BrianAbbott Posted January 10, 2008

I don't quite know how to phrase this question... I am working with authentication against AD using mod_auth_SSPI and it does meet my needs as it returns upon authentication $_SERVER['REMOTE_USER']. I ran another script to output the "NAMES" (usernames) and the "FULL_NAMES" (full names in Active Directory) and it indicated that "JoeSmith" was index 105, so I go with that for this question as a reference point. (Here is a snippet of the code.)

$server = ntuser_getdomaincontroller();
$users = ntuser_getuserlist($server);
echo $users["105"]["FULL_NAME"];

Here is a bit of the code output after the AD query using PHP:

users["105"] = Array
* users["105"]["NAME"] = JoeSmith
* users["105"]["FULL_NAME"] = Joe Smith
* users["105"]["COMMENT"] = Systems Administrator

So how can I determine that "JoeSmith" is in fact index #105? How do I index the multi-dimensional array $users to figure out that I want 105, as in $users[105]["NAME"] = JoeSmith? Assuming I don't know what the index is, how do I figure that out is the question. I appreciate your help.
teng84 Posted January 10, 2008

foreach($users as $key => $val){
    echo $key;                                  // outer key is the index (e.g. 105)
    foreach($users[$key] as $key2 => $val2){
        echo $key2 . $val2;                     // field name followed by its value
    }
} // you can get all the values by modifying that a little
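To turn the traversal above into an actual lookup, here is an added example (my own code, not part of teng84's reply or of the ntuser extension). It walks the $users listing from the question, returns the index whose NAME matches the account name, and also builds a NAME-to-index map for repeated lookups. The $users array is a constructed stand-in for what ntuser_getuserlist() returns, and find_user_index() and build_name_index() are my own helper names.

```php
<?php
// Added example, not from the original thread. The $users array below is a
// constructed sample shaped like the ntuser_getuserlist() output in the question.

// Return the index of the entry whose NAME equals $name, or null when absent.
// Windows account names are case-insensitive, so compare with strcasecmp().
function find_user_index(array $users, string $name): ?int
{
    foreach ($users as $index => $entry) {
        if (isset($entry['NAME']) && strcasecmp($entry['NAME'], $name) === 0) {
            return (int) $index;
        }
    }
    return null;
}

// Build a lower-cased NAME => index map once; cheaper than a linear scan when
// many REMOTE_USER values are resolved against the same listing.
function build_name_index(array $users): array
{
    $map = [];
    foreach ($users as $index => $entry) {
        if (isset($entry['NAME'])) {
            $map[strtolower($entry['NAME'])] = (int) $index;
        }
    }
    return $map;
}

// REMOTE_USER carries a DOMAIN\ prefix unless SSPIOmitDomain is on, so strip it.
function account_from_remote_user(string $remoteUser): string
{
    $pos = strrpos($remoteUser, '\\');
    return $pos === false ? $remoteUser : substr($remoteUser, $pos + 1);
}

// Constructed sample with the same keys the question shows.
$users = [
    104 => ['NAME' => 'Administrator', 'FULL_NAME' => 'Administrator', 'COMMENT' => 'Built-in account'],
    105 => ['NAME' => 'JoeSmith',      'FULL_NAME' => 'Joe Smith',     'COMMENT' => 'Systems Administrator'],
    106 => ['NAME' => 'Guest',         'FULL_NAME' => 'Guest',         'COMMENT' => 'Built-in account'],
];

$account = account_from_remote_user('MYDOMAIN\\JoeSmith');

$index = find_user_index($users, $account);
if ($index !== null) {
    echo $index, ': ', $users[$index]['FULL_NAME'], PHP_EOL;
} else {
    echo 'not found', PHP_EOL;
}

$map = build_name_index($users);
$key = strtolower($account);
echo isset($map[$key]) ? $map[$key] : 'not found', PHP_EOL;
```

In practice the listing is keyed by position, so the index is only meaningful for that one call of ntuser_getuserlist(); resolve the name each time rather than storing 105 anywhere.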
BrianAbbott Posted January 10, 2008

Thanks for that, you are correct, I can traverse the array until I find a match. After more time I was working with mod_auth_SSPI and I found that it is not as flexible or reliable as I had thought. For example,...

<Location />
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    SSPIOmitDomain On
    SSPIDomain mydomain
    AuthName "A Protected Place"
    require valid-user
</Location>

...worked but...

<Location /http/>
    AuthType SSPI
    SSPIAuth On
    SSPIAuthoritative On
    SSPIOfferBasic On
    SSPIOmitDomain On
    SSPIDomain mydomain
    AuthName "A Protected Place"
    require valid-user
</Location>

...would not work; it would not require authentication for that directory.

I found a script that someone else wrote and adapted it for testing, and found that for me this works very well for basic authentication against Active Directory using the PHP LDAP extension.

<?php
error_reporting(1);
session_start();

function authenticate() {
    header('WWW-Authenticate: Basic realm="Active Directory Login"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Sorry, you must login using the correct user and pass.';
    echo '<br><br><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?logout=1">Click here</a> to try again.';
    exit;
}

if (!isset($_SERVER['PHP_AUTH_USER'])
    || (isset($_GET['logout']) && $_GET['logout'] == 1 && isset($_SESSION['user']) && isset($_SESSION['domain']))) {
    session_unset();
    authenticate();
} else {
    $_SESSION["domain"] = $domain = 'MYDOMAIN';
    $_SESSION["user"] = strtoupper($_SERVER["PHP_AUTH_USER"]);
    $_SESSION["password"] = $_SERVER["PHP_AUTH_PW"];

    $LDAPServerAddress1 = "192.168.1.xxx";
    $LDAPServerAddress2 = "192.168.1.xxx";
    $LDAPServerPort = "389";
    $LDAPServerTimeOut = "60";
    $LDAPContainer = "dc=mydomain,dc=com";
    $BIND_username = "mydomain\\authaccountuser";
    $BIND_password = "authaccountpass";
    // escape the user-supplied name so it cannot change the search filter (ldap_escape() needs PHP 5.6+)
    $filter = "(sAMAccountName=" . ldap_escape($_SESSION["user"], '', LDAP_ESCAPE_FILTER) . ")";
    $login_error_code = 0;

    // ldap_connect() only checks the host string and returns a handle; the TCP connection
    // happens at the first bind, so the second address is only tried for an invalid string
    if (($ds = ldap_connect($LDAPServerAddress1)) || ($ds = ldap_connect($LDAPServerAddress2))) {
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        // bind with the service account to look up the user's DN
        if ($r = ldap_bind($ds, $BIND_username, $BIND_password)) {
            if ($sr = ldap_search($ds, $LDAPContainer, $filter, array('distinguishedName'))) {
                // ldap_get_entries() returns a non-empty array even for zero hits, so check count
                if (($info = ldap_get_entries($ds, $sr)) && $info['count'] > 0) {
                    $BIND_username = $info[0]['distinguishedname'][0];
                    $BIND_password = $_SERVER["PHP_AUTH_PW"];
                    // an empty password makes ldap_bind() an unauthenticated bind, which the
                    // directory accepts without checking anything, so treat it as a wrong password
                    if ($BIND_password !== '' && ($r2 = ldap_bind($ds, $BIND_username, $BIND_password))) {
                        if ($sr2 = ldap_search($ds, $LDAPContainer, $filter, array("givenName", "sn", "mail", "displayName"))) {
                            if (($info2 = ldap_get_entries($ds, $sr2)) && $info2['count'] > 0) {
                                $_SESSION["name"] = $info2[0]["givenname"][0] . " " . $info2[0]["sn"][0];
                                $_SESSION["email"] = $info2[0]["mail"][0];
                                $_SESSION["displayname"] = $info2[0]["displayname"][0];
                            } else {
                                $login_error = "Could not read entries";
                                $login_error_code = 1;
                            }
                        } else {
                            $login_error = "Could not search";
                            $login_error_code = 2;
                        }
                    } else {
                        $login_error = "User password incorrect";
                        $login_error_code = 3;
                    }
                } else {
                    $login_error = "User name not found";
                    $login_error_code = 4;
                }
            } else {
                $login_error = "Could not search";
                $login_error_code = 5;
            }
        } else {
            $login_error = "Could not bind";
            $login_error_code = 6;
        }
    } else {
        $login_error = "Could not connect";
        $login_error_code = 7;
    }

    if ($login_error_code > 0) {
        authenticate();
    } else {
        echo 'Welcome ' . htmlspecialchars($_SESSION["displayname"]);
        echo '<br><br><a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?logout=1">Click here</a> to logout and try again.';
    }
}
?>

I cannot for the life of me find the original site, but above is the code I finally completed and it works very well on my domain. Disabled accounts will not authenticate, a very nice aspect. You must of course have the correct user / pass. I forced the domain and I have two domain controllers so I did not need to add more.
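The script above does the two-step service-bind-then-user-bind dance that most PHP/AD setups use. The parts that decide whether the second bind can be trusted are worth isolating, so here is an added example (my own code, not from the post or from the script's original author) of the three checks that belong in front of the user bind: escaping the account name into the filter, refusing an empty password, and reading the count that ldap_get_entries() returns before using an entry's DN. It runs without a directory: the $sample array is a constructed copy of an ldap_get_entries() result, and the function names are my own.

```php
<?php
// Added example, not from the original thread. Nothing here talks to a server;
// the entries below are a constructed copy of what ldap_get_entries() returns.

// Build the sAMAccountName filter with the user-supplied value escaped, so a
// login such as "*)(objectClass=*" is matched literally instead of rewriting
// the search.
function build_account_filter(string $username): string
{
    return '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

// Credentials that must never reach ldap_bind(): an empty password turns the
// request into an unauthenticated bind (RFC 4513 section 5.1.2), which Active
// Directory answers with success even though no password was verified.
function credentials_usable(string $username, string $password): bool
{
    if ($username === '' || trim($username) === '') {
        return false;
    }
    if ($password === '' || trim($password) === '') {
        return false;
    }
    return true;
}

// ldap_get_entries() returns ['count' => N, 0 => entry, ...]. An array with
// count 0 is still truthy, so test the count explicitly, and insist on exactly
// one hit before handing its DN to the user bind.
function single_entry_dn(array $entries): ?string
{
    if (!isset($entries['count']) || $entries['count'] !== 1) {
        return null;
    }
    $dn = $entries[0]['dn'] ?? ($entries[0]['distinguishedname'][0] ?? null);
    return (is_string($dn) && $dn !== '') ? $dn : null;
}

// Constructed sample shaped like an ldap_get_entries() result with one user.
$sample = [
    'count' => 1,
    0 => [
        'count' => 1,
        'dn' => 'CN=Joe Smith,OU=Staff,DC=mydomain,DC=com',
        'distinguishedname' => ['count' => 1, 0 => 'CN=Joe Smith,OU=Staff,DC=mydomain,DC=com'],
        0 => 'distinguishedname',
    ],
];
$none = ['count' => 0];

var_dump(build_account_filter('JoeSmith'));
var_dump(build_account_filter('*)(objectClass=*'));
var_dump(credentials_usable('JoeSmith', ''));
var_dump(credentials_usable('JoeSmith', 'correct horse'));
var_dump(single_entry_dn($sample));
var_dump(single_entry_dn($none));
```

Wire these in so that credentials_usable() is checked before the service bind (no point searching for a login that will be rejected anyway), build_account_filter() feeds ldap_search(), and single_entry_dn() decides whether the user bind happens at all; when it returns null the request falls through to the same 401 path the script uses for a wrong password.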