Simple PHP login script that authenticates through Active Directory using LDAP.
Checks the user's membership of two groups and stores the resulting permission level in a session variable.
authenticate.php

<?php
function authenticate($user, $password) {
    // Active Directory server
    $ldap_host = "server.college.school.edu";
    // Active Directory DN
    $ldap_dn = "OU=Departments,DC=college,DC=school,DC=edu";
    // Active Directory user group
    $ldap_user_group = "WebUsers";
    // Active Directory manager group
    $ldap_manager_group = "WebManagers";
    // Domain, for purposes of constructing $user
    $ldap_usr_dom = "@college.school.edu";

    // An empty password makes ldap_bind() perform an anonymous bind, which
    // most directories accept; treat it as a failed login before connecting
    if ($user === '' || $password === '') {
        return false;
    }

    // connect to active directory
    $ldap = ldap_connect($ldap_host);
    if ($ldap === false) {
        return false;
    }
    // Active Directory needs LDAPv3 and referral chasing switched off,
    // otherwise ldap_search() fails with "Operations error"
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // verify user and password
    if (@ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
        // valid
        // check presence in groups; escape the user name so it cannot
        // change the meaning of the filter
        $filter = "(sAMAccountName=" . ldap_escape($user, "", LDAP_ESCAPE_FILTER) . ")";
        $attr = array("memberof");
        $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
        $entries = ldap_get_entries($ldap, $result);
        ldap_unbind($ldap);

        // check groups: memberof holds full DNs such as
        // "CN=WebManagers,OU=Groups,DC=college,DC=school,DC=edu", so match
        // the leading CN exactly rather than any substring of the DN
        $access = 0;
        if ($entries['count'] > 0 && isset($entries[0]['memberof'])) {
            foreach ($entries[0]['memberof'] as $grps) {
                // ldap_get_entries() adds a numeric 'count' element; skip it
                if (!is_string($grps)) continue;
                // is manager, break loop
                if (stripos($grps, "CN=" . $ldap_manager_group . ",") === 0) { $access = 2; break; }
                // is user
                if (stripos($grps, "CN=" . $ldap_user_group . ",") === 0) $access = 1;
            }
        }
        if ($access != 0) {
            // establish session variables
            $_SESSION['user'] = $user;
            $_SESSION['access'] = $access;
            return true;
        } else {
            // user has no rights
            return false;
        }
    } else {
        // invalid name or password
        ldap_unbind($ldap);
        return false;
    }
}
?>
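The memberOf loop above decides access by looking at group DNs, and the search filter is built from the submitted user name. The following is an added example, not code from the original post: it parses each DN with ldap_explode_dn() and compares the whole CN, so a group such as "WebUsersOld" is not mistaken for "WebUsers", and it builds the sAMAccountName filter with ldap_escape() so filter metacharacters in the user name stay literal. The constants, function names and the sample memberOf array are assumptions made for this example; it only needs the PHP LDAP extension loaded, not a directory connection.

```php
<?php
// Added example, not part of the original post. It operates on a memberOf
// value list in the shape ldap_get_entries() returns it (a 'count' key plus
// numeric keys), so it can be run without an Active Directory server.

const ACCESS_NONE = 0;
const ACCESS_USER = 1;
const ACCESS_MANAGER = 2;

// Return the CN (first RDN value) of a group DN, or null if it cannot be parsed.
function group_cn($dn) {
    $parts = ldap_explode_dn($dn, 1); // 1 = values only; element 0 is the RDN
    if ($parts === false || $parts['count'] < 1) {
        return null;
    }
    // ldap_explode_dn() hex-escapes non-ASCII bytes (e.g. \C3\A9); undo that
    return preg_replace_callback('/\\\\([0-9A-Fa-f]{2})/', function ($m) {
        return chr(hexdec($m[1]));
    }, $parts[0]);
}

// Map a memberOf list to an access level. Group names are compared as whole
// CNs, case-insensitively, so only an exact group name counts.
function resolve_access(array $member_of, $user_group, $manager_group) {
    $access = ACCESS_NONE;
    foreach ($member_of as $key => $dn) {
        if ($key === 'count' || !is_string($dn)) continue;
        $cn = group_cn($dn);
        if ($cn === null) continue;
        if (strcasecmp($cn, $manager_group) === 0) {
            return ACCESS_MANAGER; // highest level wins, no need to keep looking
        }
        if (strcasecmp($cn, $user_group) === 0) {
            $access = ACCESS_USER;
        }
    }
    return $access;
}

// Build the account filter with the user name escaped, so '*', '(', ')'
// and '\' in the submitted value are treated as literal characters.
function account_filter($user) {
    return "(sAMAccountName=" . ldap_escape($user, "", LDAP_ESCAPE_FILTER) . ")";
}

// Constructed sample: what $entries[0]['memberof'] could look like for a
// user who is in a similarly named group and in WebUsers itself.
$sample_member_of = array(
    'count' => 2,
    0 => 'CN=WebUsersOld,OU=Groups,DC=college,DC=school,DC=edu',
    1 => 'CN=WebUsers,OU=Groups,DC=college,DC=school,DC=edu',
);
var_dump(resolve_access($sample_member_of, 'WebUsers', 'WebManagers'));
var_dump(account_filter('jdoe'));
var_dump(account_filter('j(doe)*'));
```

With the sample list, the first DN is only a substring match and is ignored, the second is an exact match, so the user is assigned the user level and not the manager level. The last call shows the escaped form of a name containing filter metacharacters; the search then looks for that literal account name instead of being reshaped by it.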
login.php:

<?php
// the session must be started before $_SESSION is read or written, here
// and on every page that later checks $_SESSION['access']
session_start();
include("authenticate.php");
// check to see if user is logging out
if (isset($_GET['out'])) {
    // destroy session
    $_SESSION = array();
    session_destroy();
}
// check to see if login form has been submitted
if (isset($_POST['userLogin'], $_POST['userPassword'])) {
    // run information through authenticator
    if (authenticate($_POST['userLogin'], $_POST['userPassword'])) {
        // authentication passed; issue a fresh session id so an id obtained
        // before login cannot be reused afterwards
        session_regenerate_id(true);
        header("Location: index.php");
        die();
    } else {
        // authentication failed
        $error = 1;
    }
}
// output error to user
if (isset($error)) echo "Login failed: Incorrect user name, password, or rights<br />";
// output logout success
if (isset($_GET['out'])) echo "Logout successful<br />";
?>
<form method="post" action="login.php">
User: <input type="text" name="userLogin" /><br />
Password: <input type="password" name="userPassword" /><br />
<input type="submit" name="submit" value="Submit" />
</form>
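login.php redirects to index.php, which the post does not show. As an added example that is not the author's code, here is a protected page that reads the access level authenticate() stored in the session and sends anyone who lacks the required level back to the login form. The file name index.php, the require_access()/current_access() helper names and the ACCESS_* constants are assumptions for this example; the levels 1 and 2 are the values authenticate() stores.

```php
<?php
// Added example, not code from the original post. Assumed to be index.php;
// the two helpers could equally live in a config.php that every page includes.

const ACCESS_USER = 1;
const ACCESS_MANAGER = 2;

// Return the visitor's access level from the session, 0 when not logged in.
function current_access() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Mark the session cookie HttpOnly (and Secure when served over TLS);
        // cookie parameters must be set before the session is started
        session_set_cookie_params(0, '/', '', !empty($_SERVER['HTTPS']), true);
        session_start();
    }
    return isset($_SESSION['access']) ? (int) $_SESSION['access'] : 0;
}

// Stop the page unless the session carries at least $required; anonymous
// or under-privileged visitors are redirected to the login form.
function require_access($required) {
    if (current_access() < $required) {
        header("Location: login.php");
        exit();
    }
}

// Everyone who logged in may see this page; a page reserved for the
// WebManagers group would call require_access(ACCESS_MANAGER) instead.
require_access(ACCESS_USER);

if (current_access() === ACCESS_MANAGER) {
    echo 'WebManagers - page for the administrator';
} else {
    echo 'WebUsers - page for the users';
}
```

Because require_access() runs before any output, the redirect header can still be sent; keep it above any HTML on the page. Comparing the level numerically lets a manager view user-level pages without listing every group on every page.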
Thx a lot, this is the first PHP script for LDAP I found which WORKS! Thx a lot
No problem
Thanks so much for the script and it works. It saves a lot of time for me.
Thanks a lot
Thank you so much, the code works perfectly. I want to ask how I set the file index.php, and I broke WebUsers and WebManagers to each group previewed something else? The division would be carried out through session_start? Please advise.
I am not sure I understand what you are asking
Can you rephrase the question?
When you successfully login to index.php, how do I verify a user group?
index.php
<?php
if ($_SESSION['access'] == "2") {
    echo 'WebManagers – page for the administrator';
}
if ($_SESSION['access'] == "1") {
    echo 'WebUsers – page for the users';
}
?>
how do I set up $_SESSION in index.php
I am sorry for my English :)
$_SESSION variables will carry over to any page within the PHP installation’s scope – just make sure session_start(); is at the top of the page
You should probably create a config.php with session_start(); in it
Then include('config.php'); at the top of login.php (above authenticate.php) and at the top of index.php
config.php
<?php
session_start();
?>
index.php
<?php
include('config.php');
if ($_SESSION['access'] == "2") {
    echo 'WebManagers – page for the administrator';
}
if ($_SESSION['access'] == "1") {
    echo 'WebUsers – page for the users ';
}
?>
Hi
Do you have these scripts available to download as a working “Kit” ?
Cheers
Simon
Since everyone’s AD setup is different, there’s no way to provide an ‘out-of-the-box’ working example
You should be able to select and copy the code for the two files, clicking the magnifying glass icon might make it easier
Greetings,
It always gives me this error. Can anyone help?
Warning: ldap_search() [function.ldap-search]: Search: Operations error in C:\xampp\htdocs\aaa\authenticate.php on line 27
Unable to search LDAP server
Remove the @ from line 22 before ldap_bind just to see if there’s a helpful error message being suppressed
And make sure your $ldap_dn is correct
Somehow, this script does not work for me; whether you provide the correct login details or the wrong ones, it continues without an error. Something is not OK. Anyone got the same issue?
Can you paste your code? Be sure to remove any sensitive information
http://paste.samjlevy.com
*removed incomplete code pasting*
okello,
Can you use http://paste.samjlevy.com or if you are pasting the code into a reply, put <code> </code> around it so it doesn’t strip out text
To add to the code above, the only change made was the following, nothing else:
// Active Directory server
$ldap_host = "mydomain.com";
// Active Directory DN
$ldap_dn = "OU=user,DC=mydomain,DC=com";
// Active Directory user group
$ldap_user_group = "Users";
// Active Directory manager group
$ldap_manager_group = "Administrators";
// Domain, for purposes of constructing $user
$ldap_usr_dom = "@mydomain.com";