daily pastebin goal
82%
SHARE
TWEET

NConf Active Directory Authentication

a guest Aug 21st, 2012 170 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. } elseif (AUTH_TYPE == "ad_ldap") {
  2.  
  3.     # This "ad_ldap" section heavily modified by ipro-bgardner
  4.    #
  5.  
  6.     # connect to the AD server & use LDAP v3
  7.    #
  8.    $ldapconnection = ldap_connect(AD_LDAP_SERVER, AD_LDAP_PORT);
  9.  
  10.     ldap_set_option($ldapconnection, LDAP_OPT_PROTOCOL_VERSION, 3);
  11.  
  12.  
  13.     # generate debug message if connection failed
  14.    #
  15.    if (!$ldapconnection) {
  16.  
  17.         NConf_DEBUG::set("Unable to connect to server", 'DEBUG', 'AD_LDAP_SERVER');
  18.  
  19.     } else {
  20.  
  21.         NConf_DEBUG::set("Successful ldap_connect: ldap://".AD_LDAP_SERVER.":".AD_LDAP_PORT, 'DEBUG', 'AD_LDAP_SERVER');
  22.  
  23.  
  24.         # Try to ldap_bind using user-supplied credentials
  25.        #
  26.        $user_pwd = $_POST["password"];
  27.  
  28.         $ldap_response = @ldap_bind($ldapconnection, AD_NTDOMAIN."\\".$user_loginname, $user_pwd);
  29.  
  30.  
  31.         if($ldap_response and $user_loginname and $user_pwd) {
  32.  
  33.             NConf_DEBUG::set("success", 'DEBUG', 'ldap bind');
  34.  
  35.             # If ldap_bind was successfull then the user exists
  36.            # and is not disabled.
  37.  
  38.  
  39.             # In order to get the welcome name from AD we need to set up
  40.            # an array of attributes to pull from AD
  41.            #
  42.            $attributes = array(AD_USERNAME_ATTRIBUTE);
  43.             NConf_DEBUG::set($attributes, 'DEBUG', 'AD USERNAME ATTRIBUTE');
  44.  
  45.  
  46.             # See if the user is a member of the admin group.
  47.            #
  48.            if (AD_ADMIN_GROUP != "") {
  49.  
  50.                 $admin_group_dn = AD_ADMIN_GROUP;
  51.  
  52.                 if (AD_GROUP_DN != "") {
  53.                     $admin_group_dn .= ','.AD_GROUP_DN;
  54.                 }
  55.  
  56.                 NConf_DEBUG::set($admin_group_dn, 'DEBUG', 'admin group dn');
  57.  
  58.  
  59.                 # Set up the filter for the ldap_search.
  60.                # We're looking for users that match the user-supplied username and
  61.                # that are members of the admin group specified in AD_ADMIN_GROUP
  62.                #
  63.                $filter  = "(&(objectCategory=person)(objectClass=user)";
  64.                 $filter .= "(sAMAccountName=".$user_loginname.")(memberOf=".$admin_group_dn."))";
  65.                 NConf_DEBUG::set($filter, 'DEBUG', 'ldap search filter');
  66.  
  67.  
  68.                 # Perform the search.
  69.                #
  70.                $userattrs = ldap_search($ldapconnection, AD_BASE_DN, $filter, $attributes);
  71.  
  72.  
  73.                 # $userattrs_result will contain an array of search results.
  74.                # There should only be one result.  
  75.                # If there's 0 results returned then the user is not a member of the group.
  76.                # If more than one results returned then something unexpected happened and
  77.                # we're going to treat it as an auth failure.
  78.                #
  79.                $userattrs_result = ldap_get_entries($ldapconnection, $userattrs);
  80.                 NConf_DEBUG::set($userattrs_result, 'DEBUG', 'check user is member of admin group');
  81.  
  82.                 if ($userattrs_result["count"] == 1) {
  83.                     # user has been identified as a member of the admin group
  84.                    $_SESSION['group'] = GROUP_ADMIN;
  85.                     NConf_DEBUG::set('', 'INFO', $_SESSION["group"].' access granted');
  86.  
  87.                 }
  88.  
  89.             }
  90.  
  91.  
  92.             # See if the user is a member of the non-admin group.
  93.            # This is skipped if the user is a member of the admin group.
  94.            # The same actions are taken in this section as above, so
  95.            # comments are removed.
  96.            #
  97.            if ((AD_USER_GROUP != "") and ($_SESSION['group'] != GROUP_ADMIN)) {
  98.  
  99.                 $user_group_dn = AD_USER_GROUP;
  100.  
  101.                 if (AD_GROUP_DN != "") {
  102.                     $user_group_dn .= ','.AD_GROUP_DN;
  103.                 }
  104.  
  105.                 NConf_DEBUG::set($user_group_dn, 'DEBUG', 'non-admin group dn');
  106.  
  107.  
  108.                 $filter  = "(&(objectCategory=person)(objectClass=user)";
  109.                 $filter .= "(sAMAccountName=".$user_loginname.")(memberOf=".$user_group_dn."))";
  110.                 NConf_DEBUG::set($filter, 'DEBUG', 'ldap search filter');
  111.  
  112.  
  113.                 $userattrs = ldap_search($ldapconnection, AD_BASE_DN, $filter, $attributes);
  114.  
  115.                 $userattrs_result = ldap_get_entries($ldapconnection, $userattrs);
  116.                 NConf_DEBUG::set($userattrs_result, 'DEBUG', 'check user is member of non-admin group');
  117.  
  118.                 if ($userattrs_result["count"] == 1) {
  119.                     $_SESSION['group'] = GROUP_USER;
  120.                     NConf_DEBUG::set('', 'INFO', $_SESSION["group"].' access granted as non-admin');
  121.                 }
  122.  
  123.             }
  124.  
  125.  
  126.             # if the user is not a member of either the admin or non-admin group then
  127.            # we don't have to worry about trying to get the welcome message from AD
  128.            #
  129.            if (($_SESSION['group'] == GROUP_USER) or ($_SESSION['group'] == GROUP_ADMIN)) {
  130.  
  131.                 # Set the welcome name
  132.                #
  133.                if ( (AUTH_FEEDBACK_AS_WELCOME_NAME == 1) AND !empty($userattrs_result[0][AD_USERNAME_ATTRIBUTE][0]) ) {
  134.                     $_SESSION["userinfos"]["username"]  = $userattrs_result[0][AD_USERNAME_ATTRIBUTE][0];
  135.                     NConf_DEBUG::set('Got welcome name from AD', 'INFO', 'set welcome name');
  136.  
  137.                 } else {
  138.  
  139.                     $_SESSION["userinfos"]['username']  = $user_loginname;
  140.                     NConf_DEBUG::set('Got welcome name from user_loginname', 'INFO', 'set welcome name');
  141.  
  142.                 }
  143.  
  144.             } else {
  145.  
  146.                 # Also, if the user is not a member of either group then we will note
  147.                # the condition in debug info
  148.                NConf_DEBUG::set(TXT_LOGIN_NOT_AUTHORIZED, 'ERROR');
  149.  
  150.             }
  151.  
  152.  
  153.         } else {
  154.  
  155.             # ldap_bind failed
  156.            NConf_DEBUG::set("fail", 'DEBUG', 'ldap bind');
  157.  
  158.         }
  159.  
  160.     }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top