
Authenticate to Active Directory Groups

Posted: Thu Dec 29, 2016 10:07 pm
by TomF

Hello, a very useful feature to have for a business or enterprise environment is a way to authenticate against Active Directory groups. This can be especially useful in creating corporate Intranets.

For example, let's say you have the following Active Directory security groups:

Human Resources
Finance
Marketing

In building a PHPMaker site for an Intranet, if we could tie authentication to Active Directory groups, we could create an area where Human Resources users can authenticate for purposes of adding records and documents to the "HR" section of the Intranet while Finance and Marketing users get only View access. Likewise, users in Finance can have their own areas and databases for adding and modifying information they need while other groups can have View access or no access at all. Maintaining permissions via Active Directory simplifies so much for the developer, end users (no more need to remember multiple user names and passwords) and system administrators.

I want to tie authentication within PHPMaker to Active Directory GROUPS. If this awesome feature were available, I could easily apply permissions to the site based on groups, not the entire set of Active Directory users. Using your suggestion, all users in AD are authenticated.

Thanks!


Re: Authenticate to Active Directory Groups

Posted: Fri Feb 03, 2017 2:38 am
by tom_f

How to grant access by polling the "memberof" attribute of all users in Active Directory? If a user has a specific memberof attribute, access can be granted or blocked.

e.g. authenticate.php

<?php
// Initialize session
session_start();

function authenticate($user, $password) {
	if (empty($user) || empty($password)) return false;

	// Active Directory server
	$ldap_host = "server.college.school.edu";

	// Active Directory DN
	$ldap_dn = "OU=Departments,DC=college,DC=school,DC=edu";

	// Active Directory user group
	$ldap_user_group = "WebUsers";

	// Active Directory manager group
	$ldap_manager_group = "WebManagers";

	// Domain, for purposes of constructing $user
	$ldap_usr_dom = '@college.school.edu';

	// connect to active directory (AD needs LDAPv3; disabling referral
	// chasing avoids search failures against the domain naming context)
	$ldap = ldap_connect($ldap_host);
	if (!$ldap) return false;
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

	// verify user and password
	if (@ldap_bind($ldap, $user.$ldap_usr_dom, $password)) {
		// valid
		// check presence in groups; escape $user so it cannot alter the filter
		$filter = "(sAMAccountName=".ldap_escape($user, '', LDAP_ESCAPE_FILTER).")";
		$attr = array("memberof");
		$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
		$entries = ldap_get_entries($ldap, $result);
		ldap_unbind($ldap);

		// check groups: each memberof value is a DN such as "CN=WebUsers,OU=...";
		// match the whole CN at the start of the DN, otherwise "WebUsers" would
		// also match a group named "WebUsersArchive"
		$access = 0;
		$groups = isset($entries[0]['memberof']) ? $entries[0]['memberof'] : array();
		foreach ($groups as $key => $grps) {
			if ($key === 'count') continue; // ldap_get_entries() adds a 'count' element

			// is manager, break loop
			if (stripos($grps, "CN=".$ldap_manager_group.",") === 0) { $access = 2; break; }

			// is user
			if (stripos($grps, "CN=".$ldap_user_group.",") === 0) $access = 1;
		}

		if ($access != 0) {
			// establish session variables (fresh session id against fixation)
			session_regenerate_id(true);
			$_SESSION['user'] = $user;
			$_SESSION['access'] = $access;
			return true;
		} else {
			// user has no rights
			return false;
		}

	} else {
		// invalid name or password
		return false;
	}
}
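An added example, not code from the thread, that replaces the strpos() substring test: it parses the CN out of each memberof DN (honouring escaped commas), compares it case-insensitively against a group-to-level map, and builds the sAMAccountName filter with ldap_escape(). The memberof values are constructed; the PHP ldap extension is assumed to be loaded.

```php
<?php
// Added example, not from the thread: exact-CN group mapping for memberof values.
// strpos($grps, "WebUsers") also matches "CN=WebUsersArchive,..." and would give
// that user access; matching the parsed CN exactly does not.

// Value of the first RDN of a DN: "CN=Web Users,OU=..." -> "Web Users".
// Handles RFC 4514 escapes such as "\," and "\2c" inside the value.
function firstRdnValue(string $dn): ?string {
    if (!preg_match('/^\s*[A-Za-z]+=((?:\\\\.|[^,])*)/', $dn, $m)) {
        return null;
    }
    return preg_replace_callback('/\\\\(?:[0-9A-Fa-f]{2}|.)/', function ($x) {
        $e = substr($x[0], 1);
        return (strlen($e) === 2 && ctype_xdigit($e)) ? chr(hexdec($e)) : $e;
    }, $m[1]);
}

// $groupLevels: group CN => access level. The highest level of any matching
// group wins; 0 means no access. AD group names are case-insensitive.
function accessLevelFromMemberOf(array $memberOf, array $groupLevels): int {
    $level = 0;
    foreach ($memberOf as $key => $dn) {
        if ($key === 'count' || !is_string($dn)) continue; // ldap_get_entries() adds 'count'
        $cn = firstRdnValue($dn);
        if ($cn === null) continue;
        foreach ($groupLevels as $group => $l) {
            if (strcasecmp($cn, $group) === 0) $level = max($level, $l);
        }
    }
    return $level;
}

// Filter for the sAMAccountName lookup; the thread concatenates $user unescaped,
// so a name such as "x)(objectClass=*" would rewrite the filter.
function accountFilter(string $user): string {
    return '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
}

// Constructed sample shaped like ldap_get_entries($ldap, $result)[0]['memberof']
$memberOf = [
    'count' => 3,
    0 => 'CN=WebUsersArchive,OU=Departments,DC=college,DC=school,DC=edu', // decoy
    1 => 'CN=Sales\, EMEA,OU=Departments,DC=college,DC=school,DC=edu',
    2 => 'CN=webmanagers,OU=Departments,DC=college,DC=school,DC=edu',
];
$levels = ['WebUsers' => 1, 'WebManagers' => 2];
echo accessLevelFromMemberOf($memberOf, $levels), "\n";           // manager via case-insensitive CN
echo accessLevelFromMemberOf([0 => $memberOf[0]], $levels), "\n";  // decoy alone grants nothing
echo firstRdnValue($memberOf[1]), "\n";                           // escaped comma kept in the name
echo accountFilter('jdoe)(objectClass=*'), "\n";                  // parentheses and * neutralised
```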

Re: Authenticate to Active Directory Groups

Posted: Wed Sep 18, 2024 9:38 pm
by FedeLopez

What I did was add a text field adgroup to the group table, then store the info from memberof, then in the Ldap_Validated server event:

	// helper: map an AD group name to id_area via the sys_area table (adgroup column)
	if (!function_exists('getADMemberof')) { // guard against redeclaration if the event runs twice
		function getADMemberof($inputString) {
			$sql = "SELECT adgroup, id_area FROM sys_area";
			$stmt = ExecuteQuery($sql);
			$stringValues = array();
			if ($stmt->rowCount() > 0) { // check condition: if record count is greater than 0
				while ($row = $stmt->fetch()) { // loop
					$stringValues[$row["adgroup"]] = intval($row["id_area"]);
				}
			}
			if (array_key_exists($inputString, $stringValues)) {
				$area = $stringValues[$inputString];
				return $area;
			} else {
				return 0;
			}
		}
	}

	$ldap_conn = $this->Conn;
	$search_base = "OU=Departments,DC=college,DC=school,DC=edu"; // Your LDAP Directory
	// escape the user name so it cannot alter the filter
	$search_filter = "(sAMAccountName=" . ldap_escape($usr, '', LDAP_ESCAPE_FILTER) . ")";
	$search_attributes = array("givenName", "sn", "mail", "employeeID", "memberof");
	$search_result = ldap_search($ldap_conn, $search_base, $search_filter, $search_attributes);
	$user = $usr;     // display name fallback if the entry has no givenName/sn
	$group_id = "0";  // userlevel_ID stays 0 until the memberof mapping is enabled
	if ($search_result) {
		$entries = ldap_get_entries($ldap_conn, $search_result);
		for ($i = 0; $i < $entries["count"]; $i++) {
			// ldap_get_entries() lower-cases attribute names; attributes may be absent
			$name = $entries[$i]["givenname"][0] ?? "";
			$lastname = $entries[$i]["sn"][0] ?? "";
			$cuit = $entries[$i]["employeeid"][0] ?? "";
			$correo = $entries[$i]["mail"][0] ?? "";
			$delimiter = ",";
			/*
			$cns = [];
			foreach ($entries[$i]["memberof"] as $item) {
				$parts = explode($delimiter, $item);
				if (!empty($parts)) {
					$cns[] = $parts[0];
				}
			}
			$cn = implode(", ", array_slice($cns,1));
			$group= str_replace("CN=","",$cns[1]);
			$area_id = getADMemberof($group);
			$grupos = str_replace("CN=","",$cn);
			*/
			$user = trim($name . ' ' . $lastname);
		}
	}

	// AdjustSql() is PHPMaker's SQL-escaping helper: a name such as O'Brien coming
	// from AD must not break (or inject into) the statement. md5() is not a safe
	// password hash; the LDAP bind is what actually authenticates this user.
	ExecuteUpdate("INSERT INTO `webuser` (
		`user`,
		`name`,
		`password`,
		`userlevel_ID`
	) VALUES (
		'" . AdjustSql($usr) . "',
		'" . AdjustSql($user) . "',
		'" . md5($pwd) . "',
		'" . AdjustSql($group_id) . "'
	)");

so, basically, you can assign userlevel_ID according to memberof (AD Groups)... but you still need to create the groups table in the database.
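A second added example, again not the poster's code: memberof on the user object lists only direct memberships, so a user who sits in the mapped group through a nested group gets userlevel 0. This version lets the domain controller expand nesting with the LDAP_MATCHING_RULE_IN_CHAIN rule and maps the first matching group DN to a userlevel_ID. It assumes $this->Conn is an already bound connection, as in Ldap_Validated; the HR-Editors group DN is hypothetical.

```php
<?php
// Added example, not from the post. memberof on the user object holds only
// direct memberships; letting the domain controller expand nested groups with
// the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) also
// catches users who reach the mapped group through another group.

// Filter: this sAMAccountName AND transitive member of $groupDn.
function nestedMemberFilter(string $sam, string $groupDn): string {
    return '(&(sAMAccountName=' . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . ')'
        . '(memberOf:1.2.840.113556.1.4.1941:=' . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . '))';
}

// $groupToLevel: group DN => userlevel_ID, most privileged first. Returns the
// level of the first group the user is (transitively) in, else $default; a
// failed search counts as "not a member", never as access.
function userlevelForUser($ldap_conn, string $base, string $sam, array $groupToLevel, int $default = 0): int {
    foreach ($groupToLevel as $groupDn => $level) {
        $res = @ldap_search($ldap_conn, $base, nestedMemberFilter($sam, $groupDn), ['dn']);
        if ($res !== false && ldap_count_entries($ldap_conn, $res) > 0) {
            return $level;
        }
    }
    return $default;
}

// Offline check of the filter builder: parentheses and * in the name are neutralised.
echo nestedMemberFilter('jdoe)(cn=*', 'CN=HR-Editors,OU=Departments,DC=college,DC=school,DC=edu'), "\n";

// Inside Ldap_Validated (hypothetical mapping; in practice read it from sys_area):
// $group_id = userlevelForUser($this->Conn, "OU=Departments,DC=college,DC=school,DC=edu", $usr, [
//     "CN=HR-Editors,OU=Departments,DC=college,DC=school,DC=edu" => 2,
//     "CN=WebUsers,OU=Departments,DC=college,DC=school,DC=edu"   => 1,
// ]);
```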