PHP login script using LDAP, verify group membership

Simple PHP login script that authenticates through Active Directory using LDAP.
Checks user’s membership for two groups, and assigns permissions to a session variable.

authenticate.php

<?php
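/**
 * Authenticate a user against Active Directory and record the access level
 * granted by group membership in the session.
 *
 * @param string $user     login name (sAMAccountName, without the domain)
 * @param string $password the user's password
 * @return bool true when the bind succeeded AND the user is in at least one of
 *              the two web groups; $_SESSION['user'] / $_SESSION['access']
 *              (1 = user, 2 = manager) are set only in that case
 */
function authenticate($user, $password) {
    // Active Directory server
    // NOTE(review): a plain ldap:// connection sends the bind password in
    // cleartext; use an ldaps:// URL or call ldap_start_tls() before binding.
    $ldap_host = "server.college.school.edu";
 
    // Active Directory DN
    $ldap_dn = "OU=Departments,DC=college,DC=school,DC=edu";
 
    // Active Directory user group
    $ldap_user_group = "WebUsers";
 
    // Active Directory manager group
    $ldap_manager_group = "WebManagers";
 
    // Domain, for purposes of constructing $user
    $ldap_usr_dom = "@college.school.edu";
 
    // Reject empty credentials before touching the directory: ldap_bind() with
    // an empty password performs an unauthenticated (anonymous) bind, which AD
    // accepts, so the bind alone would "verify" any name with a blank password.
    if (!is_string($user) || !is_string($password) || $user === '' || $password === '') {
        return false;
    }
 
    // connect to active directory
    $ldap = ldap_connect($ldap_host);
    if ($ldap === false) {
        return false;
    }
    // AD needs LDAPv3 and referral chasing disabled; otherwise ldap_search()
    // below can fail or stall on the referrals AD returns for the domain tree.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
 
    // verify user and password
    if (!@ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
        // invalid name or password
        ldap_unbind($ldap);
        return false;
    }
 
    // look up the user's group memberships; the login name is escaped so it
    // cannot alter the filter (LDAP filter injection)
    $filter = "(sAMAccountName=" . ldap_escape($user, "", LDAP_ESCAPE_FILTER) . ")";
    $attr = array("memberof");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);
 
    // check groups: memberOf holds full DNs ("CN=WebUsers,OU=...,DC=..."), so
    // compare the CN component exactly (case-insensitive, as AD does). The
    // previous bare substring test also matched e.g. "CN=NotWebUsers,..." and
    // strpos() truthiness missed a match at offset 0.
    $manager_cn = "CN=" . $ldap_manager_group . ",";
    $user_cn = "CN=" . $ldap_user_group . ",";
    $access = 0;
    $groups = isset($entries[0]['memberof']) ? $entries[0]['memberof'] : array();
    foreach ($groups as $key => $grps) {
        // ldap_get_entries() adds a numeric 'count' element; it is not a DN
        if ($key === 'count' || !is_string($grps)) continue;
 
        // is manager, break loop
        if (stripos($grps, $manager_cn) === 0) { $access = 2; break; }
 
        // is user
        if (stripos($grps, $user_cn) === 0) $access = 1;
    }
 
    if ($access !== 0) {
        // establish session variables; issuing a fresh session id here keeps a
        // session id fixed before login from becoming an authenticated one
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        return true;
    }
 
    // user has no rights
    return false;
}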
?>
<?php
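/**
 * Authenticate a user against Active Directory and record the access level
 * granted by group membership in the session.
 *
 * @param string $user     login name (sAMAccountName, without the domain)
 * @param string $password the user's password
 * @return bool true when the bind succeeded AND the user is in at least one of
 *              the two web groups; $_SESSION['user'] / $_SESSION['access']
 *              (1 = user, 2 = manager) are set only in that case
 */
function authenticate($user, $password) {
	// Active Directory server
	// NOTE(review): a plain ldap:// connection sends the bind password in
	// cleartext; use an ldaps:// URL or call ldap_start_tls() before binding.
	$ldap_host = "server.college.school.edu";

	// Active Directory DN
	$ldap_dn = "OU=Departments,DC=college,DC=school,DC=edu";

	// Active Directory user group
	$ldap_user_group = "WebUsers";

	// Active Directory manager group
	$ldap_manager_group = "WebManagers";

	// Domain, for purposes of constructing $user
	$ldap_usr_dom = "@college.school.edu";

	// Reject empty credentials before touching the directory: ldap_bind() with
	// an empty password performs an unauthenticated (anonymous) bind, which AD
	// accepts, so the bind alone would "verify" any name with a blank password.
	if (!is_string($user) || !is_string($password) || $user === '' || $password === '') {
		return false;
	}

	// connect to active directory
	$ldap = ldap_connect($ldap_host);
	if ($ldap === false) {
		return false;
	}
	// AD needs LDAPv3 and referral chasing disabled; otherwise ldap_search()
	// below can fail or stall on the referrals AD returns for the domain tree.
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

	// verify user and password
	if (!@ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
		// invalid name or password
		ldap_unbind($ldap);
		return false;
	}

	// look up the user's group memberships; the login name is escaped so it
	// cannot alter the filter (LDAP filter injection)
	$filter = "(sAMAccountName=" . ldap_escape($user, "", LDAP_ESCAPE_FILTER) . ")";
	$attr = array("memberof");
	$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
	$entries = ldap_get_entries($ldap, $result);
	ldap_unbind($ldap);

	// check groups: memberOf holds full DNs ("CN=WebUsers,OU=...,DC=..."), so
	// compare the CN component exactly (case-insensitive, as AD does). The
	// previous bare substring test also matched e.g. "CN=NotWebUsers,..." and
	// strpos() truthiness missed a match at offset 0.
	$manager_cn = "CN=" . $ldap_manager_group . ",";
	$user_cn = "CN=" . $ldap_user_group . ",";
	$access = 0;
	$groups = isset($entries[0]['memberof']) ? $entries[0]['memberof'] : array();
	foreach ($groups as $key => $grps) {
		// ldap_get_entries() adds a numeric 'count' element; it is not a DN
		if ($key === 'count' || !is_string($grps)) continue;

		// is manager, break loop
		if (stripos($grps, $manager_cn) === 0) { $access = 2; break; }

		// is user
		if (stripos($grps, $user_cn) === 0) $access = 1;
	}

	if ($access !== 0) {
		// establish session variables; issuing a fresh session id here keeps a
		// session id fixed before login from becoming an authenticated one
		if (session_status() === PHP_SESSION_ACTIVE) {
			session_regenerate_id(true);
		}
		$_SESSION['user'] = $user;
		$_SESSION['access'] = $access;
		return true;
	}

	// user has no rights
	return false;
}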
?>

login.php:

<?php
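include("authenticate.php");
 
// authenticate() and the logout branch below write $_SESSION; those writes
// only persist when a session has been started for this request
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
 
// check to see if user is logging out
if(isset($_GET['out'])) {
    // destroy session (clearing the array already drops 'user' and 'access')
    session_unset();
    $_SESSION = array();
    session_destroy();
}
 
// check to see if login form has been submitted
if(isset($_POST['userLogin'])){
    // a missing or blank field must never reach the authenticator: an empty
    // password would otherwise be sent to the directory as a credential
    $login = $_POST['userLogin'];
    $password = isset($_POST['userPassword']) ? $_POST['userPassword'] : '';
    $credentials_present = is_string($login) && is_string($password)
        && $login !== '' && $password !== '';
 
    // run information through authenticator
    if($credentials_present && authenticate($login, $password))
    {
        // authentication passed
        header("Location: index.php");
        die();
    } else {
        // authentication failed
        $error = 1;
    }
}
 
// output error to user
if (isset($error)) echo "Login failed: Incorrect user name, password, or rights<br />";
 
// output logout success
if (isset($_GET['out'])) echo "Logout successful<br />";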
?>
 
<form method="post" action="login.php">
    User: <input type="text" name="userLogin" /><br />
    Password: <input type="password" name="userPassword" /><br />
    <input type="submit" name="submit" value="Submit" />
</form>
<?php
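include("authenticate.php");

// authenticate() and the logout branch below write $_SESSION; those writes
// only persist when a session has been started for this request
if (session_status() === PHP_SESSION_NONE) {
	session_start();
}

// check to see if user is logging out
if(isset($_GET['out'])) {
	// destroy session (clearing the array already drops 'user' and 'access')
	session_unset();
	$_SESSION = array();
	session_destroy();
}

// check to see if login form has been submitted
if(isset($_POST['userLogin'])){
	// a missing or blank field must never reach the authenticator: an empty
	// password would otherwise be sent to the directory as a credential
	$login = $_POST['userLogin'];
	$password = isset($_POST['userPassword']) ? $_POST['userPassword'] : '';
	$credentials_present = is_string($login) && is_string($password)
		&& $login !== '' && $password !== '';

	// run information through authenticator
	if($credentials_present && authenticate($login, $password))
	{
		// authentication passed
		header("Location: index.php");
		die();
	} else {
		// authentication failed
		$error = 1;
	}
}

// output error to user
if (isset($error)) echo "Login failed: Incorrect user name, password, or rights<br />";

// output logout success
if (isset($_GET['out'])) echo "Logout successful<br />";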
?>

<form method="post" action="login.php">
	User: <input type="text" name="userLogin" /><br />
	Password: <input type="password" name="userPassword" /><br />
	<input type="submit" name="submit" value="Submit" />
</form>
