NConf Active Directory Authentication

} elseif (AUTH_TYPE == "ad_ldap") {

    # This "ad_ldap" section heavily modified by ipro-bgardner
    #

    # connect to the AD server & use LDAP v3
    #
    $ldapconnection = ldap_connect(AD_LDAP_SERVER, AD_LDAP_PORT);

    ldap_set_option($ldapconnection, LDAP_OPT_PROTOCOL_VERSION, 3);


    # generate debug message if connection failed
    #
    if (!$ldapconnection) {

        NConf_DEBUG::set("Unable to connect to server", 'DEBUG', 'AD_LDAP_SERVER');

    } else {

        NConf_DEBUG::set("Successful ldap_connect: ldap://".AD_LDAP_SERVER.":".AD_LDAP_PORT, 'DEBUG', 'AD_LDAP_SERVER');


        # Try to ldap_bind using user-supplied credentials
        #
        $user_pwd = $_POST["password"];

        $ldap_response = @ldap_bind($ldapconnection, AD_NTDOMAIN."\\".$user_loginname, $user_pwd);


        if($ldap_response and $user_loginname and $user_pwd) {

            NConf_DEBUG::set("success", 'DEBUG', 'ldap bind');

            # If ldap_bind was successfull then the user exists
            # and is not disabled.


            # In order to get the welcome name from AD we need to set up
            # an array of attributes to pull from AD
            #
            $attributes = array(AD_USERNAME_ATTRIBUTE);
            NConf_DEBUG::set($attributes, 'DEBUG', 'AD USERNAME ATTRIBUTE');


            # See if the user is a member of the admin group.
            #
            if (AD_ADMIN_GROUP != "") {

                $admin_group_dn = AD_ADMIN_GROUP;

                if (AD_GROUP_DN != "") {
                    $admin_group_dn .= ','.AD_GROUP_DN;
                }

                NConf_DEBUG::set($admin_group_dn, 'DEBUG', 'admin group dn');


                # Set up the filter for the ldap_search.
                # We're looking for users that match the user-supplied username and
                # that are members of the admin group specified in AD_ADMIN_GROUP
                #
                $filter  = "(&(objectCategory=person)(objectClass=user)";
                $filter .= "(sAMAccountName=".$user_loginname.")(memberOf=".$admin_group_dn."))";
                NConf_DEBUG::set($filter, 'DEBUG', 'ldap search filter');


                # Perform the search.
                #
                $userattrs = ldap_search($ldapconnection, AD_BASE_DN, $filter, $attributes);


                # $userattrs_result will contain an array of search results.
                # There should only be one result.
                # If there's 0 results returned then the user is not a member of the group.
                # If more than one results returned then something unexpected happened and
                # we're going to treat it as an auth failure.
                #
                $userattrs_result = ldap_get_entries($ldapconnection, $userattrs);
                NConf_DEBUG::set($userattrs_result, 'DEBUG', 'check user is member of admin group');

                if ($userattrs_result["count"] == 1) {
                    # user has been identified as a member of the admin group
                    $_SESSION['group'] = GROUP_ADMIN;
                    NConf_DEBUG::set('', 'INFO', $_SESSION["group"].' access granted');

                }

            }


            # See if the user is a member of the non-admin group.
            # This is skipped if the user is a member of the admin group.
            # The same actions are taken in this section as above, so
            # comments are removed.
            #
            if ((AD_USER_GROUP != "") and ($_SESSION['group'] != GROUP_ADMIN)) {

                $user_group_dn = AD_USER_GROUP;

                if (AD_GROUP_DN != "") {
                    $user_group_dn .= ','.AD_GROUP_DN;
                }

                NConf_DEBUG::set($user_group_dn, 'DEBUG', 'non-admin group dn');


                $filter  = "(&(objectCategory=person)(objectClass=user)";
                $filter .= "(sAMAccountName=".$user_loginname.")(memberOf=".$user_group_dn."))";
                NConf_DEBUG::set($filter, 'DEBUG', 'ldap search filter');


                $userattrs = ldap_search($ldapconnection, AD_BASE_DN, $filter, $attributes);

                $userattrs_result = ldap_get_entries($ldapconnection, $userattrs);
                NConf_DEBUG::set($userattrs_result, 'DEBUG', 'check user is member of non-admin group');

                if ($userattrs_result["count"] == 1) {
                    $_SESSION['group'] = GROUP_USER;
                    NConf_DEBUG::set('', 'INFO', $_SESSION["group"].' access granted as non-admin');
                }

            }


            # if the user is not a member of either the admin or non-admin group then
            # we don't have to worry about trying to get the welcome message from AD
            #
            if (($_SESSION['group'] == GROUP_USER) or ($_SESSION['group'] == GROUP_ADMIN)) {

                # Set the welcome name
                #
                if ( (AUTH_FEEDBACK_AS_WELCOME_NAME == 1) AND !empty($userattrs_result[0][AD_USERNAME_ATTRIBUTE][0]) ) {
                    $_SESSION["userinfos"]["username"]  = $userattrs_result[0][AD_USERNAME_ATTRIBUTE][0];
                    NConf_DEBUG::set('Got welcome name from AD', 'INFO', 'set welcome name');

                } else {

                    $_SESSION["userinfos"]['username']  = $user_loginname;
                    NConf_DEBUG::set('Got welcome name from user_loginname', 'INFO', 'set welcome name');

                }

            } else {

                # Also, if the user is not a member of either group then we will note
                # the condition in debug info
                NConf_DEBUG::set(TXT_LOGIN_NOT_AUTHORIZED, 'ERROR');

            }


        } else {

            # ldap_bind failed
            NConf_DEBUG::set("fail", 'DEBUG', 'ldap bind');

        }

    }