Open a connection to an LDAP server, query it for a given user, and check group membership for that user (test script)
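#!/usr/bin/php
<?php
# LDAP connectivity test script.
#
# Parses the command line, connects to an LDAP server, binds (anonymously or
# with the supplied credentials), runs a single search and dumps the raw
# entries with print_r().
#
# Exit codes: 0 on success or --help, 1 on an invalid port number,
#             100 when connect/bind fails, 200 when the search fails.

# Parse options. getopt() stores a value-less long option such as --help as
# boolean false, so testing its truthiness never fires; test for the key instead.
$opts = getopt('h:n:u:p:b:s:', array('help'));
if (!is_array($opts)) {
    $opts = array();
}
if (array_key_exists('help', $opts)) {
    echo <<<ENDHELP
Usage:
$argv[0] [-h HOSTNAME] [-n PORTNUM] [-u USERNAME] [-p PASSWORD] [-b BASEDN] [-s SEARCH]
Where:
HOSTNAME is the LDAP hostname to connect to; omit to use default (pool.ldap.csiro.au)
PORTNUM is the port number to connect to; omit to use default (389)
USERNAME is the username passed to ldap_bind(); omit to bind anonymously
PASSWORD is the password passed to ldap_bind(); omit to bind without a password
BASEDN is the base DN passed to ldap_search(); omit to use the default (DC=nexus,DC=csiro,DC=au)
SEARCH is the search string passed to ldap_search(); omit to use the default (sAMAccountName=gib392)
ENDHELP;
    exit(0);
}

# Extract options into variables, falling back to the documented defaults.
$hostname = isset($opts['h']) ? $opts['h'] : 'pool.ldap.csiro.au';
$port_num = isset($opts['n']) ? intval($opts['n']) : 389;
$username = isset($opts['u']) ? $opts['u'] : null;
$password = isset($opts['p']) ? $opts['p'] : null;
$base_dn  = isset($opts['b']) ? $opts['b'] : 'DC=nexus,DC=csiro,DC=au';
$search   = isset($opts['s']) ? $opts['s'] : 'sAMAccountName=gib392';

# intval() turns a non-numeric PORTNUM into 0; reject anything outside the TCP range.
if ($port_num < 1 || $port_num > 65535) {
    echo "Error: PORTNUM must be between 1 and 65535" . PHP_EOL;
    exit(1);
}

# Connect to LDAP
echo "Executing: ldap_connect('$hostname', $port_num)" . PHP_EOL;
$ldap = ldap_connect($hostname, $port_num);
if (!$ldap) {
    echo "Error: Could not initialise LDAP connection" . PHP_EOL;
    exit(100);
}
# Protocol version 3 and no referrals are required for AD
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

# Bind to LDAP. The password is masked in the trace output so it does not end
# up in terminal scrollback, CI logs or screenshots.
$shown_password = ($password === null) ? 'null' : '********';
echo "Executing: ldap_bind(<ldap>, '$username', '$shown_password')" . PHP_EOL;
# A USERNAME given without a PASSWORD is an LDAP "unauthenticated" simple bind;
# directories (AD included) may report success for it while granting only
# anonymous access, so a successful bind here does not prove the credentials.
$bind_result = ldap_bind($ldap, $username, $password);
if (!$bind_result) {
    echo "Error: Could not bind: " . PHP_EOL . ldap_error($ldap) . PHP_EOL;
    exit(100);
}

# Perform search. SEARCH is passed through verbatim as the filter by design
# (this is a test tool); anything that builds a filter from untrusted input
# must run the value through ldap_escape() first.
echo "Executing: ldap_search(<ldap>, '$base_dn', '$search')" . PHP_EOL;
$results = ldap_search($ldap, $base_dn, $search);
if (!$results) {
    echo "Error: Could not search" . PHP_EOL . ldap_error($ldap) . PHP_EOL;
    exit(200);
}

# Output results and release the connection.
echo "Got results from LDAP search..." . PHP_EOL;
print_r(ldap_get_entries($ldap, $results));
ldap_unbind($ldap);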
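#!/usr/bin/php
<?php
// USAGE: test-ldap.php <username>
// This will check the given <username> for access and group membership. The <username> is required.
// Note that the username and password used for the bind() operation is defined as a constant and is not
// necessarily the same as the username given as argument to the script.
// These constants need values which are environment-specific.
define('HOSTNAME', ''); // This was a normal FQHN, e.g. "server.domain.org.au"
define('USERNAME', ''); // This is a Windows login workgroup style username, e.g. "WORKGROUP\joe.bloggs"
define('PASSWORD', ''); // Plain text password, e.g. "password"
define('BASE_DN', ''); // The base distinguished name, consisting of several domain components, e.g. "DC=domain,DC=org,DC=au"
define('USER_OU', ''); // The organisation unit hierarchy describing where users are, e.g. "OU=Users,OU=Department,OU=TheCompany"
define('GROUP_DN', ''); // Pipe-separated list of distinguished names of groups to match against, e.g. "CN=UserGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au|CN=AdminGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au"
define('ATTRIBUTE', ''); // The attribute used to match against the entered username, e.g. in our case, "sAMAccountName"

// Refuse to run with the placeholder values above. An empty USERNAME/PASSWORD in
// particular would turn the bind into an anonymous or unauthenticated bind, which
// the directory may accept, producing a misleading "Success".
foreach (array('HOSTNAME', 'USERNAME', 'PASSWORD', 'BASE_DN', 'USER_OU', 'GROUP_DN', 'ATTRIBUTE') as $constant_name) {
    if (constant($constant_name) === '') {
        die('Configuration error: ' . $constant_name . ' must be set' . PHP_EOL);
    }
}

// The username argument is required; without it the filter would be malformed.
if (!isset($argv[1]) || $argv[1] === '') {
    die('USAGE: test-ldap.php <username>' . PHP_EOL);
}

$ldap = ldap_connect(HOSTNAME);
if (!$ldap) {
    die('Connection error' . PHP_EOL);
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// Referral chasing is disabled, as in the companion test script; AD searches
// below the domain root otherwise tend to fail while following referrals.
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if (!ldap_bind($ldap, USERNAME, PASSWORD)) {
    ldap_unbind($ldap);
    die('Authentication error' . PHP_EOL);
}

$search = sprintf('%s,%s', USER_OU, BASE_DN);
// The argument is user-supplied and becomes part of the search filter: escape it
// so filter metacharacters cannot alter the query (LDAP filter injection).
$filter = sprintf('%s=%s', ATTRIBUTE, ldap_escape($argv[1], '', LDAP_ESCAPE_FILTER));
$results = ldap_search($ldap, $search, $filter, array(ATTRIBUTE, 'givenName', 'sn', 'memberOf'));
if (!$results) {
    ldap_unbind($ldap);
    die('Search error' . PHP_EOL);
}

$entry = ldap_first_entry($ldap, $results);
if (!$entry) {
    ldap_unbind($ldap);
    die('No results found' . PHP_EOL);
}

$attrs = ldap_get_attributes($ldap, $entry);
// Name attributes are optional on the entry; do not trip a notice when absent.
$given_name = isset($attrs['givenName'][0]) ? $attrs['givenName'][0] : '';
$surname    = isset($attrs['sn'][0]) ? $attrs['sn'][0] : '';
echo 'Success! Found ' . $given_name . ' ' . $surname . PHP_EOL;

// ldap_get_attributes() mixes numeric indices and a 'count' key in with the
// attribute names; keep only the names for display.
$keys = array_filter(array_keys($attrs), function ($item) {
    return !is_numeric($item);
});
sort($keys);
print_r($keys);

// memberOf lists direct memberships only and is absent entirely when the user is
// in no group; default to an empty list so array_intersect() below is not fed null.
$member_of = isset($attrs['memberOf']) ? $attrs['memberOf'] : array();
print_r($member_of);

$groups = explode('|', GROUP_DN);
// Exact, case-sensitive string comparison. DN matching in LDAP is case-insensitive,
// so GROUP_DN must be written exactly as the directory returns it or this misses;
// nested group membership is not resolved either.
$match = count(array_intersect($groups, $member_of)) > 0;
echo $match ? 'Found group, user can login' . PHP_EOL : 'Did not find group' . PHP_EOL;
ldap_unbind($ldap);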