<?php
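/**
 * simple class for LDAP authentification
 *
 * Copyright (C) 2013 Petr Palas
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 *
 * inspired by http://samjlevy.com/2010/09/php-login-script-using-ldap-verify-group-membership/
 */

namespace LDAP;

use Exception;

class auth {

    /**
     * Hostname, IP or ldap:// / ldaps:// URI of the LDAP server.
     * @var string
     */
    protected $ldap_host;

    /**
     * Base DN under which users are searched (active directory DN).
     * @var string
     */
    protected $ldap_dn;

    /**
     * Group granting ordinary user access. It is matched as a substring of the
     * user's memberOf DNs, so configure the full group DN rather than a bare
     * name to avoid matching other groups that merely contain it.
     * @var string
     */
    protected $ldap_user_group;

    /**
     * Group granting management access (same matching rule as $ldap_user_group).
     * @var string
     */
    protected $ldap_manager_group;

    /**
     * Email/UPN domain appended to the username when binding, like "@somedomain.com".
     * The constructor normalises it to begin with exactly one '@'.
     * @var string
     */
    protected $ldap_usr_dom;

    /**
     * LDAP connection handle (resource, or an \LDAP\Connection object on PHP >= 8.1);
     * null when no connection is open.
     * @var resource|object|null
     */
    protected $ldap;

    /**
     * Human readable status text; when an exception is thrown its message starts with this string.
     * @var string
     */
    public $status;

    /**
     * Entries returned by the last successful search in authenticate() (ldap_get_entries() format).
     * @var array
     */
    public $result;

    /**
     * Auth state: 1 once the supplied credentials bound successfully, otherwise 0.
     * Note that a user whose credentials are valid but who is in no configured
     * group still ends with auth=1 and access=0.
     * @var int
     */
    public $auth = 0;

    /**
     * Access level: 0 = none or unauthorized, 1 = user, 2 = management access.
     * @var int
     */
    public $access = 0;

    /**
     * Username after userInit() / authenticate().
     * @var string
     */
    public $user;

    /**
     * Password after userInit(). Kept in clear text for the lifetime of the
     * object so that getLDAPimg() can bind again without being passed it.
     * @var string
     */
    protected $password;

    /**
     * Exception code constants
     */
    const ERROR_CANT_AUTH = 1;
    const ERROR_WRONG_USER_GROUP = 2;
    const ERROR_CANT_SEARCH = 3;
    const ERROR_IMG_DECODE = 4;
    const ERROR_CANT_CONNECT = 5;

    /**
     * Stores the passed configuration. $ldap_usr_dom is normalised so that it
     * begins with exactly one '@' ("domain.com", "@domain.com" and "@@domain.com"
     * all yield "@domain.com").
     * @param string $ldap_host
     * @param string $ldap_dn
     * @param string $ldap_user_group
     * @param string $ldap_manager_group
     * @param string $ldap_usr_dom
     */
    public function __construct($ldap_host, $ldap_dn, $ldap_user_group, $ldap_manager_group, $ldap_usr_dom) {
        $this->ldap_host = $ldap_host;
        $this->ldap_dn = $ldap_dn;
        $this->ldap_user_group = $ldap_user_group;
        $this->ldap_manager_group = $ldap_manager_group;
        $this->ldap_usr_dom = '@' . trim($ldap_usr_dom, '@');
    }

    /**
     * Closes the LDAP connection in case one is still open when the object is destroyed.
     */
    public function __destruct() {
        $this->close_connection();
    }

    /**
     * Unbinds and forgets the current connection. Safe to call when not connected:
     * on PHP 8 ldap_unbind(null) is a TypeError (not silenced by @), so the handle
     * is checked before unbinding.
     */
    protected function close_connection() {
        if ($this->ldap) {
            @ldap_unbind($this->ldap);
        }
        $this->ldap = null;
    }

    /**
     * Dumps the result array enclosed in a <pre> tag, for debugging.
     * Output is not HTML-escaped; use it for debugging only. Won't terminate the script.
     */
    public function dump_resut() {
        echo '<pre>';
        print_r($this->result, FALSE);
        echo '</pre>';
    }

    /**
     * Opens a connection to the LDAP server (global catalog port 3268, protocol
     * version 3, no referral chasing). A previously opened connection is closed first.
     *
     * ldap_connect() does not contact the server; an unreachable host only shows
     * up at the first operation (the bind), which is why the failure is reported
     * there as ERROR_CANT_AUTH. Unless $ldap_host is an ldaps:// URI the bind
     * credentials travel unencrypted over the network.
     * @return boolean always TRUE
     * @throws Exception ERROR_CANT_CONNECT when ldap_connect() rejects the host
     */
    protected function init_connection() {
        $this->close_connection();
        $this->ldap = ldap_connect($this->ldap_host, 3268);
        if (!$this->ldap) {
            $this->status = 'Cant connect to LDAP';
            throw new Exception($this->status, self::ERROR_CANT_CONNECT);
        }
        $this->status = 'connected :)';
        ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($this->ldap, LDAP_OPT_REFERRALS, 0);
        return TRUE;
    }

    /**
     * Stores credentials for later calls of authenticate() / getLDAPimg() without arguments.
     * @param string $user username without domain part
     * @param string $password clear-text password
     * @return boolean always TRUE
     */
    public function userInit($user, $password) {
        $this->user = $user;
        $this->password = $password;
        return TRUE;
    }

    /**
     * Converts a binary string (like the thumbnail from LDAP) to a base64 data URI for display.
     * @param string $file binary data
     * @param string $mime mime type, e.g. 'image/png'
     * @return string "data:<mime>;base64,<data>"
     */
    protected function data_uri($file, $mime) {
        return 'data:' . $mime . ';base64,' . base64_encode($file);
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515), so that
     * the characters ( ) * \ and NUL in user supplied input cannot change the
     * meaning of the filter. Uses ldap_escape() where available (PHP >= 5.6)
     * and an equivalent replacement otherwise.
     * @param string $value
     * @return string
     */
    public static function escape_filter_value($value) {
        $value = (string) $value;
        if (function_exists('ldap_escape')) {
            return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
        }
        // backslash is replaced first so the escapes inserted afterwards are not escaped again
        return str_replace(
            array('\\', '*', '(', ')', "\0"),
            array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
            $value
        );
    }

    /**
     * Rejects empty credentials, opens a connection and binds as "<user><usr_dom>".
     *
     * An empty password must never reach ldap_bind(): LDAP servers commonly treat
     * it as an anonymous/unauthenticated bind and report success, which would let
     * any username pass authentication.
     * @param string $user
     * @param string $password
     * @throws Exception ERROR_CANT_AUTH when the credentials are empty or rejected,
     *                   ERROR_CANT_CONNECT from init_connection()
     */
    protected function bind_user($user, $password) {
        if ((string) $user === '' || (string) $password === '') {
            $this->status = 'Cant authenticate for search on LDAP';
            throw new Exception($this->status . ' empty username or password', self::ERROR_CANT_AUTH);
        }
        $this->init_connection();
        // @: ldap_bind emits a warning on bad credentials; the failure is reported through the exception instead
        $bind = @ldap_bind($this->ldap, $user . $this->ldap_usr_dom, $password);
        if (!$bind) {
            // invalid name or password (or unreachable server, see init_connection)
            $this->status = 'Cant authenticate for search on LDAP';
            throw new Exception($this->status . ' ' . ldap_error($this->ldap), self::ERROR_CANT_AUTH);
        }
    }

    /**
     * Searches the base DN for the entry whose sAMAccountName equals $user.
     * @param string $user username, escaped here before it is placed in the filter
     * @param array $attrs attributes to fetch
     * @return resource|object ldap result handle
     * @throws Exception ERROR_CANT_SEARCH
     */
    protected function search_user($user, array $attrs) {
        $filter = '(sAMAccountName=' . self::escape_filter_value($user) . ')';
        $result = @ldap_search($this->ldap, $this->ldap_dn, $filter, $attrs);
        if ($result === FALSE) {
            throw new Exception("Unable to search LDAP server. Reason: " . ldap_error($this->ldap), self::ERROR_CANT_SEARCH);
        }
        return $result;
    }

    /**
     * Gets the LDAP thumbnail image of the user.
     * @param string|null $user username, or null to use the one stored by userInit()
     * @param string|null $password password, or null to use the stored one
     * @param boolean $raw if TRUE the raw binary string is returned instead of a base64 data URI with image/png mime
     * @return string base64 data URI of the thumbnail (or raw binary when $raw is TRUE)
     * @throws Exception ERROR_CANT_AUTH, ERROR_CANT_CONNECT, ERROR_CANT_SEARCH,
     *                   ERROR_IMG_DECODE (user not found or attribute missing)
     */
    public function getLDAPimg($user = null, $password = null, $raw = FALSE) {
        $this->refreshCredentials($user, $password);
        // the connection is one-off: bind, search, unbind
        $this->bind_user($user, $password);
        $result = $this->search_user($user, array('thumbnailphoto'));
        $entry = ldap_first_entry($this->ldap, $result);
        if (!$entry) {
            $this->close_connection();
            throw new Exception("Unable to decode thumbnail. Error: no entry found for user", self::ERROR_IMG_DECODE);
        }
        // @: ldap_get_values_len warns when the attribute is absent; reported through the exception instead
        $info = @ldap_get_values_len($this->ldap, $entry, "thumbnailphoto");
        if (!$info) {
            $error = ldap_error($this->ldap);
            $this->close_connection();
            throw new Exception("Unable to decode thumbnail. Error: " . $error, self::ERROR_IMG_DECODE);
        }
        $this->close_connection();
        return $raw ? $info[0] : $this->data_uri($info[0], 'image/png');
    }

    /**
     * Tries to authenticate the supplied user with the supplied password and
     * derives the access level from the groups the user is a member of.
     * On success status, access, user, auth and result are set.
     * @param string|null $user username without domain, or null to use the stored one
     * @param string|null $password password, or null to use the stored one
     * @return boolean TRUE when the user authenticated and belongs to a configured group
     * @throws Exception ERROR_CANT_AUTH (empty or rejected credentials), ERROR_CANT_CONNECT,
     *                   ERROR_CANT_SEARCH, ERROR_WRONG_USER_GROUP (valid credentials, no configured group)
     */
    public function authenticate($user = null, $password = null) {
        // never let the outcome of a previous call survive a failed one
        $this->auth = 0;
        $this->access = 0;
        $this->refreshCredentials($user, $password);
        // the connection is one-off: bind, search, unbind
        $this->bind_user($user, $password);
        $result = $this->search_user($user, array('memberof'));
        $entries = ldap_get_entries($this->ldap, $result);
        $ldapError = ldap_error($this->ldap);
        $this->close_connection();
        if ($entries === FALSE) {
            throw new Exception("Unable to search LDAP server. Reason: " . $ldapError, self::ERROR_CANT_SEARCH);
        }
        // save the result for future use (dump_resut)
        $this->result = $entries;
        // a user that is a member of no group has no 'memberof' key at all
        $groups = isset($entries[0]['memberof']) ? $entries[0]['memberof'] : array();
        $access = $this->access_level($groups);
        $this->access = $access;
        $this->user = $user;
        // the credentials were valid even when no configured group matched
        $this->auth = 1;
        if ($access !== 0) {
            $this->status = 'Authenticated';
            return true;
        }
        // user has no rights
        $this->status = 'User exists but not part of the target group';
        throw new Exception($this->status . ' ' . $ldapError, self::ERROR_WRONG_USER_GROUP);
    }

    /**
     * Maps the user's memberOf DNs onto an access level; the manager group wins
     * over the user group.
     * @param array $groups memberOf values as returned by ldap_get_entries (may contain a 'count' key)
     * @return int 0 = no configured group matched, 1 = user group, 2 = manager group
     */
    protected function access_level(array $groups) {
        $access = 0;
        foreach ($groups as $key => $dn) {
            if ($key === 'count' || !is_string($dn)) {
                continue;
            }
            if ($this->dn_matches($dn, $this->ldap_manager_group)) {
                return 2;
            }
            if ($this->dn_matches($dn, $this->ldap_user_group)) {
                $access = 1;
            }
        }
        return $access;
    }

    /**
     * Case-sensitive substring match of a configured group against a memberOf DN.
     * An empty configured group never matches: on PHP 8 strpos() with an empty
     * needle returns 0, which would otherwise grant the level to every user.
     * strpos() returns 0 for a match at the start of the DN, hence the comparison with false.
     * @param string $dn
     * @param string|null $group
     * @return boolean
     */
    protected function dn_matches($dn, $group) {
        $group = (string) $group;
        return $group !== '' && strpos($dn, $group) !== false;
    }

    /**
     * Fills null arguments from the stored credentials, or stores the supplied
     * ones (via userInit) when both were given.
     * @param string|null $user reference; receives the stored username when null
     * @param string|null $password reference; receives the stored password when null
     */
    private function refreshCredentials(&$user, &$password) {
        $newCredentials = TRUE;
        // defaults cannot reference $this in the parameter list, hence done here
        if ($password === null) {
            $password = $this->password;
            $newCredentials = FALSE;
        }
        if ($user === null) {
            $user = $this->user;
            $newCredentials = FALSE;
        }
        if ($newCredentials) {
            $this->userInit($user, $password);
        }
    }
}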