  #1 Registered User (Devshed Newbie, joined Jul 2004, near Maastricht)

    how to read usergroup(s) with php


    What I would like to do is to make a login script and then redirect the user to a specific page (based on the usergroup(s) he belongs to). The logging in is no problem, but I cannot find anything about reading/finding the usergroup the person belongs to.

    Could be that I am looking in the wrong direction, because I cannot find info on this on the web.

    Could anyone point me to the right direction or tell me how to find the usergroup? If so I can then make a redirect to the right page.
  #2 Psycho Canadian (Devshed Demi-God, joined Jan 2001, Canada)

  #3 Registered User (Devshed Newbie, joined Jul 2004, near Maastricht)

    What kind of info do you need?

    I was working with PHP LDAP ADMIN and I got the idea to build a sort of portal. You login and based on your credentials you would be redirected to a certain page (or give the user links to pages we want him/his usergroup to see).

    Anyway I am now studying the whole PHP LDAP ADMIN scripts, because it is in there somewhere. Took me some time to get it working, but I now took out the logging in part and made a new script with it.

    I think I have also found the page that does the search for (or displays) the usergroup (edit.php?) so I am trying to get parts of that working in my scripts as well.

    I myself have tried searching for memberOf and get_object_attr, but I could not get it to work. I don't know if I am looking for the right items and I cannot really find a description of how to do it on the web (for asp I have, but not for php). I'll post some parts of my script later on, because I've got an appointment in a few minutes.
  #4 Chris Larivee (Devshed Newbie, joined Sep 2003, Littleton, CO)

    More info would at least refer to the vendor who is providing your ldap services. If you are using static groups in AD you can do a memberOf query for the user when they login to retrieve the group membership.

    Since you have tried that - be sure that you bind with appropriate credentials. If you are not using AD - which may be your problem - let us know the LDAP vendor ...
  #5 Registered User (Devshed Newbie, joined Jul 2004, near Maastricht)

    Hi, thanks for helping. I do not really know what a vendor is, but I guess you mean something like OpenLDAP (?).

    We do have an Active Directory (Win2K server), domain: dc=samba,dc=local. I made a few simple php scripts and I can make a connection and do a bind (so ldap is installed?). I did not install any LDAP on the server, could it be that this was installed automatically during the installation of AD?

    Anyway, with these simple scripts the logging in and binding goes well, my script says it has a bind, but then the search goes wrong (it won't give any results). Could it be that dc=samba,dc=local is alright for logging in and binding, but is wrong for searching?

    When I use phpldapadmin and open the search page I can find all information of our AD (including a member of list for the users). So I am now trying to get more info out of the scripts that phpldapadmin uses, I do not know exactly what to look for.

    Is there any more info somewhere on the web about this? I haven't found a tutorial or script that does what I want to do.

    I'll post more info tomorrow when I am at work.
  #6 Psycho Canadian (Devshed Demi-God, joined Jan 2001, Canada)

    Can you post the PHP code that you are logging in with? It could be a simple misspelling. Because phpLDAPAdmin uses PHP
  #7 Registered User (Devshed Newbie, joined Jul 2004, near Maastricht)

    I changed a few things this morning and I can find my users and some of their info with the script below.

    PHP Code:
    <?php

    // make connection

    $ds = ldap_connect("ldap://Amr-czcvoqtf9qi:389");
    echo "connect result is " . ($ds ? "ok" : "failed") . "<p>";

    // when connection is established

    if ($ds) {

        // bind with server

        // $r = ldap_bind($ds, "USER", "PASSWORD");
        // echo "Bind result is " . $r . "<p>";

        // bind from login form on other page

        $user = isset($_POST['user']) ? $_POST['user'] : '';
        $pass = isset($_POST['pwd']) ? $_POST['pwd'] : '';

        // an empty password would make this an anonymous bind, which AD accepts
        if ($pass === '') {
            die("No password given");
        }

        $r = ldap_bind($ds, $user, $pass);
        echo "Bind result is " . $r . "<p>";

        // find user entries

        $sr = ldap_search($ds, "CN=Users,DC=samba,dc=local", "(sn=*)");
        echo "Search result is " . ($sr ? "ok" : "failed") . "<p>";

        if ($sr) {

            // return results

            echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<p>";
            echo "Getting entries ...<p>";

            // display info found

            $info = ldap_get_entries($ds, $sr);
            echo "Data for " . $info["count"] . " items returned:<p>";

            // loop for users (attribute names are lower case in this array)

            for ($i = 0; $i < $info["count"]; $i++) {
                echo "dn is: " . $info[$i]["dn"] . "<br>";
                echo "first cn entry is: " . $info[$i]["cn"][0] . "<br>";
                echo "mail: " . $info[$i]["mail"][0] . "<p>";
            }
        }

        // close connection

        echo "Closing connection";
        ldap_close($ds);
    }

    ?>
    I can now display user dn, cn and his mail. When I open the user properties in Softerra LDAP Browser, I can see many more attributes to the user (which is quite logical). But if I add one of them to my script ( echo "given name: ". $info[$i]["givenName"][0] ."<br>"; ) I get an error saying "Undefined index: givenName".

    Why does this work for mail, cn and dn (sn works as well), but not for givenName and memberOf? Or am I doing something wrong in my script?

    EDIT:
    I just added ldap_get_attributes to my script, this shows me there are 48 attributes when I log in, including memberOf and givenName.
    Last edited by Viper_SB; July 19th, 2004 at 10:52 AM. Reason: changed i tag to php tag
  #8 Registered User (Devshed Newbie, joined Jul 2004, near Maastricht)

    I changed several things this afternoon and it works!
    The memberOf attribute has to be written with lowercase letters, which I also tried this morning. BUT, this morning I accidentally logged in with a username that was only member of one group. I guess it failed because PHP does not show the primary group.

    This is my script the way it is now (could be helpful for somebody else and others can still come up with improvements):

    PHP Code:
    <?php

    echo "<font face=arial size=2>";

    // make connection

    $ds = ldap_connect("ldap://Amr-czcvoqtf9qi:389");
    echo "<B>Connecting to ldap server</b><br>";

    // when connection is established

    if ($ds) {

        // auto login and bind

        // $r = ldap_bind($ds, "USER", "PASSWORD");
        // echo "Bind result is " . $r . "<br>";

        // bind from login form on other page

        $user2 = isset($_POST['user']) ? $_POST['user'] : '';
        $user3 = "@samba.local";
        $user = $user2 . $user3;

        $pass = isset($_POST['pwd']) ? $_POST['pwd'] : '';

        // an empty password would make this an anonymous bind, which AD accepts
        if ($pass === '') {
            die("No password given");
        }

        $r = @ldap_bind($ds, $user, $pass);
        echo "Bind result: " . $r . "<br>";
        echo "<BR>Logged in as: <B>";
        echo $user;
        echo "</b><p>";

        if (!$r) {
            echo "Bind failed";
            ldap_close($ds);
            exit;
        }

        // find user entries; the form value is escaped before it goes into the
        // filter (ldap_escape() needs PHP 5.6 or later)

        $sr = ldap_search($ds, "CN=Users,DC=samba,DC=local",
                          "(sAMAccountName=" . ldap_escape($user2, '', LDAP_ESCAPE_FILTER) . ")");
        echo "Search result: " . ($sr ? "ok" : "failed") . "<br>";

        // return results

        echo "Number of users found: " . ldap_count_entries($ds, $sr) . "<p>";
        echo "Fetching users: <p>";

        // display info found

        $info = ldap_get_entries($ds, $sr);
        echo "Number of results: " . $info["count"];
        echo "<hr noshade width=400 height=1 align=left>";

        // loop for users (attribute names are lower case in this array)

        for ($i = 0; $i < $info["count"]; $i++) {
            echo "<b> " . $info[$i]["dn"] . "<br></b>";
            echo "first cn entry is: " . $info[$i]["cn"][0] . "<br>";
            echo "sn: " . $info[$i]["sn"][0] . "<br>";
            echo "displayname: " . $info[$i]["displayname"][0] . "<br>";
            echo "member of: " . $info[$i]["memberof"][0] . "<br>";
            echo "given name: " . $info[$i]["givenname"][0] . "<br>";
            echo "exchange: " . $info[$i]["mail"][0] . "<p>";
            echo "<hr noshade width=400 height=1 align=left>";
        }

        // show all possible attributes for logged in user

        $entry = ldap_first_entry($ds, $sr);
        if ($entry) {
            $attrs = ldap_get_attributes($ds, $entry);
            echo $attrs["count"] . " attributes held for this entry:<p>";

            for ($i = 0; $i < $attrs["count"]; $i++) {
                echo $attrs[$i] . "<br />";
            }
        }

        // close connection

        echo "Connection closed";
        ldap_close($ds);
    }

    ?>
    I took out the Dutch commentary from the script, don't think you'll understand anyway. I now login via a form and the script only searches for attributes for the user that logged in.

    I'll make a memberof loop to display all user groups tomorrow morning and will then also try to make the redirection part that I was aiming for anyway.

    If you have any suggestions or improvements, you are free to post them here. I will post more parts of my scripts tomorrow or later this week. Thanks so far for your help!
    Last edited by Viper_SB; July 19th, 2004 at 10:53 AM. Reason: changed i tag to php tag
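The bind-and-lookup step of the script above, written as an added example that is not the poster's code: it refuses the two inputs a login page must never pass to ldap_bind() (an empty password, which Active Directory treats as an anonymous bind and accepts, and a username that could carry filter or DN syntax), escapes the value that goes into the search filter, asks the server only for the attributes the portal needs, and returns the memberOf values as a plain list. Host, base DN and UPN suffix are parameters; the values used in the demo lines are the ones from this thread, the user names are made up, and ldap_escape() needs PHP 5.6 or later.

```php
<?php
// Added example (not the poster's code): the bind-and-lookup step of a login page,
// with the checks the scripts in this thread are missing. Host, base DN and UPN suffix
// are passed in; the demo values at the bottom are taken from the thread.

// Reject input that must never reach ldap_bind(). An empty password turns the bind
// into an anonymous (unauthenticated) bind, which Active Directory accepts, so the
// "login" would succeed for any username. Returns null if the input is acceptable,
// otherwise a short reason.
function check_login_input($user, $pass)
{
    if ($pass === null || $pass === '') {
        return 'empty password (would become an anonymous bind)';
    }
    // sAMAccountName is at most 20 characters and cannot contain these; the pattern
    // also keeps '@', spaces and DN/filter syntax out of the UPN and the filter
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', (string) $user)) {
        return 'invalid username';
    }
    return null;
}

// Build the search filter with the value escaped (ldap_escape() needs PHP 5.6+),
// so a value such as "*)(objectClass=*" cannot rewrite the filter.
function user_filter($sam)
{
    return '(sAMAccountName=' . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . ')';
}

// Bind as the user, then fetch only the attributes the portal needs. Returns an array
// with lower-case keys ('dn', 'displayname', 'memberof' => list of group DNs,
// 'primarygroupid' => int) or null when the credentials are wrong or no entry is found.
function ldap_login($host, $base_dn, $upn_suffix, $user, $pass)
{
    if (check_login_input($user, $pass) !== null) {
        return null;
    }
    $ds = ldap_connect($host);
    if (!$ds) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise stall the search
    if (!@ldap_bind($ds, $user . $upn_suffix, $pass)) {
        ldap_close($ds);
        return null;
    }
    $sr = ldap_search($ds, $base_dn, user_filter($user),
                      array('memberOf', 'primaryGroupID', 'displayName'), 0, 1);
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    ldap_close($ds);
    if (!$entries || $entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0];                               // attribute names are lower case here
    $groups = array();
    if (isset($e['memberof'])) {                    // absent when only the primary group applies
        for ($i = 0; $i < $e['memberof']['count']; $i++) {
            $groups[] = $e['memberof'][$i];
        }
    }
    return array(
        'dn'             => $e['dn'],
        'displayname'    => isset($e['displayname'][0]) ? $e['displayname'][0] : '',
        'memberof'       => $groups,
        'primarygroupid' => isset($e['primarygroupid'][0]) ? (int) $e['primarygroupid'][0] : 0,
    );
}

// Offline demonstration of the checks; the bind itself needs the server.
foreach (array(array('jdoe', ''), array('jdoe@samba.local', 'x'), array('j*)(cn=*', 'x'),
               array('jdoe', 'secret')) as $try) {
    $why = check_login_input($try[0], $try[1]);
    printf("%-22s %s\n", $try[0], $why === null ? 'ok' : 'rejected: ' . $why);
}
echo user_filter('j*)(cn=*') . "\n";   // escaped, not a second filter clause

if (getenv('LDAP_HOST')) {             // e.g. LDAP_HOST=ldap://Amr-czcvoqtf9qi:389
    var_dump(ldap_login(getenv('LDAP_HOST'), 'CN=Users,DC=samba,DC=local', '@samba.local',
                        getenv('LDAP_USER'), getenv('LDAP_PASS')));
}
```

The empty-password check is the one that matters most: with the scripts in this thread, a form submitted with a valid username and a blank password binds anonymously, ldap_bind() returns true, and the user is treated as logged in. The username pattern is deliberately stricter than AD requires; loosen it if your accounts use other characters, but keep '@', '(', ')', '*', '\' and ',' out, or rely on ldap_escape() for the filter and build the bind DN from a separate lookup.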
  #9 Psycho Canadian (Devshed Demi-God, joined Jan 2001, Canada)

    yep they all have to be lower case because it's converted to an array

    Originally Posted by PHP Manual (ldap_get_entries):
        The attribute index is converted to lowercase. (Attributes are case-insensitive for directory servers, but not when used as array indices.)
  #10 Registered User (Devshed Newbie, joined Jul 2004, near Maastricht)

    Stupid coincidence that I logged in with a user who was only in one group, we added him to a second group and it now also works for him, which is logical.

    I am now working on looping through the memberof attributes and will then try to make an if statement to redirect the user.
  #11 Registered User (Devshed Newbie, joined Jul 2004, near Maastricht)

    Hi, the script is working fine so far, except for a small error (probably because of not displaying the primary group, so the script misses one result???).

    PHP Code:
    <?php

    // cache headers have to be sent before any output, so this block comes before the HTML

    header("Cache-control: private, no-cache");
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); # Past date
    header("Pragma: no-cache");

    // write the script that sends the main frame to $url (used for every redirect below)

    function redirect_frame($url)
    {
        echo "<script language=\"JavaScript\" type=\"text/javascript\">\n";
        echo "<!--\n";
        echo "top.main.location.href = '" . $url . "';\n";
        echo "//-->\n";
        echo "</script>\n";
    }

    ?>
    <html><head><title>Login Demo</title>
    <meta http-equiv="Pragma" content="no-cache">
    <meta name="robots" content="noindex,nofollow">
    </head>

    <body bgcolor="#FFFFFF">

    <?php

    echo "<font face=arial size=2><center>";

    // ldap connection

    $ds = ldap_connect("OUR SERVER:389");

    // if connected try to bind user to ldap server

    if ($ds) {

        // get user from form and complete full samaccountname

        $user2 = isset($_POST['user']) ? $_POST['user'] : '';
        $user3 = "@samba.local";
        $user = $user2 . $user3;

        $pass = isset($_POST['pwd']) ? $_POST['pwd'] : '';

        // an empty password makes ldap_bind() do an anonymous bind, which AD accepts,
        // so treat it as a failed login without asking the server
        $r = ($pass !== '') && @ldap_bind($ds, $user, $pass);

        // user does not exist (or wrong password): redirect him and stop here

        if (!$r) {
            redirect_frame('http://www.walram3.nl');
            ldap_close($ds);
            exit;
        }

        // find record of logged in user; the form value is escaped before it goes
        // into the filter (ldap_escape() needs PHP 5.6 or later)

        $sr = ldap_search($ds, "CN=Users,DC=samba,DC=local",
                          "(sAMAccountName=" . ldap_escape($user2, '', LDAP_ESCAPE_FILTER) . ")");
        echo "<hr noshade width=400 height=1 align=center>";
        echo "<BR><B>Loading page!</b><BR>";

        // get memberof info for this user

        $info = $sr ? ldap_get_entries($ds, $sr) : array("count" => 0);

        $i = 0;              // the first (and only) entry returned
        $data = "memberof";  // attribute names are lower case in this array

        // the primary group is not listed in memberOf, so a user who is in no other
        // group has no memberof attribute at all; the number of values is in ["count"]
        // (count() on the array would include the "count" key itself and run one index too far)
        $total = isset($info[$i][$data]) ? $info[$i][$data]["count"] : 0;

        for ($jj = 0; $jj < $total; $jj++) {

            // if member of mail
            if ($info[$i][$data][$jj] == "CN=mail,CN=Users,DC=samba,DC=local") {
                redirect_frame('http://www.maillink.com');

            // if member of staff
            } elseif ($info[$i][$data][$jj] == "CN=staff,CN=Users,DC=samba,DC=local") {
                redirect_frame('http://stafflink');

            // if member of both staff and mail
            } elseif ($info[$i][$data][$jj] == "CN=both,CN=Users,DC=samba,DC=local") {
                redirect_frame('both.htm');

            // if member of noright group
            } elseif ($info[$i][$data][$jj] == "CN=noright,CN=Users,DC=samba,DC=local") {
                redirect_frame('http://noright');

            // if he is not member of mentioned groups above
            } else {
                redirect_frame('http://www.walram3.nl');
            }
        }

        // close connection

        // echo "<P>Connection closed";
        ldap_close($ds);
    }

    ?>

    </body></html>

    I turned off error logging. The page both.htm displays two links where this user is allowed to go. I tried the following code:

    PHP Code:
    } elseif (($info[$i][$data][$jj] == "CN=staff,CN=Users,DC=samba,DC=local") && ($info[$i][$data][$jj] == "CN=mail,CN=Users,DC=samba,DC=local")) {
    But instead of opening both.htm my user is redirected to the maillink, which is pretty strange. Someone have any idea how to solve this?
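The routing step from the post above as an added example, not the poster's code, and one that decides from the whole set of groups rather than from each memberOf value as the loop is reached. The group DNs and pages are the ones used in this thread; the sample entries are constructed to look like what ldap_get_entries() returns (attribute names lower-cased, as the manual quote in #9 says), including a user whose only group is the primary one and therefore has no memberof attribute at all.

```php
<?php
// Added example (not the poster's code): pick the landing page from the whole set of
// groups instead of from each memberOf value in turn. Group DNs and pages are the ones
// used in the thread; the sample entries at the bottom are constructed to look like
// what ldap_get_entries() returns.

// Collect the memberOf values as a set keyed by lower-cased DN. DNs compare
// case-insensitively, and the server may return them in a different case from the
// one typed into the script. Only direct memberships are listed: the primary group
// (primaryGroupID) and groups reached through nesting are not in memberOf.
function group_set(array $entry)
{
    $set = array();
    if (isset($entry['memberof'])) {            // missing when the user only has a primary group
        for ($i = 0; $i < $entry['memberof']['count']; $i++) {
            $set[strtolower($entry['memberof'][$i])] = true;
        }
    }
    return $set;
}

function in_group(array $set, $dn)
{
    return isset($set[strtolower($dn)]);
}

// Decide once, most specific rule first. A single memberOf value can never equal two
// different DNs, so "staff and mail" has to be tested on the set, not inside the loop.
function landing_page(array $entry)
{
    $g     = group_set($entry);
    $mail  = in_group($g, 'CN=mail,CN=Users,DC=samba,DC=local');
    $staff = in_group($g, 'CN=staff,CN=Users,DC=samba,DC=local');

    if ($mail && $staff) {
        return 'both.htm';
    }
    if ($mail) {
        return 'http://www.maillink.com';
    }
    if ($staff) {
        return 'http://stafflink';
    }
    if (in_group($g, 'CN=noright,CN=Users,DC=samba,DC=local')) {
        return 'http://noright';
    }
    return 'http://www.walram3.nl';              // in none of the groups above
}

// Constructed sample entries, one user each, shaped like ldap_get_entries() output
$samples = array(
    'mail only'          => array('count' => 1, 'memberof' => array('count' => 1,
        0 => 'CN=mail,CN=Users,DC=samba,DC=local')),
    'staff and mail'     => array('count' => 1, 'memberof' => array('count' => 2,
        0 => 'CN=Staff,CN=Users,DC=samba,DC=local',      // different case on purpose
        1 => 'CN=mail,CN=Users,DC=samba,DC=local')),
    'noright'            => array('count' => 1, 'memberof' => array('count' => 1,
        0 => 'CN=noright,CN=Users,DC=samba,DC=local')),
    'primary group only' => array('count' => 0),         // no memberof attribute at all
);
foreach ($samples as $who => $entry) {
    printf("%-20s -> %s\n", $who, landing_page($entry));
}
```

In the login page, call landing_page() once after the bind has succeeded and send a single redirect (header('Location: ...') followed by exit, or the frame script the thread uses), instead of one script per memberOf value, and stop with exit when the bind fails so a failed login never reaches the search. memberOf only shows direct membership: a user whose only group is the primary group has no memberOf value, and a user who is in "staff" through a nested group is not matched either. On Windows Server 2003 SP2 and later the nested case can be checked with a search against the group using the matching rule 1.2.840.113556.1.4.1941, for example the filter (member:1.2.840.113556.1.4.1941:=<user DN>); the Windows 2000 server in this thread does not support that rule.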
