
Re: [K12OSN] Help with php-ldap



Ben Dailey wrote:
On Thu, Oct 30, 2008 at 9:38 AM, Brian Chivers <brian portsmouth-college ac uk> wrote:

    Ben Dailey wrote:

        On Thu, Oct 30, 2008 at 5:15 AM, Brian Chivers
        <brian portsmouth-college ac uk> wrote:

            Ben Dailey wrote:

                On Wed, Oct 29, 2008 at 5:07 PM, Brian Chivers
                <brian portsmouth-college ac uk> wrote:

                    Has anyone done anything with php-ldap ??

                    I'm trying to write a php script that will return the
                    users with their gidNumber, but what I have doesn't
                    return the gidNumber.

                    I can post my script so far if it helps.

                    Thanks
                    Brian Chivers
                    Portsmouth College


                    ------------------------------------------------------------------------------------------------
                    The views expressed here are my own and not necessarily
                    the views of Portsmouth College

                Brian,

                I have written an authentication script which we use in
                house to do authentication. What kind of LDAP directory are
                you trying to query? If you post your script and PHP version,
                I will do my best at giving a hand.

                Thanks,
                Ben Dailey
                Asst. Technology Director
                Bluffton-Harrison MSD

                _______________________________________________
                K12OSN mailing list
                K12OSN redhat com
                https://www.redhat.com/mailman/listinfo/k12osn
                For more info see <http://www.k12os.org>

            Thanks for the offer :-)

            It's an OpenLDAP server & we're running PHP 5.

            The script I've got below is something I found on the web and it
            sort of works but doesn't show the gidNumber. I'd like to have
            this, as I don't want students (gid=501) to be authenticated,
            only staff (various gids).

            <?php
            // basic sequence with LDAP is connect, bind, search,
            // interpret search result, close connection
            $ldaphost = "alpha.portsmouth-college.ac.uk";
            $username = "Manager";
            $binddn  = "cn=$username,dc=portsmouth-college,dc=ac,dc=uk";  // ldap rdn or dn
            $bindpass = "special_password";  // associated password

            echo "<h3>LDAP query test</h3>";
            echo "Connecting ...";
            $ds=ldap_connect($ldaphost);  // must be a valid LDAP server!
            echo "connect result is " . $ds . "<br />";

            if ($ds) {
              echo "Binding ...";
              $r=ldap_bind($ds,$binddn,$bindpass);
              echo "Bind result is " . $r . "<br />";

              echo "Searching for (cn=*) ...";
              // Search surname entry
              $sr=ldap_search($ds,"dc=portsmouth-college,dc=ac,dc=uk","cn=*");
              echo "Search result is " . $sr . "<br />";

              echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";

              echo "Getting entries ...<p>";
              $info = ldap_get_entries($ds, $sr);
              echo "Data for " . $info["count"] . " items returned:<p>";

              for ($i=0; $i<$info["count"]; $i++) {
                  echo "Loop count: " . $i . "<br />";

        Replace the following echoes with:
        echo "<pre>";
        print_r($info[$i]);
        echo "</pre>";

                  echo "gidNumber is: ". $info[$i]["gidNumber"]."<br />";
                  echo "dn is: " . $info[$i]["dn"] . "<br />";
                  echo "first cn entry is: " . $info[$i]["cn"][0] . "<br />";
                  echo "first mail entry is: " . $info[$i]["mail"][0] . "<br /> <hr />";

        End replacement of the echoes.

              }

              echo "Closing connection";
              ldap_close($ds);

            } else {
              echo "<h4>Unable to connect to LDAP server</h4>";
            }
            ?>

            This is an auth script that works but doesn't block students;
            it's just a yes or no, and I don't know enough about PHP YET to
            work out how to fail the authentication if the gidNumber is 501.

            <?php

            $ldapconfig['host'] = 'alpha.portsmouth-college.ac.uk';
            $ldapconfig['port'] = NULL;
            $ldapconfig['basedn'] = 'dc=portsmouth-college,dc=ac,dc=uk';
            $ldapconfig['authrealm'] = 'My Realm';

            function ldap_authenticate() {
              global $ldapconfig;
              // HTTP Basic credentials; read from $_SERVER so this works
              // without register_globals (the original used "global $PHP_AUTH_USER")
              $PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
              $PHP_AUTH_PW   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';

              // an empty password would make ldap_bind() an anonymous bind, so require both
              if ($PHP_AUTH_USER != "" && $PHP_AUTH_PW != "") {
                  $ds= ldap_connect($ldapconfig['host'],$ldapconfig['port']);
                  // NB: the username goes into the search filter unescaped
                  $r = @ldap_search( $ds, $ldapconfig['basedn'], 'uid=' . $PHP_AUTH_USER);
                  if ($r) {
                      $result = @ldap_get_entries( $ds, $r);

        If you are getting the gidNumber returned in the above example,
        then try replacing the following if section:
        if ($result[0] && $result[0][gidNumber]!=501) {

                      if ($result[0]) {
                          if (@ldap_bind( $ds, $result[0]['dn'], $PHP_AUTH_PW) ) {
                              return $result[0];
                          }
                      }
                  }
              }
              header('WWW-Authenticate: Basic realm="'.$ldapconfig['authrealm'].'"');
              header('HTTP/1.0 401 Unauthorized');
              return NULL;
            }

            if (($result = ldap_authenticate()) == NULL) {
              echo('Authorization Failed');
              exit(0);
            }
            echo('Authorization success');
            echo('<br>');
            print_r($result);

            ?>


        Brian,

        Comments and some code changes included inline above. Let me know
        how that turns out for you.

        HTH,
        Ben



    OK, altered the first script as per comments and one of the results
    is below. It looks like it is retrieving the gidnumber etc. but I'm
    not sure how to alter the script so it only shows cn, uidnumber &
    gidnumber (the bits I need for the rest of my magical script).

    I've had a bit of a think about how I'm going to do this. I'm thinking
    about putting the page that staff access behind a .htaccess that is
    set up so only staff get through, as I have this working already, but
    I still need to retrieve the uidnumber etc. from LDAP so I can enter it
    into a database, so the line below won't be needed :-)


    if ($result[0] && $result[0][gidNumber]!=501) {

    but it didn't work :-(

    Results from first script :-

    Loop count: 4

    Array
    (
       [objectclass] => Array
           (
               [count] => 5
               [0] => top
               [1] => inetOrgPerson
               [2] => posixAccount
               [3] => shadowAccount
               [4] => sambaSamAccount
           )

       [0] => objectclass
       [cn] => Array
           (
               [count] => 1
               [0] => brian
           )

       [1] => cn
       [uid] => Array
           (
               [count] => 1
               [0] => brian
           )

       [2] => uid
       [uidnumber] => Array
           (
               [count] => 1
               [0] => 1013
           )

       [3] => uidnumber
       [gidnumber] => Array
           (
               [count] => 1
               [0] => 512
           )

       [4] => gidnumber
       [homedirectory] => Array
           (
               [count] => 1
               [0] => /home/brian
           )

       [5] => homedirectory
       [loginshell] => Array
           (
               [count] => 1
               [0] => /bin/bash
           )

       [6] => loginshell
       [gecos] => Array
           (
               [count] => 1
               [0] => System User
           )

       [7] => gecos
       [description] => Array
           (
               [count] => 1
               [0] => System User
           )

       [8] => description
       [sambalogontime] => Array
           (
               [count] => 1
               [0] => 0
           )

       [9] => sambalogontime
       [sambalogofftime] => Array
           (
               [count] => 1
               [0] => 2147483647
           )

       [10] => sambalogofftime
       [displayname] => Array
           (
               [count] => 1
               [0] => System User
           )

       [11] => displayname
       [sambalogonscript] => Array
           (
               [count] => 1
               [0] => startup.bat
           )

       [12] => sambalogonscript
       [sambaprofilepath] => Array
           (
               [count] => 1
               [0] => \\RHO2\profiles\brian
           )

       [13] => sambaprofilepath
       [sambahomepath] => Array
           (
               [count] => 1
               [0] => \\RHO2\homes\brian
           )

       [14] => sambahomepath
       [sambahomedrive] => Array
           (
               [count] => 1
               [0] => P:
           )

       [15] => sambahomedrive
       [sambalmpassword] => Array
           (
               [count] => 1
               [0] => 985CC3D8A9671FCDAAD3B435B51404EE
           )

       [16] => sambalmpassword
       [sambantpassword] => Array
           (
               [count] => 1
               [0] => F97C55B222D47D85D922EDC6C113585E
           )

       [17] => sambantpassword
       [sambapwdlastset] => Array
           (
               [count] => 1
               [0] => 1116514670
           )

       [18] => sambapwdlastset
       [userpassword] => Array
           (
               [count] => 1
               [0] => {SSHA}YwnYwZKpziq6NR42i9oOBApYzHVXTWM1
           )

       [19] => userpassword
       [givenname] => Array
           (
               [count] => 1
               [0] => Brian
           )

       [20] => givenname
       [sn] => Array
           (
               [count] => 1
               [0] => Chivers
           )

       [21] => sn
       [shadowexpire] => Array
           (
               [count] => 1
               [0] => 21915
           )

       [22] => shadowexpire
       [sambapwdcanchange] => Array
           (
               [count] => 1
               [0] => 1041379201
           )

       [23] => sambapwdcanchange
       [sambadomainname] => Array
           (
               [count] => 1
               [0] => TANGIER
           )

       [24] => sambadomainname
       [sambasid] => Array
           (
               [count] => 1
               [0] => S-1-5-21-3889783498-3206798075-3096547488-3026
           )

       [25] => sambasid
       [sambaprimarygroupsid] => Array
           (
               [count] => 1
               [0] => S-1-5-21-3889783498-3206798075-3096547488-512
           )

       [26] => sambaprimarygroupsid
       [sambaacctflags] => Array
           (
               [count] => 1
               [0] => [U          ]
           )

       [27] => sambaacctflags
       [mail] => Array
           (
               [count] => 1
               [0] => brian portsmouth-college ac uk
           )

       [28] => mail
       [sambakickofftime] => Array
           (
               [count] => 1
               [0] => 2147476447
           )

       [29] => sambakickofftime
       [sambapwdmustchange] => Array
           (
               [count] => 1
               [0] => 1337565435
           )

       [30] => sambapwdmustchange
       [count] => 31
       [dn] => uid=brian,ou=Users,dc=portsmouth-college,dc=ac,dc=uk

    )


Brian,

It looks like the if will need to look like this:
$gid=$result[0]['gidnumber'][0];
echo $gid;
if ($result[0] && $gid!=501) {
$uidNumber=$result[0]['uidnumber'][0];
echo $uidNumber;

Let me know if this works.
Ben



:-)

That's got it, now on to the next steps :-)

Thanks again for all the help
Brian

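An added example, not code from the thread or from Ben or Brian: the auth script with the gidnumber check folded in, reading the Basic-auth credentials from $_SERVER and escaping the username before it goes into the LDAP filter. The host, base DN and students' gid 501 are taken from the thread; LDAP_HOST, BLOCKED_GIDS and ldap_authenticate_staff are names chosen here, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread: HTTP Basic auth against OpenLDAP
// that also rejects one primary group. Host, base DN and the students' gid 501
// are from the thread; needs PHP >= 7.1 (ldap_escape, nullable return type).
const LDAP_HOST    = 'ldap://alpha.portsmouth-college.ac.uk';
const LDAP_BASEDN  = 'dc=portsmouth-college,dc=ac,dc=uk';
const BLOCKED_GIDS = [501];   // students; staff gids are allowed through

// Returns dn, uidnumber and gidnumber for a staff login, or null on any failure.
// ldap_get_entries() lowercases attribute names and wraps every value in an
// array with a 'count', so gidNumber is read as $e[0]['gidnumber'][0].
function ldap_authenticate_staff(string $user, string $pass): ?array
{
    // An empty password would turn ldap_bind() into an anonymous bind that
    // "succeeds", so refuse it up front.
    if ($user === '' || $pass === '') {
        return null;
    }
    $ds = ldap_connect(LDAP_HOST);
    if (!$ds) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Escape the username before it goes into the filter; otherwise '*' or
    // ')(uid=*' typed as a login name changes which entry gets looked up.
    $filter = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_search($ds, LDAP_BASEDN, $filter, ['uidnumber', 'gidnumber']);
    $e  = $sr ? ldap_get_entries($ds, $sr) : false;
    if (!$e || $e['count'] !== 1) {        // unknown user, or more than one match
        ldap_close($ds);
        return null;
    }
    $gid = (int) $e[0]['gidnumber'][0];
    // Group check first, then prove the password by binding as the user's own DN.
    if (in_array($gid, BLOCKED_GIDS, true) || !@ldap_bind($ds, $e[0]['dn'], $pass)) {
        ldap_close($ds);
        return null;
    }
    ldap_close($ds);
    return ['dn' => $e[0]['dn'], 'uidnumber' => (int) $e[0]['uidnumber'][0], 'gidnumber' => $gid];
}

// HTTP Basic credentials come from $_SERVER, not the register_globals $PHP_AUTH_USER.
$who = ldap_authenticate_staff($_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '');
if ($who === null) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authorization Failed');
}
echo "Authorization success: uidNumber {$who['uidnumber']}, gidNumber {$who['gidnumber']}";
```

Requesting only uidnumber and gidnumber in the search keeps the password hashes seen in the print_r output above out of the web server's memory and logs.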