
Restricting access to data by AD Group


OzSteve


We have a subset of data that is restricted to users of our system that are not in Australia. So the code below is designed to check whether the request is coming from our internal ranges (1 & 2) or our Australian VPN Range and, if not, restrict access to that data and send an email to 2 people highlighting the "illegal" access attempt.

What I need to do is alter this code so that, once it has verified location, it also verifies that the person is a member of the AD Security group "ALLOWED".

If you have any idea, please feel free to share. I don't want it completely re-written and I accept that it may not be an ideal solution (I didn't write the code), but I need a quick idea. Any help would be awesome.

<?php
function check_australian_access($hide)
{
    global $user_details;
    require_once '/var/www/common/emailer.php';

    // Block the request (and notify) when the data is restricted and the
    // client is not on an allowed internal or VPN range.
    if ($hide && ! is_australian_server())
    {
        print "<b>This information is restricted to users of COMPANY, located within the Australian network.<br>
        <br>
        This access attempt has been logged.</b><br>
        <br>
        IP Address: $_SERVER[REMOTE_ADDR]<br>
        Username: $user_details->username";

        email_from_to('SYSTEM <fromaddress@company.com>', 'toaddress1@company.com,toaddress2@company.com',
            "Illegal Access Attempt - $_SERVER[REMOTE_ADDR] - $user_details->username",
            "An unauthorized user has attempted to access restricted information.\n\nURL: $_SERVER[REQUEST_URI]\n\n"
            . print_r($_SESSION, true) . "\n\n$_SERVER[HTTP_USER_AGENT]");

        exit();
    }
}

//-------------------------------------------------------------------------------------------------

// Replace a restricted value with a placeholder when the client may not see it.
function hide_australian_restricted_information($hide, $string)
{
    return $hide && ! is_australian_server() ? '*** RESTRICTED ***' : $string;
}

//-------------------------------------------------------------------------------------------------

// True when a restricted row or section should be skipped entirely for this client.
function skip_australian_restricted_information($hide)
{
    return $hide && ! is_australian_server();
}

//-------------------------------------------------------------------------------------------------

// Allowed source ranges (the range strings were redacted in the post).
// Note that strpos() is a substring test, so any REMOTE_ADDR that merely
// contains the text matches; it is not a network/prefix comparison.
function is_australian_server()
{
    // Discrete allowed ranges
    if (strpos($_SERVER['REMOTE_ADDR'], 'internal.range.1') !== false)
        return true;

    if (strpos($_SERVER['REMOTE_ADDR'], 'internal.range.2') !== false)
        return true;

    if (strpos($_SERVER['REMOTE_ADDR'], 'vpn.range.1') !== false)
        return true;

    return false;
}
?>


Well, these are a series of functions.

Do you have a function that checks for the AD security group membership? You should build one around the PHP LDAP functions. I don't know if you already know this or if you are asking how to query AD, but you need to use the LDAP library. Since there is a variety of different ways to set up groups in AD, you'll have to figure out what is appropriate for your system. I haven't done this in a very long time, but it's good to use an LDAP query tool to figure out what queries return what you expect. This Stackoverflow question is old, but it should give you an idea of how to attack the problem: https://stackoverflow.com/questions/23270575/validate-ad-group-membership-with-php-and-ldap

Assuming you had such a function, simply adding an additional check should do the trick.  I would rewrite this function in this way for clarity and efficiency:

 

function check_australian_access($hide)
{
  global $user_details;
  require_once '/var/www/common/emailer.php';

  if (!$hide || (is_australian_server() && is_ad_member('ALLOWED'))) {
    return;
  }
  
  // Shouldn't be able to see this
  print "<b>This information is restricted to users of COMPANY, located within the Australian network.<br>
  <br>
  This access attempt has been logged.</b>
  <br><br>
  IP Address: $_SERVER[REMOTE_ADDR]<br>
  Username: $user_details->username";

  email_from_to('SYSTEM <fromaddress@company.com>', 'toaddress1@company.com,toaddress2@company.com',
      "Illegal Access Attempt - $_SERVER[REMOTE_ADDR] - $user_details->username",
      "An unauthorized user has attempted to access restricted information.\n\nURL: $_SERVER[REQUEST_URI]\n\n"
      . print_r($_SESSION, true) . "\n\n$_SERVER[HTTP_USER_AGENT]");

  exit();
}
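Added example, not code from either poster: a concrete `is_ad_member()` built on PHP's `ldap_*` functions, as the reply suggests, together with a prefix-based replacement for the `strpos()` range test in the original `is_australian_server()`. Unlike the reply's `is_ad_member('ALLOWED')`, this version takes the username as well as the group name, so `check_australian_access()` would call `is_ad_member($user_details->username, 'ALLOWED')`. Every hostname, DN, CIDR range and credential below is a hypothetical placeholder.

```php
<?php
// Added example (not the thread's code). Placeholders: dc1.corp.example,
// DC=corp,DC=example, the svc-ldap-ro account and all CIDR ranges.

/** True when $ip (IPv4 dotted quad) lies inside $cidr, e.g. '10.20.0.0/16'. */
function ip_in_cidr($ip, $cidr)
{
    list($subnet, $bits) = explode('/', $cidr, 2);
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;                                   // not a valid IPv4 address
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask); // compare network prefixes only
}

/** Prefix comparison instead of the substring test on REMOTE_ADDR. */
function is_australian_server()
{
    // Hypothetical ranges; substitute the real internal and VPN CIDRs.
    $allowed = ['10.10.0.0/16', '10.20.0.0/16', '192.0.2.0/24'];
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ($allowed as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * True when $sam_account is a member of the AD group named $group_cn,
 * directly or through nested groups. Any LDAP failure returns false (fail closed).
 */
function is_ad_member($sam_account, $group_cn)
{
    $ldap_uri = 'ldaps://dc1.corp.example';                     // hypothetical DC, LDAPS only
    $base_dn  = 'DC=corp,DC=example';                           // hypothetical search base
    $bind_dn  = 'CN=svc-ldap-ro,OU=Service,DC=corp,DC=example'; // read-only service account
    $bind_pw  = getenv('LDAP_RO_PASSWORD');                     // keep the secret out of the source

    $conn = ldap_connect($ldap_uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);             // AD returns referrals; chasing them stalls searches

    // '@' keeps the bind-failure warning out of the page; log it server-side instead.
    if (!@ldap_bind($conn, $bind_dn, $bind_pw)) {
        ldap_unbind($conn);
        return false;
    }

    // 1. Resolve the group's DN. ldap_escape() stops '*', '(', ')' and '\'
    //    in the supplied name from changing the filter's meaning.
    $group_filter = '(&(objectClass=group)(cn=' . ldap_escape($group_cn, '', LDAP_ESCAPE_FILTER) . '))';
    $res     = ldap_search($conn, $base_dn, $group_filter, ['distinguishedName']);
    $entries = $res ? ldap_get_entries($conn, $res) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;                                           // group missing or ambiguous
    }
    $group_dn = $entries[0]['distinguishedname'][0];            // attribute keys come back lower-cased

    // 2. Look for the user whose memberOf chain contains that group.
    //    1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN, which
    //    expands nested group membership on the server.
    $user_filter = '(&(objectClass=user)'
                 . '(sAMAccountName=' . ldap_escape($sam_account, '', LDAP_ESCAPE_FILTER) . ')'
                 . '(memberOf:1.2.840.113556.1.4.1941:=' . ldap_escape($group_dn, '', LDAP_ESCAPE_FILTER) . '))';
    $res     = ldap_search($conn, $base_dn, $user_filter, ['sAMAccountName']);
    $entries = $res ? ldap_get_entries($conn, $res) : false;
    ldap_unbind($conn);

    return $entries !== false && $entries['count'] === 1;
}
```

Two design points worth keeping if you adapt this: the function only ever returns true on a single positive match, so a directory outage or a mistyped group name denies access rather than granting it, and both user-supplied values pass through `ldap_escape()` before they reach a filter, so the membership test cannot be widened by a crafted username. With `LDAP_MATCHING_RULE_IN_CHAIN` the check also holds when `ALLOWED` contains other groups rather than users directly, which a plain `memberOf=` comparison would miss.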

 
