- } elseif (AUTH_TYPE == "ad_ldap") {
- # This "ad_ldap" section heavily modified by ipro-bgardner
- #
- # connect to the AD server & use LDAP v3
- #
- $ldapconnection = ldap_connect(AD_LDAP_SERVER, AD_LDAP_PORT);
- ldap_set_option($ldapconnection, LDAP_OPT_PROTOCOL_VERSION, 3);
- # generate debug message if connection failed
- #
- if (!$ldapconnection) {
- NConf_DEBUG::set("Unable to connect to server", 'DEBUG', 'AD_LDAP_SERVER');
- } else {
- NConf_DEBUG::set("Successful ldap_connect: ldap://".AD_LDAP_SERVER.":".AD_LDAP_PORT, 'DEBUG', 'AD_LDAP_SERVER');
- # Try to ldap_bind using user-supplied credentials
- #
- $user_pwd = $_POST["password"];
- $ldap_response = @ldap_bind($ldapconnection, AD_NTDOMAIN."\\".$user_loginname, $user_pwd);
- if($ldap_response and $user_loginname and $user_pwd) {
- NConf_DEBUG::set("success", 'DEBUG', 'ldap bind');
- # If ldap_bind was successfull then the user exists
- # and is not disabled.
- # In order to get the welcome name from AD we need to set up
- # an array of attributes to pull from AD
- #
- $attributes = array(AD_USERNAME_ATTRIBUTE);
- NConf_DEBUG::set($attributes, 'DEBUG', 'AD USERNAME ATTRIBUTE');
- # See if the user is a member of the admin group.
- #
- if (AD_ADMIN_GROUP != "") {
- $admin_group_dn = AD_ADMIN_GROUP;
- if (AD_GROUP_DN != "") {
- $admin_group_dn .= ','.AD_GROUP_DN;
- }
- NConf_DEBUG::set($admin_group_dn, 'DEBUG', 'admin group dn');
- # Set up the filter for the ldap_search.
- # We're looking for users that match the user-supplied username and
- # that are members of the admin group specified in AD_ADMIN_GROUP
- #
- $filter = "(&(objectCategory=person)(objectClass=user)";
- $filter .= "(sAMAccountName=".$user_loginname.")(memberOf=".$admin_group_dn."))";
- NConf_DEBUG::set($filter, 'DEBUG', 'ldap search filter');
- # Perform the search.
- #
- $userattrs = ldap_search($ldapconnection, AD_BASE_DN, $filter, $attributes);
- # $userattrs_result will contain an array of search results.
- # There should only be one result.
- # If there's 0 results returned then the user is not a member of the group.
- # If more than one results returned then something unexpected happened and
- # we're going to treat it as an auth failure.
- #
- $userattrs_result = ldap_get_entries($ldapconnection, $userattrs);
- NConf_DEBUG::set($userattrs_result, 'DEBUG', 'check user is member of admin group');
- if ($userattrs_result["count"] == 1) {
- # user has been identified as a member of the admin group
- $_SESSION['group'] = GROUP_ADMIN;
- NConf_DEBUG::set('', 'INFO', $_SESSION["group"].' access granted');
- }
- }
- # See if the user is a member of the non-admin group.
- # This is skipped if the user is a member of the admin group.
- # The same actions are taken in this section as above, so
- # comments are removed.
- #
- if ((AD_USER_GROUP != "") and ($_SESSION['group'] != GROUP_ADMIN)) {
- $user_group_dn = AD_USER_GROUP;
- if (AD_GROUP_DN != "") {
- $user_group_dn .= ','.AD_GROUP_DN;
- }
- NConf_DEBUG::set($user_group_dn, 'DEBUG', 'non-admin group dn');
- $filter = "(&(objectCategory=person)(objectClass=user)";
- $filter .= "(sAMAccountName=".$user_loginname.")(memberOf=".$user_group_dn."))";
- NConf_DEBUG::set($filter, 'DEBUG', 'ldap search filter');
- $userattrs = ldap_search($ldapconnection, AD_BASE_DN, $filter, $attributes);
- $userattrs_result = ldap_get_entries($ldapconnection, $userattrs);
- NConf_DEBUG::set($userattrs_result, 'DEBUG', 'check user is member of non-admin group');
- if ($userattrs_result["count"] == 1) {
- $_SESSION['group'] = GROUP_USER;
- NConf_DEBUG::set('', 'INFO', $_SESSION["group"].' access granted as non-admin');
- }
- }
- # if the user is not a member of either the admin or non-admin group then
- # we don't have to worry about trying to get the welcome message from AD
- #
- if (($_SESSION['group'] == GROUP_USER) or ($_SESSION['group'] == GROUP_ADMIN)) {
- # Set the welcome name
- #
- if ( (AUTH_FEEDBACK_AS_WELCOME_NAME == 1) AND !empty($userattrs_result[0][AD_USERNAME_ATTRIBUTE][0]) ) {
- $_SESSION["userinfos"]["username"] = $userattrs_result[0][AD_USERNAME_ATTRIBUTE][0];
- NConf_DEBUG::set('Got welcome name from AD', 'INFO', 'set welcome name');
- } else {
- $_SESSION["userinfos"]['username'] = $user_loginname;
- NConf_DEBUG::set('Got welcome name from user_loginname', 'INFO', 'set welcome name');
- }
- } else {
- # Also, if the user is not a member of either group then we will note
- # the condition in debug info
- NConf_DEBUG::set(TXT_LOGIN_NOT_AUTHORIZED, 'ERROR');
- }
- } else {
- # ldap_bind failed
- NConf_DEBUG::set("fail", 'DEBUG', 'ldap bind');
- }
- }