I have a question regarding user membership of groups in Active Directory and grabbing such memberships with PHP. My big question/situation is that I have a site I am making, and essentially I am trying to assign administrators based off of groups in Active Directory. I know how to check memberOf status on an account, but my problem is that there are some groups that aren't displayed there, and one of the groups that is not displayed is the group I need. Is there a way I can check who is a member of that group instead of checking if that user is a member of that group? Alternatively, if someone knows why certain groups are not appearing in my search, I would prefer to search membership that way, because then it would be a simple logic statement to check if the user is in that group. My code is below and it does work, but as I said there are certain groups that don't appear. I think I read somewhere about how membership is stored, and also about whether it is a direct membership or if you are a member of a group that is a member of another group. One group that we use as our default group is Domain Users, but no one has that in their memberOf array even though that group's membership is direct, as in the members of that group are all users, not other security groups containing the users.
Code:
<?php
// $_SESSION is written below, so a session must be active; the guard keeps an
// including file that already called session_start() from starting a second one.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

$ldap = ldap_connect("192.168.1.**");
$ldap_dn = "DC=************,DC=local";
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$access = NULL;

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// With an empty password ldap_bind performs an anonymous bind, which a server
// can accept; refuse it before the bind so that can never count as a login.
if ($username !== '' && $password !== '' && ldap_bind($ldap, "***********\\" . $username, $password)) {
    // ldap_escape keeps characters such as * ( ) \ in the submitted name from
    // changing the meaning of the filter (LDAP filter injection)
    $filter = "(sAMAccountName=" . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ")";
    $attr = array("memberof", "givenname", "sn", "mail");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);

    if ($entries['count'] < 1) {
        // bind succeeded but no account object was found under $ldap_dn
        return false;
    }
    $givenname = $entries[0]['givenname'][0] . " " . $entries[0]['sn'][0];
    //var_dump($entries[0]["sn"][0]);
    //var_dump($givenname);
    //var_dump($entries[0]);

    // check groups: the memberof attribute is absent entirely when the user is in
    // no groups, and ldap_get_entries adds a 'count' element next to the values
    $groups = isset($entries[0]['memberof']) ? $entries[0]['memberof'] : array('count' => 0);
    for ($i = 0; $i < $groups['count']; $i++) {
        $grps = $groups[$i];
        // is manager, break loop
        //if (strpos($grps, $ldap_manager_group) !== false) { $access = 2; break; }
        // is user
        //var_dump($grps);
        // strpos returns false when the text is absent and 0 when it starts the
        // string, so its result must be compared with !== false, not used as a boolean
        if (strpos($grps, "****** * *** *****") !== false) $access = "****** *";
        if (strpos($grps, "*** Group") !== false) $access = "***";
        if (strpos($grps, "*** Group") !== false) $access = "***";
        if (strpos($grps, "***") !== false) $access = "***";
        if (strpos($grps, "*** Group") !== false) $access = "***";
        if (strpos($grps, "***") !== false) $access = "***";
    }
    if ($access != NULL) {
        // establish session variables
        $_SESSION['user'] = $username;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        $_SESSION['email'] = isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : '';
        return true;
    } else {
        //echo "No rights?";
        // user has no rights
        return false;
    }
} else {
    //header("Location: login.php?Error=Invalid Identity");
    echo "Elese Here";
}
?>
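The following is an added example, not part of the question or the asker's code, showing a membership check that covers the two cases the question's memberOf loop cannot see. It relies on two Active Directory facts that are not stated on the page: a user's primary group (Domain Users by default, RID 513) is recorded in the user's primaryGroupID attribute and is never listed in memberOf, and the extensible matching rule with OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes a memberOf filter match nested membership. The function names, the group and base DNs, and the assumption that `$ldap` is an already bound connection (for instance a read-only lookup account rather than the user's own bind) are all mine; the SID in the self-check is constructed for the example.

```php
<?php
// Added example (not the question's code): AD group membership check with
// PHP's ldap extension, covering nested groups and the primary group.
// Assumed: $ldap is an already bound connection; DNs are placeholders.
// AD facts relied on: primary group lives in primaryGroupID, not memberOf;
// OID 1.2.840.113556.1.4.1941 evaluates memberOf transitively.
const LDAP_MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941';

/** RID of a binary objectSid: its last sub-authority, a 32-bit little-endian int. */
function ridFromSid(string $binarySid): int
{
    if (strlen($binarySid) < 12) {            // 8-byte header + one sub-authority
        throw new InvalidArgumentException('SID too short');
    }
    return unpack('V', substr($binarySid, -4))[1];
}

/** Filter matching $username only if it is a direct or nested member of $groupDn. */
function nestedMemberFilter(string $username, string $groupDn): string
{
    // both values are escaped so * ( ) \ in user input cannot rewrite the filter
    $user  = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $group = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    return "(&(objectClass=user)(sAMAccountName={$user})"
         . "(memberOf:" . LDAP_MATCHING_RULE_IN_CHAIN . ":={$group}))";
}

/**
 * True when $username is in $groupDn directly, through nested groups, or
 * because $groupDn is the account's primary group.
 */
function userIsInGroup($ldap, string $baseDn, string $username, string $groupDn): bool
{
    // 1) direct and nested membership in a single query
    $res = ldap_search($ldap, $baseDn, nestedMemberFilter($username, $groupDn), ['dn']);
    if ($res !== false && ldap_count_entries($ldap, $res) > 0) {
        return true;
    }

    // 2) primary group: compare the user's primaryGroupID with the group's RID
    $userFilter = '(&(objectClass=user)(sAMAccountName='
                . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $res  = ldap_search($ldap, $baseDn, $userFilter, ['primarygroupid']);
    $user = $res !== false ? ldap_get_entries($ldap, $res) : ['count' => 0];
    if ($user['count'] < 1 || !isset($user[0]['primarygroupid'][0])) {
        return false;
    }
    // read the group object itself (base scope) to get its objectSid
    $res   = ldap_read($ldap, $groupDn, '(objectClass=group)', ['objectsid']);
    $group = $res !== false ? ldap_get_entries($ldap, $res) : ['count' => 0];
    if ($group['count'] < 1 || !isset($group[0]['objectsid'][0])) {
        return false;
    }
    return (int) $user[0]['primarygroupid'][0] === ridFromSid($group[0]['objectsid'][0]);
}

/** Offline self-check on the pure parts, using a constructed SID S-1-5-21-1-2-3-513. */
function selfCheck(): bool
{
    $sid = "\x01\x05"                      // revision 1, five sub-authorities
         . "\x00\x00\x00\x00\x00\x05"      // identifier authority 5 (NT)
         . pack('V5', 21, 1, 2, 3, 513);   // sub-authorities, 513 = Domain Users
    $expected = '(&(objectClass=user)(sAMAccountName=j\2adoe)'
              . '(memberOf:1.2.840.113556.1.4.1941:=CN=Site Admins,OU=Groups,DC=example,DC=local))';
    return ridFromSid($sid) === 513
        && nestedMemberFilter('j*doe', 'CN=Site Admins,OU=Groups,DC=example,DC=local') === $expected;
}

if (PHP_SAPI === 'cli') {
    var_dump(selfCheck());   // the LDAP-backed function needs a live, bound connection
}
```

With a bound connection the call is `userIsInGroup($ldap, 'DC=example,DC=local', $username, 'CN=Site Admins,OU=Groups,DC=example,DC=local')`, and the result is a single boolean per group rather than a substring match over every memberOf value, so access is decided by the group's full DN instead of by any group name that happens to contain the text.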