24] => sambadomainname
    [sambasid] => Array
        (
            [count] => 1
            [0] => S-1-5-21-3889783498-3206798075-3096547488-3026
        )

    [25] => sambasid
    [sambaprimarygroupsid] => Array
        (
            [count] => 1
            [0] => S-1-5-21-3889783498-3206798075-3096547488-512
        )

    [26] => sambaprimarygroupsid
    [sambaacctflags] => Array
        (
            [count] => 1
            [0] => [U          ]
        )

    [27] => sambaacctflags
    [mail] => Array
        (
            [count] => 1
            [0] => brian portsmouth-college ac uk
        )

    [28] => mail
    [sambakickofftime] => Array
        (
            [count] => 1
            [0] => 2147476447
        )

    [29] => sambakickofftime
    [sambapwdmustchange] => Array
        (
            [count] => 1
            [0] => 1337565435
        )

    [30] => sambapwdmustchange
    [count] => 31
    [dn] => uid=brian,ou=Users,dc=portsmouth-college,dc=ac,dc=uk
)


------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College
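As an added example (not code from the thread or from either poster), here is how the second script's authentication could refuse gidNumber 501 and hand back only cn, uidnumber and gidnumber. It relies on two documented facts about ldap_get_entries(): attribute names come back lower-cased, and each value sits at index 0 of its attribute array. The host and base DN are the ones from the thread; the function names filter_escape and ldap_authenticate_staff are my own.

```php
<?php
// Added example, not code from the thread. Host, base DN and the student
// gid (501) follow the thread; the helper names are mine.
$ldapconfig = array(
    'host'     => 'alpha.portsmouth-college.ac.uk',
    'basedn'   => 'dc=portsmouth-college,dc=ac,dc=uk',
    'deny_gid' => 501,
);

// Escape a value for use inside an LDAP search filter (RFC 4515), so a
// username like "*" or "x)(uid=y" cannot change the filter's meaning.
// PHP >= 5.6 ships ldap_escape() for the same purpose.
function filter_escape($value) {
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

// Returns array(cn, uidnumber, gidnumber) for an authenticated non-student
// user, or NULL on any failure.
function ldap_authenticate_staff($user, $pass) {
    global $ldapconfig;
    // An empty password makes ldap_bind() do an anonymous bind, which
    // usually succeeds, so reject it before talking to the server.
    if ($user === '' || $pass === '') { return NULL; }
    $ds = ldap_connect($ldapconfig['host']);
    if (!$ds) { return NULL; }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Request only the attributes we need; keys come back lower-cased.
    $sr = @ldap_search($ds, $ldapconfig['basedn'],
                       '(uid=' . filter_escape($user) . ')',
                       array('cn', 'uidnumber', 'gidnumber'));
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    $ok = false;
    if ($entries && $entries['count'] == 1) {
        $e = $entries[0];
        // Authenticate (bind as the user's DN), then authorise on gid.
        // Each attribute is an array with the value at index 0.
        $ok = @ldap_bind($ds, $e['dn'], $pass)
              && isset($e['gidnumber'][0])
              && (int)$e['gidnumber'][0] !== $ldapconfig['deny_gid'];
    }
    ldap_close($ds);
    if (!$ok) { return NULL; }
    return array('cn'        => $e['cn'][0],
                 'uidnumber' => (int)$e['uidnumber'][0],
                 'gidnumber' => (int)$e['gidnumber'][0]);
}
```

The caller passes $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] and sends the WWW-Authenticate and 401 headers itself when NULL comes back, as the second script already does.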