how to read usergroup(s) with php
July 15th, 2004, 04:30 AM
Registered User
how to read usergroup(s) with php
What I would like to do is to make a login script and then redirect the user to a specific page (based on the usergroup(s) he belongs to). The logging in is no problem, but I cannot find anything about reading/finding the usergroup the person belongs to.
Could be that I am looking in the wrong direction, because I cannot find info on this on the web.
Could anyone point me in the right direction or tell me how to find the usergroup? If so I can then make a redirect to the right page.

July 15th, 2004, 11:21 AM
Psycho Canadian
More info, we need more info.

July 16th, 2004, 02:46 AM
Registered User
What kind of info do you need?
I was working with PHP LDAP ADMIN and I got the idea to build a sort of portal. You log in and based on your credentials you would be redirected to a certain page (or give the user links to pages we want him/his usergroup to see).
Anyway I am now studying the whole PHP LDAP ADMIN scripts, because it is in there somewhere. Took me some time to get it working, but I now took out the logging in part and made a new script with it.
I think I have also found the page that does the search for (or displays) the usergroup (edit.php?) so I am trying to get parts of that working in my scripts as well.
I myself have tried searching for memberOf and get_object_attr, but I could not get it to work. I don't know if I am looking for the right items and I cannot really find a description of how to do it on the web (for ASP I have, but not for PHP). I'll post some parts of my script later on, because I've got an appointment in a few minutes.

July 16th, 2004, 07:43 AM
Chris Larivee
More info would at least refer to the vendor who is providing your LDAP services. If you are using static groups in AD you can do a memberOf query for the user when they log in to retrieve the group membership.
Since you have tried that - be sure that you bind with appropriate credentials. If you are not using AD - which may be your problem - let us know the LDAP vendor ...

July 18th, 2004, 11:03 AM
Registered User
Hi, thanks for helping. I do not really know what a vendor is, but I guess you mean something like OpenLDAP (?).
We do have an Active Directory (Win2K server), domain: dc=samba,dc=local. I made a few simple php scripts and I can make a connection and do a bind (so ldap is installed?). I did not install any LDAP on the server, could it be that this was installed automatically during the installation of AD?
Anyway, with these simple scripts the logging in and binding goes well, my script says it has a bind, but then the search goes wrong (it won't give any results). Could it be that dc=samba,dc=local is alright for logging in and binding, but is wrong for searching?
When I use phpldapadmin and open the search page I can find all information of our AD (including a member of list for the users). So I am now trying to get more info out of the scripts that phpldapadmin uses, I do not know exactly what to look for.
Is there any more info somewhere on the web about this? I haven't found a tutorial or script that does what I want to do.
I'll post more info tomorrow when I am at work.

July 18th, 2004, 11:14 PM
Psycho Canadian
Can you post the PHP code that you are logging in with? It could be a simple misspelling. Because phpLDAPAdmin uses PHP 

July 19th, 2004, 03:45 AM
Registered User
I changed a few things this morning and I can find my users and some of their info with the script below.
PHP Code:
<?php
// make connection
$ds = ldap_connect("ldap://Amr-czcvoqtf9qi:389");
echo "connect result is ".$ds."<p>";
// when connection is established
if ($ds) {
    // bind with server
    // $r = ldap_bind($ds, "USER", "PASSWORD");
    // echo "Bind result is ".$r."<p>";
    // bind with the credentials from the login form on the other page
    $user = $_POST['user'];
    $pass = $_POST['pwd'];
    $r = ldap_bind($ds, $user, $pass);
    echo "Bind result is ".$r."<p>";
    // find user entries
    $sr = ldap_search($ds, "CN=Users,DC=samba,dc=local", "(sn=*)");
    echo "Search result is ".$sr."<p>";
    // show the number of results
    echo "Number of entries returned is ".ldap_count_entries($ds, $sr)."<p>";
    echo "Getting entries ...<p>";
    // display info found
    $info = ldap_get_entries($ds, $sr);
    echo "Data for ".$info["count"]." items returned:<p>";
    // loop over the users
    for ($i = 0; $i < $info["count"]; $i++) {
        echo "dn is: ".$info[$i]["dn"]."<br>";
        echo "first cn entry is: ".$info[$i]["cn"][0]."<br>";
        echo "mail: ".$info[$i]["mail"][0]."<p>";
    }
    // close connection
    echo "Closing connection";
    ldap_close($ds);
}
?>
I can now display user dn, cn and his mail. When I open the user properties in Softerra LDAP Browser, I can see many more attributes to the user (which is quite logical). But if I add one of them to my script ( echo "given name: ". $info[$i]["givenName"][0] ."<br>"; ) I get an error saying "Undefined index: givenName".
Why does this work for mail, cn and dn (sn works as well), but not for givenName and memberOf? Or am I doing something wrong in my script?
EDIT:
I just added ldap_get_attributes to my script, this shows me there are 48 attributes when I log in, including memberOf and givenName.

July 19th, 2004, 09:42 AM
Registered User
I changed several things this afternoon and it works!
The memberOf attribute has to be written with lowercase letters, which I also tried this morning. BUT, this morning I accidentally logged in with a username that was only member of one group. I guess it failed because PHP does not show the primary group.
This is my script the way it is now (could be helpful for somebody else and others can still come up with improvements):
PHP Code:
<?php
echo "<font face=arial size=2>";
// make connection
$ds = ldap_connect("ldap://Amr-czcvoqtf9qi:389");
echo "<B>Verbinden met ldap server</b><br>";
// when connection is established
if ($ds) {
    // auto login and bind
    // $r = ldap_bind($ds, "USER", "PASSWORD");
    // echo "Bind result is ".$r."<br>";
    // bind from loginform on other page
    $user2 = $_POST['user'];
    $user3 = "@samba.local";
    $user = $user2.$user3;
    $pass = $_POST['pwd'];
    $r = ldap_bind($ds, $user, $pass);
    echo "Resultaat van verbinding: ".$r."<br>";
    echo "<BR>Ingelogd met:<B>";
    echo htmlspecialchars($user); // form input, so escape it for HTML
    echo "</b><p>";
    // find user entries (form value escaped for use in the filter)
    $sr = ldap_search($ds, "CN=Users,DC=samba,DC=local", "(sAMAccountName=".ldap_escape($user2, "", LDAP_ESCAPE_FILTER).")");
    echo "Zoekresultaat (id 2 is okee): ".$sr."<br>";
    // return results
    echo "Aantal gevonden users: ".ldap_count_entries($ds, $sr)."<p>";
    echo "Ophalen van users: <p>";
    // display info found
    $info = ldap_get_entries($ds, $sr);
    echo "Aantal resultaten: ".$info["count"];
    echo "<hr noshade width=400 height=1 align=left>";
    // loop for users
    for ($i = 0; $i < $info["count"]; $i++) {
        echo "<b> ".$info[$i]["dn"]."<br></b>";
        echo "first cn entry is: ".$info[$i]["cn"][0]."<br>";
        echo "sn: ".$info[$i]["sn"][0]."<br>";
        echo "displayname: ".$info[$i]["displayname"][0]."<br>";
        echo "member of: ".$info[$i]["memberof"][0]."<br>";
        echo "given name: ".$info[$i]["givenname"][0]."<br>";
        echo "exchange: ".$info[$i]["mail"][0]."<p>";
        echo "<hr noshade width=400 height=1 align=left>";
    }
    // show all possible attributes for logged in user
    $entry = ldap_first_entry($ds, $sr);
    $attrs = ldap_get_attributes($ds, $entry);
    echo $attrs["count"]." attributes held for this entry:<p>";
    for ($i = 0; $i < $attrs["count"]; $i++) {
        echo $attrs[$i]."<br />";
    }
    // close connection
    echo "Verbinding verbroken";
    ldap_close($ds);
}
?>
I took out the Dutch commentary from the script, don't think you'll understand anyway. I now login via a form and the script only searches for attributes for the user that logged in.
I'll make a memberof loop to display all user groups tomorrow morning and will then also try to make the redirection part that I was aiming for anyway.
If you have any suggestions or improvements, you are free to post them here. I will post more parts of my scripts tomorrow or later this week. Thanks so far for your help!

July 19th, 2004, 09:57 AM
Psycho Canadian
Yep, they all have to be lower case because it's converted to an array.
Quote, originally posted by PHP Manual (ldap_get_entries):
"The attribute index is converted to lowercase. (Attributes are case-insensitive for directory servers, but not when used as array indices.)"

July 20th, 2004, 03:53 AM
Registered User
Stupid coincidence that I logged in with a user who was only in one group, we added him to a second group and it now also works for him, which is logical.
I am now working on looping through the memberof attributes and will then try to make an if statement to redirect the user.

July 23rd, 2004, 04:25 AM
Registered User
Hi, the script is working fine so far, except for a small error (probably because of not displaying the primary group, so the script misses one result???).
PHP Code:
<?php
// headers have to be sent before any page output
header("Cache-control: private, no-cache");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // past date
header("Pragma: no-cache");
?>
<html><head><title>Login Demo</title>
<meta http-equiv="Pragma" content="no-cache">
<meta name="robots" content="noindex,nofollow">
</head>
<body bgcolor="#FFFFFF">
<?php
echo "<font face=arial size=2><center>";
// ldap connection
$ds = ldap_connect("OUR SERVER:389");
// if connected try to bind user to ldap server
if ($ds) {
    // get user from form and complete full samaccountname
    $user2 = $_POST['user'];
    $user3 = "@samba.local";
    $user = $user2.$user3;
    $pass = $_POST['pwd'];
    $r = ldap_bind($ds, $user, $pass);
    // user does not exist, redirect him
    if (!$r) {
        echo "<script language=\"JavaScript\" type=\"text/javascript\">\n";
        echo "<!--\n";
        echo "top.main.location.href = 'http://www.walram3.nl';\n";
        echo "//-->\n";
        echo "</script>\n";
    }
    // find record of logged in user (form value escaped for use in the filter)
    $sr = ldap_search($ds, "CN=Users,DC=samba,DC=local", "(sAMAccountName=".ldap_escape($user2, "", LDAP_ESCAPE_FILTER).")");
    echo "<hr noshade width=400 height=1 align=center>";
    echo "<BR><B>Loading page!</b><BR>";
    // get memberof info for this user
    $info = ldap_get_entries($ds, $sr);
    $ii = 0;
    for ($i = 0; $ii < $info[$i]["count"]; $ii++) {
        $data = $info[$i][$ii];
        if ($data == "memberof") {
            $total_memberof = count($info[$i][$data]);
            $total = 0;
            $total = count($info[$i][$data]);
            $jj = 0;
            for ($jj = 0; $jj < $total; $jj++) {
                // if member of mail
                if ($info[$i][$data][$jj] == "CN=mail,CN=Users,DC=samba,DC=local") {
                    echo "<script language=\"JavaScript\" type=\"text/javascript\">\n";
                    echo "<!--\n";
                    echo "top.main.location.href = 'http://www.maillink.com';\n";
                    echo "//-->\n";
                    echo "</script>\n";
                // if member of staff
                } elseif ($info[$i][$data][$jj] == "CN=staff,CN=Users,DC=samba,DC=local") {
                    echo "<script language=\"JavaScript\" type=\"text/javascript\">\n";
                    echo "<!--\n";
                    echo "top.main.location.href = 'http://stafflink';\n";
                    echo "//-->\n";
                    echo "</script>\n";
                // if member of both staff and mail
                } elseif ($info[$i][$data][$jj] == "CN=both,CN=Users,DC=samba,DC=local") {
                    echo "<script language=\"JavaScript\" type=\"text/javascript\">\n";
                    echo "<!--\n";
                    echo "top.main.location.href = 'both.htm';\n";
                    echo "//-->\n";
                    echo "</script>\n";
                // if member of noright group
                } elseif ($info[$i][$data][$jj] == "CN=noright,CN=Users,DC=samba,DC=local") {
                    echo "<script language=\"JavaScript\" type=\"text/javascript\">\n";
                    echo "<!--\n";
                    echo "top.main.location.href = 'http://noright';\n";
                    echo "//-->\n";
                    echo "</script>\n";
                // if he is not member of mentioned groups above
                } else {
                    echo "<script language=\"JavaScript\" type=\"text/javascript\">\n";
                    echo "<!--\n";
                    echo "top.main.location.href = 'http://www.walram3.nl';\n";
                    echo "//-->\n";
                    echo "</script>\n";
                }
            }
        }
    }
}
// close connection
// echo "<P>Connection closed";
ldap_close($ds);
?>
</body></html>
I turned off error logging. The page both.htm displays two links where this user is allowed to go. I tried the following code:
PHP Code:
} elseif ((($info[$i][$data][$jj] == "CN=staff,CN=Users,DC=samba,DC=local")) && (($info[$i][$data][$jj] == "CN=mail,CN=Users,DC=samba,DC=local"))){
But instead of opening both.htm my user is redirected to the maillink, which is pretty strange. Does someone have any idea how to solve this?
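
Added example (not written by any poster in this thread), going slightly beyond the question: it treats the memberof values that ldap_get_entries() returns as one set, so the staff-and-mail case is decided once; a single value can never equal two different DNs, which is why the && test above cannot match. The function names and the sample $entries array are assumptions made for the illustration, and the two input helpers cover the form values that the scripts pass to ldap_bind() and into the search filter.

```php
<?php
// Added example, not the poster's code. Group DNs and targets come from the
// thread; $entries is constructed to mimic what ldap_get_entries() returns.

// Refuse blank credentials before ldap_bind(): a simple bind with an empty
// password is an unauthenticated bind, which a server may report as success.
function credentials_usable(string $user, string $pass): bool {
    return trim($user) !== '' && $pass !== '';
}

// Escape a value for an LDAP search filter (RFC 4515). With the ldap
// extension loaded, ldap_escape($v, '', LDAP_ESCAPE_FILTER) does the same job.
function escape_filter_value(string $v): string {
    return preg_replace_callback('/[\\\\*()\x00]/', function ($m) {
        return sprintf('\\%02x', ord($m[0]));
    }, $v);
}

// All memberOf values of the first entry, lowercased for comparison.
function groups_of(array $entries): array {
    $groups = $entries[0]['memberof'] ?? [];   // attribute keys arrive lowercased
    unset($groups['count']);   // count() would otherwise include this key
    return array_map('strtolower', $groups);
}

// Decide once from the whole set instead of testing one value at a time.
function target_for(array $groups): string {
    $staff = in_array('cn=staff,cn=users,dc=samba,dc=local', $groups, true);
    $mail  = in_array('cn=mail,cn=users,dc=samba,dc=local', $groups, true);
    if ($staff && $mail) { return 'both.htm'; }
    if ($mail)  { return 'http://www.maillink.com'; }
    if ($staff) { return 'http://stafflink'; }
    return 'http://www.walram3.nl';
}

// Constructed sample: one user who is a member of both groups.
$entries = ['count' => 1, 0 => [
    'dn' => 'CN=jan,CN=Users,DC=samba,DC=local',
    'memberof' => ['count' => 2,
        0 => 'CN=mail,CN=Users,DC=samba,DC=local',
        1 => 'CN=staff,CN=Users,DC=samba,DC=local'],
]];
var_dump(credentials_usable('jan', ''));                  // blank password
echo '(sAMAccountName=' . escape_filter_value('j*(an)') . ")\n";
echo target_for(groups_of($entries)), "\n";
```

Sending the browser to a page is not access control: each target page still has to check the logged-in user's groups itself.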