rhukster · May 5, 2018 04:36
diff --git a/test-ldap-2.php b/test-ldap-2.php
 #!/usr/bin/php
 <?php

 # Parse options
 $opts = getopt('h:n:u:p:b:s:', array( 'help' ));

 if (isset($opts['help']) && $opts['help']) {
 	echo <<<ENDHELP
 Usage:
    $argv[0] [-h HOSTNAME] [-n PORTNUM] [-u USERNAME] [-p PASSWORD] [-b BASEDN] [-s SEARCH]
 Where:
    HOSTNAME is the LDAP hostname to connect to; omit to use default (pool.ldap.csiro.au)
    PORTNUM is the port number to connect to; omit to use default (389)
    USERNAME is the username passed to ldap_bind(); omit to bind anonymously
    PASSWORD is the password passed to ldap_bind(); omit to bind without a password
    BASEDN is the base DN passed to ldap_search(); omit to use the default (DC=nexus,DC=csiro,DC=au)
    SEARCH is the search string passed to ldap_search(); omit to use the default (sAMAccountName=gib392)
 ENDHELP
 ;
 	exit(0);
 }

 # Extract options into variables
 $hostname = isset($opts['h']) ? $opts['h'] : 'pool.ldap.csiro.au';
 $port_num = isset($opts['n']) ? intval($opts['n']) : 389;
 $username = isset($opts['u']) ? $opts['u'] : null;
 $password = isset($opts['p']) ? $opts['p'] : null;
 $base_dn = isset($opts['b']) ? $opts['b'] : 'DC=nexus,DC=csiro,DC=au';
 $search = isset($opts['s']) ? $opts['s'] : 'sAMAccountName=gib392';

 # Connect to LDAP
 echo "Executing: ldap_connect('$hostname', $port_num)" . PHP_EOL;
 $ldap = ldap_connect($hostname, $port_num);

 # Protocol version 3 and no referrals are required for AD
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

 # Bind to LDAP
 echo "Executing: ldap_bind(<ldap>, '$username', '$password')" . PHP_EOL;
 $bind_result = ldap_bind($ldap, $username, $password);
 if (!$bind_result) {
 	echo "Error: Could not bind: " . PHP_EOL . ldap_error($ldap) . PHP_EOL;
 	exit(100);
 }

 # Perform search
 echo "Executing: ldap_search(<ldap>, '$base_dn', '$search')" . PHP_EOL;
 $results = ldap_search($ldap, $base_dn, $search);
 if (!$results) {
 	echo "Error: Could not search" . PHP_EOL . ldap_error($ldap) . PHP_EOL;
 	exit(200);
 }

 # Output results
 echo "Got results fro LDAP search..." . PHP_EOL;
 print_r(ldap_get_entries($ldap, $results));
diff --git a/test-ldap.php b/test-ldap.php
 #!/usr/bin/php
 <?php
 // USAGE: test-ldap.php <username>
 // This will check the given <username> for access and group membership.  The <username> is required.
 // Note that the username and password used for the bind() operation is defined as a constant and is not
 // necessarily the same as the username given as argument to the script.

 // These constants need values which are environment-specific.
 define('HOSTNAME', '');  // This was a normal FQHN, e.g. "server.domain.org.au"
 define('USERNAME', '');  // This is a Windows login workgroup style username, e.g. "WORKGROUP\joe.bloggs"
 define('PASSWORD', '');  // Plain text password, e.g. "password"
 define('BASE_DN', '');   // The base distinguished name, consisting of several domain components, e.g. "DC=domain,DC=org,DC=au"
 define('USER_OU', '');   // The organisation unit hierarchy describing where users are, e.g. "OU=Users,OU=Department,OU=TheCompany"
 define('GROUP_DN', '');  // Pipe-separated list of distinguished names of groups to match against, e.g. "CN=UserGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au|CN=AdminGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au"
 define('ATTRIBUTE', ''); // The attribute used to match against the entered username, e.g. in our case, "sAMAccountName"

 $ldap = ldap_connect(HOSTNAME);
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

 if (!ldap_bind($ldap, USERNAME, PASSWORD)) {
 	ldap_unbind($ldap);
 	die('Authentication error' . PHP_EOL);
 }

 $search = sprintf('%s,%s', USER_OU, BASE_DN);
 $filter = sprintf('%s=%s', ATTRIBUTE, (isset($argv[1]) ? $argv[1] : ''));
 $results = ldap_search($ldap, $search, $filter, array( ATTRIBUTE, 'givenName', 'sn', 'memberOf' ));
 if (!$results) {
 	ldap_unbind($ldap);
 	die('Search error' . PHP_EOL);
 }

 $entry = ldap_first_entry($ldap, $results);
 if (!$entry) {
 	ldap_unbind($ldap);
 	die('No results found' . PHP_EOL);
 }

 $attrs = ldap_get_attributes($ldap, $entry);

 echo 'Success! Found ' . $attrs['givenName'][0] . ' ' . $attrs['sn'][0] . PHP_EOL;

 $keys = array_filter(array_keys($attrs), function ($item) {
 	return !is_numeric($item);
 });
 sort($keys);
 print_r($keys);

 print_r($attrs['memberOf']);
 $groups = explode('|', GROUP_DN);
 $match = sizeof(array_intersect($groups, $attrs['memberOf'])) > 0;
 echo $match ? 'Found group, user can login' . PHP_EOL : 'Did not find group' . PHP_EOL;

 ldap_unbind($ldap);
	#!/usr/bin/php
	<?php

	# Parse options
	$opts = getopt('h:n:u:p:b:s:', array( 'help' ));

	if (isset($opts['help']) && $opts['help']) {
	echo <<<ENDHELP
	Usage:
	$argv[0] [-h HOSTNAME] [-n PORTNUM] [-u USERNAME] [-p PASSWORD] [-b BASEDN] [-s SEARCH]
	Where:
	HOSTNAME is the LDAP hostname to connect to; omit to use default (pool.ldap.csiro.au)
	PORTNUM is the port number to connect to; omit to use default (389)
	USERNAME is the username passed to ldap_bind(); omit to bind anonymously
	PASSWORD is the password passed to ldap_bind(); omit to bind without a password
	BASEDN is the base DN passed to ldap_search(); omit to use the default (DC=nexus,DC=csiro,DC=au)
	SEARCH is the search string passed to ldap_search(); omit to use the default (sAMAccountName=gib392)
	ENDHELP
	;
	exit(0);
	}

	# Extract options into variables
	$hostname = isset($opts['h']) ? $opts['h'] : 'pool.ldap.csiro.au';
	$port_num = isset($opts['n']) ? intval($opts['n']) : 389;
	$username = isset($opts['u']) ? $opts['u'] : null;
	$password = isset($opts['p']) ? $opts['p'] : null;
	$base_dn = isset($opts['b']) ? $opts['b'] : 'DC=nexus,DC=csiro,DC=au';
	$search = isset($opts['s']) ? $opts['s'] : 'sAMAccountName=gib392';

	# Connect to LDAP
	echo "Executing: ldap_connect('$hostname', $port_num)" . PHP_EOL;
	$ldap = ldap_connect($hostname, $port_num);

	# Protocol version 3 and no referrals are required for AD
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

	# Bind to LDAP
	echo "Executing: ldap_bind(<ldap>, '$username', '$password')" . PHP_EOL;
	$bind_result = ldap_bind($ldap, $username, $password);
	if (!$bind_result) {
	echo "Error: Could not bind: " . PHP_EOL . ldap_error($ldap) . PHP_EOL;
	exit(100);
	}

	# Perform search
	echo "Executing: ldap_search(<ldap>, '$base_dn', '$search')" . PHP_EOL;
	$results = ldap_search($ldap, $base_dn, $search);
	if (!$results) {
	echo "Error: Could not search" . PHP_EOL . ldap_error($ldap) . PHP_EOL;
	exit(200);
	}

	# Output results
	echo "Got results fro LDAP search..." . PHP_EOL;
	print_r(ldap_get_entries($ldap, $results));
	#!/usr/bin/php
	<?php
	// USAGE: test-ldap.php <username>
	// This will check the given <username> for access and group membership. The <username> is required.
	// Note that the username and password used for the bind() operation is defined as a constant and is not
	// necessarily the same as the username given as argument to the script.

	// These constants need values which are environment-specific.
	define('HOSTNAME', ''); // This was a normal FQHN, e.g. "server.domain.org.au"
	define('USERNAME', ''); // This is a Windows login workgroup style username, e.g. "WORKGROUP\joe.bloggs"
	define('PASSWORD', ''); // Plain text password, e.g. "password"
	define('BASE_DN', ''); // The base distinguished name, consisting of several domain components, e.g. "DC=domain,DC=org,DC=au"
	define('USER_OU', ''); // The organisation unit hierarchy describing where users are, e.g. "OU=Users,OU=Department,OU=TheCompany"
	define('GROUP_DN', ''); // Pipe-separated list of distinguished names of groups to match against, e.g. "CN=UserGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au\|CN=AdminGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au"
	define('ATTRIBUTE', ''); // The attribute used to match against the entered username, e.g. in our case, "sAMAccountName"

	$ldap = ldap_connect(HOSTNAME);
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

	if (!ldap_bind($ldap, USERNAME, PASSWORD)) {
	ldap_unbind($ldap);
	die('Authentication error' . PHP_EOL);
	}

	$search = sprintf('%s,%s', USER_OU, BASE_DN);
	$filter = sprintf('%s=%s', ATTRIBUTE, (isset($argv[1]) ? $argv[1] : ''));
	$results = ldap_search($ldap, $search, $filter, array( ATTRIBUTE, 'givenName', 'sn', 'memberOf' ));
	if (!$results) {
	ldap_unbind($ldap);
	die('Search error' . PHP_EOL);
	}

	$entry = ldap_first_entry($ldap, $results);
	if (!$entry) {
	ldap_unbind($ldap);
	die('No results found' . PHP_EOL);
	}

	$attrs = ldap_get_attributes($ldap, $entry);

	echo 'Success! Found ' . $attrs['givenName'][0] . ' ' . $attrs['sn'][0] . PHP_EOL;

	$keys = array_filter(array_keys($attrs), function ($item) {
	return !is_numeric($item);
	});
	sort($keys);
	print_r($keys);

	print_r($attrs['memberOf']);
	$groups = explode('\|', GROUP_DN);
	$match = sizeof(array_intersect($groups, $attrs['memberOf'])) > 0;
	echo $match ? 'Found group, user can login' . PHP_EOL : 'Did not find group' . PHP_EOL;

	ldap_unbind($ldap);