
I don't quite know how to phrase this question...

 

I am working with authentication against AD using mod_auth_SSPI, and it does meet my needs, as upon authentication it returns $_SERVER['REMOTE_USER'].

 

I ran another script to output the "NAMES" (usernames) and the "FULL_NAMES" (full names in Active Directory), and it indicated that "JoeSmith" was index 105, so I go with that for this question as a reference point. (Here is a snippet of the code.)

 

$server = ntuser_getdomaincontroller();
$users = ntuser_getuserlist($server);
echo $users["105"]["FULL_NAME"];

 

e.g. Here is a bit of the code output after the AD query using PHP:

 

    users["105"] = Array
        * users["105"]["NAME"] = JoeSmith
        * users["105"]["FULL_NAME"] = Joe Smith
        * users["105"]["COMMENT"] = Systems Administrator

 

So how can I determine that "JoeSmith" is in fact index #105? How do I index the multi-dimensional array $users to figure out that I want 105, as in $users[105]["NAME"] = JoeSmith?

 

Assuming I don't know what the index is, how do I figure that out? That is the question.

 

I appreciate your help.

 

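The lookup the question asks for, as an added example that is not code from the original post: walk the array once and return the key of the entry whose NAME matches. The $users array below is a constructed stand-in with the same shape as the list printed above, so the example runs without the user-list call; the account-name comparison is case-insensitive because Windows logon names are, and a leading "DOMAIN\" (what REMOTE_USER carries when SSPIOmitDomain is off) is stripped before comparing.

```php
<?php
// Added example, not code from the original post. $users is a constructed
// stand-in with the same shape as the list printed in the question.

$users = [
    103 => ['NAME' => 'Administrator', 'FULL_NAME' => 'Administrator', 'COMMENT' => 'Built-in account'],
    104 => ['NAME' => 'jdoe',          'FULL_NAME' => 'Jane Doe',      'COMMENT' => 'Help Desk'],
    105 => ['NAME' => 'JoeSmith',      'FULL_NAME' => 'Joe Smith',     'COMMENT' => 'Systems Administrator'],
];

/** Strip a "DOMAIN\" prefix and lower-case, so "MYDOMAIN\JoeSmith" and "joesmith" compare equal. */
function normalize_account_name(string $value): string
{
    $pos = strrpos($value, '\\');
    if ($pos !== false) {
        $value = substr($value, $pos + 1);
    }
    return strtolower($value);
}

/**
 * Index of the entry whose $field equals $value, or null when there is none.
 * Linear scan: fine for one lookup per request; see build_name_index() for many.
 */
function find_user_index(array $users, string $value, string $field = 'NAME'): ?int
{
    $wanted = normalize_account_name($value);
    foreach ($users as $index => $entry) {
        if (isset($entry[$field]) && normalize_account_name($entry[$field]) === $wanted) {
            return (int) $index;
        }
    }
    return null;
}

/**
 * Reverse map, lowercase NAME => index, built once for repeated lookups.
 * A duplicate NAME would silently overwrite the earlier index, so it is
 * reported instead of being swallowed: the list is expected to be unique.
 */
function build_name_index(array $users): array
{
    $map = [];
    foreach ($users as $index => $entry) {
        if (!isset($entry['NAME'])) {
            continue;
        }
        $key = strtolower($entry['NAME']);
        if (isset($map[$key])) {
            throw new RuntimeException("duplicate account name '{$entry['NAME']}' at indexes {$map[$key]} and $index");
        }
        $map[$key] = (int) $index;
    }
    return $map;
}

// Who just authenticated? Falls back to a constructed value when run outside Apache.
$remoteUser = $_SERVER['REMOTE_USER'] ?? 'MYDOMAIN\\JoeSmith';
$index = find_user_index($users, $remoteUser);
if ($index === null) {
    echo "No directory entry for $remoteUser\n";
} else {
    echo $users[$index]['FULL_NAME'], " is index $index\n";
}

$byName = build_name_index($users);
var_dump($byName[normalize_account_name($remoteUser)] ?? null);
```

With the constructed array, both lookups for MYDOMAIN\JoeSmith resolve to 105. The reverse map is the better shape when the same list is consulted for every request, since it turns each lookup into a hash access; the duplicate check matters because two entries with the same NAME would otherwise make the result depend on array order.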

Thanks for that; you are correct, I can traverse the array until I find a match.

 

After more time working with mod_auth_SSPI I found that it is not as flexible or reliable as I had thought. For example, ...

 

<Location />
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
SSPIDomain mydomain
AuthName "A Protected Place"
require valid-user
</Location>

 

...worked, but...

 

<Location /http/>
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
SSPIDomain mydomain
AuthName "A Protected Place"
require valid-user
</Location>

 

...would not work; it would not require authentication for that directory.

 

I found a script that someone else wrote and adapted it for testing, and found that for me this works very well for basic authentication against Active Directory using the PHP LDAP extension.

 

<?php

error_reporting(1);
session_start();

// Send the Basic challenge and stop; the browser re-prompts and PHP fills PHP_AUTH_USER / PHP_AUTH_PW.
function authenticate() {
    header('WWW-Authenticate: Basic realm="Active Directory Login"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Sorry, you must login using the correct user and pass.';
    // $PHP_SELF only existed with register_globals; read it from $_SERVER and escape it for HTML.
    echo '<br><br><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?logout=1">Click here</a> to try again.';
    exit;
}

$logout = isset($_GET['logout']) && $_GET['logout'] == 1;

if (!isset($_SERVER['PHP_AUTH_USER']) || ($logout && isset($_SESSION['user']) && isset($_SESSION['domain']))) {
    session_unset();
    authenticate();
} else {
    $_SESSION["domain"] = $domain = 'MYDOMAIN';
    $_SESSION["user"] = strtoupper($_SERVER["PHP_AUTH_USER"]);
    $_SESSION["password"] = $_SERVER["PHP_AUTH_PW"];   // kept as posted; nothing below reads it back from the session
    $LDAPServerAddress1 = "192.168.1.xxx";
    $LDAPServerAddress2 = "192.168.1.xxx";
    $LDAPServerPort = "389";
    $LDAPServerTimeOut = "60";
    $LDAPContainer = "dc=mydomain,dc=com";
    $BIND_username = "mydomain\\authaccountuser";
    $BIND_password = "authaccountpass";
    // Escape the user-supplied name so it cannot alter the filter (e.g. "*" or ")(objectClass=*").
    $filter = "(sAMAccountName=" . ldap_escape($_SESSION["user"], '', LDAP_ESCAPE_FILTER) . ")";
    $login_error_code = 0;

    // ldap_connect() only prepares a handle and does not open the socket, so the second address is
    // never tried by this ||; the first real round trip is the ldap_bind() below.
    if (($ds = ldap_connect($LDAPServerAddress1)) || ($ds = ldap_connect($LDAPServerAddress2))) {
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

        // First bind with the service account, only to look up the user's DN.
        if ($r = ldap_bind($ds, $BIND_username, $BIND_password)) {
            if ($sr = ldap_search($ds, $LDAPContainer, $filter, array('distinguishedName'))) {
                // ldap_get_entries() returns array('count' => 0) when nothing matched, which is still
                // truthy, so test the count rather than the array itself.
                if (($info = ldap_get_entries($ds, $sr)) && $info['count'] > 0) {
                    $BIND_username = $info[0]['distinguishedname'][0];
                    $BIND_password = $_SERVER["PHP_AUTH_PW"];
                    // Second bind as the user proves the password. An empty password would turn this
                    // into an anonymous bind, which AD accepts, so refuse it explicitly.
                    if ($BIND_password !== '' && ($r2 = ldap_bind($ds, $BIND_username, $BIND_password))) {
                        if ($sr2 = ldap_search($ds, $LDAPContainer, $filter, array("givenName", "sn", "mail", "displayName"))) {
                            if (($info2 = ldap_get_entries($ds, $sr2)) && $info2['count'] > 0) {
                                $_SESSION["name"] = $info2[0]["givenname"][0] . " " . $info2[0]["sn"][0];
                                $_SESSION["email"] = $info2[0]["mail"][0];
                                $_SESSION["displayname"] = $info2[0]["displayname"][0];
                            } else {
                                $login_error = "Could not read entries"; $login_error_code = 1;
                            }
                        } else {
                            $login_error = "Could not search"; $login_error_code = 2;
                        }
                    } else {
                        $login_error = "User password incorrect"; $login_error_code = 3;
                    }
                } else {
                    $login_error = "User name not found"; $login_error_code = 4;
                }
            } else {
                $login_error = "Could not search"; $login_error_code = 5;
            }
        } else {
            $login_error = "Could not bind"; $login_error_code = 6;
        }
    } else {
        $login_error = "Could not connect"; $login_error_code = 7;
    }

    if ($login_error_code > 0) {
        authenticate();
    } else {
        echo 'Welcome ' . htmlspecialchars($_SESSION["displayname"]);
        echo '<br><br><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?logout=1">Click here</a> to logout and try again.';
    }
}

?>

 

I cannot for the life of me find the original site, but above is the code I finally completed, and it works very well on my domain. Disabled accounts will not authenticate, a very nice aspect. You must of course have the correct user / pass. I forced the domain, and I have two domain controllers, so I did not need to add more.
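The same bind-as-service-account, look up the DN, rebind-as-the-user flow as an added example (not the poster's script and not from any library), written the way I would want it reviewed. It closes the points that bite this pattern in practice: an empty password makes the second bind anonymous and AD accepts it; the username has to be escaped before it goes into a filter; ldap_connect() does not open a socket, so fail-over to a second controller has to happen at bind time; and the reason a bind failed (bad password, disabled, locked out, must-change-password) is only in AD's diagnostic message, which is how "disabled accounts will not authenticate" shows up. Assumptions: the server URIs, base DN and service-account DN are placeholders; PHP 7.1 or later for LDAP_OPT_DIAGNOSTIC_MESSAGE and ldap_escape(); the web side is served over TLS, since Basic auth sends the domain password in clear; ldaps:// requires the web host to trust the controllers' certificates.

```php
<?php
// Added example, not code from the original post. Server URIs, base DN and the
// service-account DN are placeholders; needs a reachable domain controller to run.
declare(strict_types=1);

// AD sub-codes that appear as "data 52e" etc. in the bind diagnostic message.
const AD_BIND_ERRORS = [
    '525' => 'user not found',   '52e' => 'invalid credentials',
    '532' => 'password expired', '533' => 'account disabled',
    '701' => 'account expired',  '773' => 'user must reset password',
    '775' => 'account locked out',
];

/**
 * Bound handle to the first controller that answers, or null. ldap_connect() only
 * builds a handle, so the bind is the first round trip and the place to fail over.
 */
function ad_connect(array $serverUris, string $bindDn, string $bindPw, int $timeout = 5)
{
    foreach ($serverUris as $uri) {
        $ds = ldap_connect($uri);
        if ($ds === false) {
            continue;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);            // AD sends referrals for searches at the domain root
        ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, $timeout);
        // Plain ldap:// would carry both passwords in clear; insist on StartTLS there.
        if (strpos($uri, 'ldaps://') !== 0 && !@ldap_start_tls($ds)) {
            ldap_unbind($ds);
            continue;
        }
        if (@ldap_bind($ds, $bindDn, $bindPw)) {
            return $ds;
        }
        ldap_unbind($ds);
    }
    return null;
}

/** Map "... data 533, v1db1" style diagnostics to a readable reason. */
function ad_bind_error(string $diag): string
{
    if (preg_match('/data ([0-9a-f]{3})/i', $diag, $m)) {
        return AD_BIND_ERRORS[strtolower($m[1])] ?? 'bind failed (data ' . $m[1] . ')';
    }
    return 'bind failed';
}

/** Authenticate $user/$pass against AD: ['ok' => bool, 'error' => string, 'user' => array]. */
function ad_authenticate(string $user, string $pass, array $serverUris, string $baseDn,
                         string $bindDn, string $bindPw): array
{
    // Empty password => ldap_bind() does an anonymous bind, which AD accepts: any known name would log in.
    if ($pass === '') {
        return ['ok' => false, 'error' => 'empty password', 'user' => []];
    }
    // Conservative whitelist for sAMAccountName (loosen if your names use other characters);
    // ldap_escape() below is the real filter-injection protection, this is defence in depth.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $user)) {
        return ['ok' => false, 'error' => 'malformed username', 'user' => []];
    }
    $ds = ad_connect($serverUris, $bindDn, $bindPw);
    if ($ds === null) {
        return ['ok' => false, 'error' => 'no domain controller reachable', 'user' => []];
    }
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))', ldap_escape($user, '', LDAP_ESCAPE_FILTER));
    $sr = ldap_search($ds, $baseDn, $filter, ['distinguishedName', 'givenName', 'sn', 'mail', 'displayName']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    if ($entries === false || $entries['count'] !== 1) {   // 0 matches is still a truthy array
        ldap_unbind($ds);
        return ['ok' => false, 'error' => 'user not found', 'user' => []];
    }
    $e = $entries[0];
    // Rebind as the user. ldap_bind() is false for bad password, disabled and locked accounts alike;
    // the AD data code in the diagnostic message tells them apart (that is the "disabled" case).
    if (!@ldap_bind($ds, $e['distinguishedname'][0], $pass)) {
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        ldap_unbind($ds);
        return ['ok' => false, 'error' => ad_bind_error($diag), 'user' => []];
    }
    ldap_unbind($ds);
    // Only attributes are handed back; the password is never stored anywhere.
    return ['ok' => true, 'error' => '', 'user' => [
        'dn'          => $e['distinguishedname'][0],
        'name'        => trim(($e['givenname'][0] ?? '') . ' ' . ($e['sn'][0] ?? '')),
        'email'       => $e['mail'][0] ?? '',
        'displayname' => $e['displayname'][0] ?? $user,
    ]];
}

// Usage under HTTP Basic auth; the bind password comes from the environment, not the source file.
$result = ad_authenticate($_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '',
    ['ldaps://dc1.mydomain.com', 'ldaps://dc2.mydomain.com'], 'dc=mydomain,dc=com',
    'CN=svc-web-ldap,OU=Service Accounts,DC=mydomain,DC=com', getenv('LDAP_BIND_PW') ?: '');
```

On success, put $result['user'] in the session and nothing else; on failure, log $result['error'] server-side and send the generic 401 challenge, since telling the client "account disabled" versus "invalid credentials" confirms which usernames exist. The objectClass=user term and the count === 1 check keep a filter that unexpectedly matches more than one object from binding as whichever entry came first.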
