[K12OSN] Help with php-ldap
Ben Dailey
ben at inspiredtechs.com
Thu Oct 30 14:26:25 UTC 2008
On Thu, Oct 30, 2008 at 9:38 AM, Brian Chivers <brian at portsmouth-college.ac.uk> wrote:
> Ben Dailey wrote:
>
>> On Thu, Oct 30, 2008 at 5:15 AM, Brian Chivers
>> <brian at portsmouth-college.ac.uk> wrote:
>>
>>> Ben Dailey wrote:
>>>
>>>> On Wed, Oct 29, 2008 at 5:07 PM, Brian Chivers
>>>> <brian at portsmouth-college.ac.uk> wrote:
>>>>
>>>>> Has anyone done anything with php-ldap ??
>>>>>
>>>>> I'm trying to write a php script that will return the users with their
>>>>> gidNumber but what I have doesn't return the gidNumber.
>>>>>
>>>>> I can post my script so far if it helps.
>>>>>
>>>>> Thanks
>>>>> Brian Chivers
>>>>> Portsmouth College
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------------------------
>>>>> The views expressed here are my own and not necessarily
>>>>> the views of Portsmouth College
>>>>>
>>>> Brian,
>>>>
>>>> I have written an authentication script which we use in house to do
>>>> authentication. What kind of ldap directory are you trying to query?
>>>> If you post your script and php version, I will do my best to give a
>>>> hand.
>>>>
>>>> Thanks,
>>>> Ben Dailey
>>>> Asst. Technology Director
>>>> Bluffton-Harrison MSD
>>>>
>>>> _______________________________________________
>>>> K12OSN mailing list
>>>> K12OSN at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/k12osn
>>>> For more info see <http://www.k12os.org>
>>>>
>>> Thanks for the offer :-)
>>>
>>> It's an OpenLDAP server & we're running php5
>>>
>>> The script I've got below is something I found on the web and it sort of
>>> works but doesn't show the gidNumber & I'd like to have this as I don't want
>>> students (gid=501) to be authenticated, only staff (various gids)
>>>
>>> <?php
>>> // basic sequence with LDAP is connect, bind, search, interpret search
>>> // result, close connection
>>> $ldaphost = "alpha.portsmouth-college.ac.uk";
>>> $username = "Manager";
>>> $binddn = "cn=$username,dc=portsmouth-college,dc=ac,dc=uk"; // ldap rdn or dn
>>> $bindpass = "special_password"; // associated password
>>>
>>> echo "<h3>LDAP query test</h3>";
>>> echo "Connecting ...";
>>> $ds=ldap_connect($ldaphost); // must be a valid LDAP server!
>>> echo "connect result is " . $ds . "<br />";
>>>
>>> if ($ds) {
>>> echo "Binding ...";
>>> $r=ldap_bind($ds,$binddn,$bindpass);
>>> echo "Bind result is " . $r . "<br />";
>>>
>>> echo "Searching for (cn=*) ...";
>>> // Search surname entry
>>> $sr=ldap_search($ds,"dc=portsmouth-college,dc=ac,dc=uk", "cn=*");
>>> echo "Search result is " . $sr . "<br />";
>>>
>>> echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";
>>>
>>> echo "Getting entries ...<p>";
>>> $info = ldap_get_entries($ds, $sr);
>>> echo "Data for " . $info["count"] . " items returned:<p>";
>>>
>>> for ($i=0; $i<$info["count"]; $i++) {
>>> echo "Loop count: " . $i . "<br />";
>>>
>> Replace the following echoes with:
>> echo "<pre>";
>> print_r($info[$i]);
>> echo "</pre>";
>>
>>> echo "gidNumber is: ". $info[$i]["gidNumber"]."<br />";
>>> echo "dn is: " . $info[$i]["dn"] . "<br />";
>>> echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
>>> echo "first mail entry is: " . $info[$i]["mail"][0] . "<br /> <hr />";
>>>
>> End replacement of the echoes.
>>
>>> }
>>>
>>> echo "Closing connection";
>>> ldap_close($ds);
>>>
>>> } else {
>>> echo "<h4>Unable to connect to LDAP server</h4>";
>>> }
>>> ?>
>>>
>>> This is an auth script that works but doesn't block students; it's just a yes
>>> or no and I don't know enough about php YET to work out how to fail the
>>> authentication if the gidNumber is 501
>>>
>>> <?php
>>>
>>> $ldapconfig['host'] = 'alpha.portsmouth-college.ac.uk';
>>> $ldapconfig['port'] = NULL;
>>> $ldapconfig['basedn'] = 'dc=portsmouth-college,dc=ac,dc=uk';
>>> $ldapconfig['authrealm'] = 'My Realm';
>>>
>>> function ldap_authenticate() {
>>> global $ldapconfig;
>>> global $PHP_AUTH_USER;
>>> global $PHP_AUTH_PW;
>>>
>>> if ($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {
>>> $ds=@ldap_connect($ldapconfig['host'],$ldapconfig['port']);
>>> $r = @ldap_search( $ds, $ldapconfig['basedn'], 'uid=' . $PHP_AUTH_USER);
>>> if ($r) {
>>> $result = @ldap_get_entries( $ds, $r);
>>>
>> If you are getting the gidNumber returned in the above example then try
>> replacing the following if section:
>> if ($result[0] && $result[0][gidNumber]!=501) {
>>
>>> if ($result[0]) {
>>> if (@ldap_bind( $ds, $result[0]['dn'], $PHP_AUTH_PW) ) {
>>> return $result[0];
>>> }
>>> }
>>> }
>>> }
>>> header('WWW-Authenticate: Basic realm="'.$ldapconfig['authrealm'].'"');
>>> header('HTTP/1.0 401 Unauthorized');
>>> return NULL;
>>> }
>>>
>>> if (($result = ldap_authenticate()) == NULL) {
>>> echo('Authorization Failed');
>>> exit(0);
>>> }
>>> echo('Authorization success');
>>> echo('<br>');
>>> print_r($result);
>>>
>>> ?>
>>>
>>
>> Brian,
>>
>> Comments and some code changes included inline above. Let me know how
>> that turns out for you.
>>
>> HTH,
>> Ben
>>
>>
>
> OK, altered the first script as per comments and one of the results is
> below; it looks like it is retrieving the gidnumber etc. but I'm not sure how
> to alter the script so it only shows cn, uidnumber & gidnumber (bits I need for
> the rest of my magical script)
>
> I've had a bit of a think about how I'm going to do this. I'm thinking about
> putting the page that staff access behind a .htaccess that is set up so only
> staff get through, as I have this working already, but I still need to
> retrieve the uidnumber etc. from ldap so I can enter it into a database, so
> the line below won't be needed :-)
>
> if ($result[0] && $result[0][gidNumber]!=501) {
>
> but it didn't work :-(
>
> Results from first script :-
>
> Loop count: 4
>
> Array
> (
> [objectclass] => Array
> (
> [count] => 5
> [0] => top
> [1] => inetOrgPerson
> [2] => posixAccount
> [3] => shadowAccount
> [4] => sambaSamAccount
> )
>
> [0] => objectclass
> [cn] => Array
> (
> [count] => 1
> [0] => brian
> )
>
> [1] => cn
> [uid] => Array
> (
> [count] => 1
> [0] => brian
> )
>
> [2] => uid
> [uidnumber] => Array
> (
> [count] => 1
> [0] => 1013
> )
>
> [3] => uidnumber
> [gidnumber] => Array
> (
> [count] => 1
> [0] => 512
> )
>
> [4] => gidnumber
> [homedirectory] => Array
> (
> [count] => 1
> [0] => /home/brian
> )
>
> [5] => homedirectory
> [loginshell] => Array
> (
> [count] => 1
> [0] => /bin/bash
> )
>
> [6] => loginshell
> [gecos] => Array
> (
> [count] => 1
> [0] => System User
> )
>
> [7] => gecos
> [description] => Array
> (
> [count] => 1
> [0] => System User
> )
>
> [8] => description
> [sambalogontime] => Array
> (
> [count] => 1
> [0] => 0
> )
>
> [9] => sambalogontime
> [sambalogofftime] => Array
> (
> [count] => 1
> [0] => 2147483647
> )
>
> [10] => sambalogofftime
> [displayname] => Array
> (
> [count] => 1
> [0] => System User
> )
>
> [11] => displayname
> [sambalogonscript] => Array
> (
> [count] => 1
> [0] => startup.bat
> )
>
> [12] => sambalogonscript
> [sambaprofilepath] => Array
> (
> [count] => 1
> [0] => \\RHO2\profiles\brian
> )
>
> [13] => sambaprofilepath
> [sambahomepath] => Array
> (
> [count] => 1
> [0] => \\RHO2\homes\brian
> )
>
> [14] => sambahomepath
> [sambahomedrive] => Array
> (
> [count] => 1
> [0] => P:
> )
>
> [15] => sambahomedrive
> [sambalmpassword] => Array
> (
> [count] => 1
> [0] => 985CC3D8A9671FCDAAD3B435B51404EE
> )
>
> [16] => sambalmpassword
> [sambantpassword] => Array
> (
> [count] => 1
> [0] => F97C55B222D47D85D922EDC6C113585E
> )
>
> [17] => sambantpassword
> [sambapwdlastset] => Array
> (
> [count] => 1
> [0] => 1116514670
> )
>
> [18] => sambapwdlastset
> [userpassword] => Array
> (
> [count] => 1
> [0] => {SSHA}YwnYwZKpziq6NR42i9oOBApYzHVXTWM1
> )
>
> [19] => userpassword
> [givenname] => Array
> (
> [count] => 1
> [0] => Brian
> )
>
> [20] => givenname
> [sn] => Array
> (
> [count] => 1
> [0] => Chivers
> )
>
> [21] => sn
> [shadowexpire] => Array
> (
> [count] => 1
> [0] => 21915
> )
>
> [22] => shadowexpire
> [sambapwdcanchange] => Array
> (
> [count] => 1
> [0] => 1041379201
> )
>
> [23] => sambapwdcanchange
> [sambadomainname] => Array
> (
> [count] => 1
> [0] => TANGIER
> )
>
> [24] => sambadomainname
> [sambasid] => Array
> (
> [count] => 1
> [0] => S-1-5-21-3889783498-3206798075-3096547488-3026
> )
>
> [25] => sambasid
> [sambaprimarygroupsid] => Array
> (
> [count] => 1
> [0] => S-1-5-21-3889783498-3206798075-3096547488-512
> )
>
> [26] => sambaprimarygroupsid
> [sambaacctflags] => Array
> (
> [count] => 1
> [0] => [U ]
> )
>
> [27] => sambaacctflags
> [mail] => Array
> (
> [count] => 1
> [0] => brian at portsmouth-college.ac.uk
> )
>
> [28] => mail
> [sambakickofftime] => Array
> (
> [count] => 1
> [0] => 2147476447
> )
>
> [29] => sambakickofftime
> [sambapwdmustchange] => Array
> (
> [count] => 1
> [0] => 1337565435
> )
>
> [30] => sambapwdmustchange
> [count] => 31
> [dn] => uid=brian,ou=Users,dc=portsmouth-college,dc=ac,dc=uk
> )
>
Brian,
It looks like the if will need to look like this:
$gid=$result[0]['gidnumber'][0];
echo $gid;
if ($result[0] && $gid!=501) {
$uidNumber=$result[0]['uidnumber'][0];
echo $uidNumber;
Let me know if this works.
Ben
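Ben's check reads $result[0]['gidnumber'][0] because php-ldap lowercases attribute names and wraps each attribute in a count/index array, as the print_r() dump shows. The script below is an added example, not code from the thread: it turns that shape into the cn/uidnumber/gidnumber fields Brian wants, applies the staff check, and shows the ldap_search() attribute-list argument that keeps the userpassword and samba hashes seen in the dump out of the web page. It assumes PHP 7.1+ and uses made-up DNs and values.

```php
<?php
// Added example, not from the thread; uses the ldap_get_entries() array shape.
// One single-valued attribute from an ldap_get_entries() entry, or $default.
function ldap_attr(array $entry, string $name, ?string $default = null): ?string
{
    $key = strtolower($name);  // php-ldap lowercases attribute names in results
    if (empty($entry[$key]['count'])) {
        return $default;
    }
    return (string) $entry[$key][0];
}
// Reduce an entry to the fields wanted for the database: cn, uidNumber, gidNumber.
function extract_account(array $entry): array
{
    return [
        'dn'        => $entry['dn'],
        'cn'        => ldap_attr($entry, 'cn'),
        'uidnumber' => (int) ldap_attr($entry, 'uidNumber', '-1'),
        'gidnumber' => (int) ldap_attr($entry, 'gidNumber', '-1'),
    ];
}
// Staff check: reject gid 501 and entries with no gidNumber at all (fail closed).
function is_staff(array $entry, int $student_gid = 501): bool
{
    $gid = ldap_attr($entry, 'gidNumber');
    return $gid !== null && (int) $gid !== $student_gid;
}
// Live search (not run here): the 4th ldap_search() arg limits attributes so the
// password hashes in the dump are not fetched; ldap_escape() (5.6+) guards the filter.
function search_accounts($ds, string $basedn, string $uid = '*'): array
{
    $safe = $uid === '*' ? '*' : ldap_escape($uid, '', LDAP_ESCAPE_FILTER);
    $sr   = ldap_search($ds, $basedn, "(uid=$safe)", ['cn', 'uidNumber', 'gidNumber']);
    $info = $sr ? ldap_get_entries($ds, $sr) : ['count' => 0];
    $accounts = [];
    for ($i = 0; $i < $info['count']; $i++) {
        $accounts[] = extract_account($info[$i]);
    }
    return $accounts;
}
// Constructed sample entries shaped like the thread's dump (values are made up).
$staff   = ['dn' => 'uid=brian,ou=Users,dc=example,dc=test', 'cn' => ['count' => 1, 0 => 'brian'],
            'uidnumber' => ['count' => 1, 0 => '1013'], 'gidnumber' => ['count' => 1, 0 => '512']];
$student = ['dn' => 'uid=s123,ou=Users,dc=example,dc=test', 'cn' => ['count' => 1, 0 => 's123'],
            'uidnumber' => ['count' => 1, 0 => '2001'], 'gidnumber' => ['count' => 1, 0 => '501']];
foreach ([$staff, $student] as $entry) {
    $a = extract_account($entry);
    printf("%s uid=%d gid=%d -> %s\n", $a['cn'], $a['uidnumber'], $a['gidnumber'],
           is_staff($entry) ? 'staff, allowed' : 'student, denied');
}
```

Because the directory's Manager bind can read every attribute, limiting the attribute list in the script is the only thing stopping those hashes from reaching the PHP process, so it belongs in the auth script as well as the listing script.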