Extend LDAP plugin to support AD authentication

  • Moderator

    The ldap query might look something like this

    ref: http://stackoverflow.com/questions/1032351/how-to-write-ldap-query-to-test-if-user-is-member-of-a-group

    (&(objectClass=user)(sAMAccountName=yourUserName)
      (memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))
    

    Translated into fields

    (&(objectClass=user)({User naming attribute}={UserID})
      ({Group member attribute}={Group naming attribute}={Group name},{Base DN}))
    

    I do have to say I have not looked at the php code yet to see if this can be reverse engineered into the code. I’m just collecting examples of the process right now.

    Use php to query ldap with group membership
    ref: https://samjlevy.com/use-php-and-ldap-to-get-a-users-group-membership-including-the-primary-group/

    This ref is a bit more on point than the above ref: https://samjlevy.com/php-login-script-using-ldap-verify-group-membership/

    <?php
    // Initialize session
    session_start();

    function authenticate($user, $password) {
        if(empty($user) || empty($password)) return false;

        // Active Directory server
        $ldap_host = "server.college.school.edu";

        // Active Directory DN (search base)
        $ldap_dn = "OU=Departments,DC=college,DC=school,DC=edu";

        // Active Directory user group
        $ldap_user_group = "WebUsers";

        // Active Directory manager group
        $ldap_manager_group = "WebManagers";

        // Domain, for purposes of constructing $user
        $ldap_usr_dom = '@college.school.edu';

        // No group matched yet (0 = no access, 1 = user, 2 = manager)
        $access = 0;

        // connect to active directory; AD needs LDAP protocol version 3,
        // and chasing referrals is disabled so searches do not fail on them
        $ldap = ldap_connect($ldap_host);
        if(!$ldap) return false;
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

        // verify user and password by binding as the user (UPN form)
        if($bind = @ldap_bind($ldap, $user.$ldap_usr_dom, $password)) {
            // valid
            // check presence in groups; escape the user-supplied value so it
            // cannot change the structure of the search filter
            $filter = "(sAMAccountName=".ldap_escape($user, "", LDAP_ESCAPE_FILTER).")";
            $attr = array("memberof");
            $result = ldap_search($ldap, $ldap_dn, $filter, $attr);
            if(!$result) { ldap_unbind($ldap); return false; }
            $entries = ldap_get_entries($ldap, $result);
            ldap_unbind($ldap);

            // no matching entry, or the entry has no group memberships
            if($entries['count'] < 1 || empty($entries[0]['memberof'])) return false;

            // check groups: compare the CN of each group DN exactly rather than
            // by substring, so "WebUsersAdmin" does not count as "WebUsers"
            foreach($entries[0]['memberof'] as $key => $grps) {
                // ldap_get_entries() adds a 'count' element to each array; skip it
                if($key === 'count') continue;
                $rdns = ldap_explode_dn($grps, 1);   // values only; [0] is the CN
                if($rdns === false) continue;
                $group = $rdns[0];

                // is manager, break loop
                if(strcasecmp($group, $ldap_manager_group) === 0) { $access = 2; break; }

                // is user
                if(strcasecmp($group, $ldap_user_group) === 0) $access = 1;
            }

            if($access != 0) {
                // establish session variables
                $_SESSION['user'] = $user;
                $_SESSION['access'] = $access;
                return true;
            } else {
                // user has no rights
                return false;
            }

        } else {
            // invalid name or password
            return false;
        }
    }
    ?>
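
The field template above, instantiated as an added Python example (not code from the thread, the linked posts, or the plugin): it escapes the user-supplied UserID before placing it in the filter and tests group membership by exact DN comparison rather than by substring. The field names and sample values in SAMPLE_FIELDS are constructed for the example.

```python
import re

# Constructed sample fields in the shape of the template (not real plugin config).
SAMPLE_FIELDS = {
    "user_naming_attribute": "sAMAccountName",
    "user_id": "jdoe",
    "group_member_attribute": "memberOf",
    "group_naming_attribute": "CN",
    "group_name": "WebUsers",
    "base_dn": "OU=Users,DC=example,DC=com",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter: the
    characters * ( ) \\ and NUL become \\xx hex escapes, so a login name
    such as '*)(objectClass=*' cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def group_dn(fields):
    """{Group naming attribute}={Group name},{Base DN}"""
    return "%s=%s,%s" % (fields["group_naming_attribute"],
                         fields["group_name"], fields["base_dn"])


def build_group_filter(fields):
    """Instantiate the template with the UserID and group DN escaped."""
    return "(&(objectClass=user)(%s=%s)(%s=%s))" % (
        fields["user_naming_attribute"], escape_filter_value(fields["user_id"]),
        fields["group_member_attribute"], escape_filter_value(group_dn(fields)),
    )


def normalize_dn(dn):
    """Case-fold a DN and drop whitespace around its unescaped commas so
    that differently formatted spellings of the same DN compare equal."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip() for p in parts).lower()


def is_member(memberof_values, target_group_dn):
    """Exact DN match over a user's memberOf values. Unlike a substring
    test, 'WebUsersAdmin' does not satisfy a check for 'WebUsers'."""
    target = normalize_dn(target_group_dn)
    return any(normalize_dn(v) == target for v in memberof_values)
```

In PHP, ldap_escape() with LDAP_ESCAPE_FILTER performs the same escaping as escape_filter_value().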
    

  • Moderator

    @george1421

    Just documenting the ldap requirements from another FOSS application pfsense here. These are the typical fields I would expect to see for any type of LDAP authentication against AD.

    [Attached screenshots of the pfSense LDAP settings: ldap1.png, ldap2.png, ldap3.png]
