我正在尝试为Intranet用户创建简单的登录页面以登录并获得有用链接的网页。登录使用PHP和LDAP身份验证登录,但失败。
authenticate.php文件验证其登录并验证它们是AD中安全组的成员以获得访问权限。下面是我的index.php文件,它提示用户输入域名用户名和密码:
的index.php
<?php
include("authenticate.php");
// check to see if user is logging out
if(isset($_GET['out'])) {
// destroy session
session_unset();
$_SESSION = array();
unset($_SESSION['user'],$_SESSION['access']);
session_destroy();
}
// check to see if login form has been submitted
if(isset($_POST['userLogin'])){
// run information through authenticator
if(authenticate($_POST['userLogin'],$_POST['userPassword']))
{
// authentication passed
header("Location: userpage.php");
echo "Pass";
echo $_POST['userLogin'];
} else {
// authentication failed
$error = 1;
}
}
echo "$error";
// output error to user
if($error) echo "Login failed: Incorrect user name, password, or rights<br /-->";
// output logout success
if(isset($_GET['out'])) echo "Logout successful";
?>
<html>
<form action="index.php" method="post">
User: <input type="text" name="userLogin" /><br />
Password: <input type="password" name="userPassword" />
<input type="submit" name="submit" value="Submit" />
</form>
</html>
这是我的authenticate.php文件,用于验证用户登录:
authenticate.php (出于安全目的移除了变量。)
<?php
session_start();
function authenticate($user, $password) {
// Active Directory server
$ldap_host = "FQDN of Domain Controller";
// Active Directory DN
$ldap_dn = "OU=Name of OU w/ Groups,DC=something,DC=something";
// Active Directory user group
$ldap_user_group = "Usergroup";
// Active Directory manager group
$ldap_manager_group = "Managergroup";
// Domain, for purposes of constructing $user
$ldap_usr_dom = "@some.thing";
// connect to active directory
$ldap = ldap_connect($ldap_host);
// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
// valid
// check presence in groups
$filter = "(sAMAccountName=" . $user . ")";
$attr = array("memberof","givenname");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldap, $result);
$givenname = $entries[0]['givenname'];
ldap_unbind($ldap);
// check groups
foreach($entries[0]['memberof'] as $grps) {
// is manager, break loop
if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }
// is user
if (strpos($grps, $ldap_user_group)) $access = 1;
}
if ($access != 0) {
// establish session variables
$_SESSION['user'] = $user;
$_SESSION['access'] = $access;
$_SESSION['givenname'] = $givenname;
return true;
} else {
// user has no rights
return false;
}
} else {
// invalid name or password
return false;
}
}
?>
当我尝试登录时,我总是收到此错误:
1Loginfailed:用户名,密码或权限不正确
我尝试回显ldap_get_entries()函数的结果,并返回以下内容:
entries = Array ( [0] =&gt; 0 )
关于我在哪里出错的任何想法?任何帮助都非常感谢,并提前感谢!
答案 0 :(得分:0)
如果这是您的实际文件,问题是:
// Active Directory server
$ldap_host = "FQDN of Domain Controller";
// Active Directory DN
$ldap_dn = "OU=Name of OU w/ Groups,DC=something,DC=something";
// Active Directory user group
$ldap_user_group = "Usergroup";
// Active Directory manager group
$ldap_manager_group = "Managergroup";
// Domain, for purposes of constructing $user
$ldap_usr_dom = "@some.thing";
您应该为这些变量分配正确的值。
答案 1 :(得分:0)
这是有效用户到活动目录的简单php ldap连接。
BIND之前:
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);版本3与活动目录通信,
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);关闭推荐处理。
<?php
error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);
ini_set('display_errors',1);
$domain = 'testdomain.com';
$username = 'Administrator';
$password = 'Admin@1234';
$ldapconfig['host'] = '192.168.1.189';
$ldapconfig['port'] = 389;
$ldapconfig['basedn'] = 'DC=testdomain,DC=com';
$ds=ldap_connect($ldapconfig['host'], $ldapconfig['port']);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$dn=$ldapconfig['basedn'];
$bind=ldap_bind($ds, $username .'@' .$domain, $password);
$attr = array("memberof","givenname");
$isITuser = ldap_search($ds,$dn,"(sAMAccountName=" . $username. ")" ,$attr);
$data = ldap_get_entries($ds,$isITuser);
echo $data['count']." entry found ";
echo "<pre>";
print_r($data);
if ($isITuser) {
echo("Login correct");
} else {
echo("Login incorrect");
}
?>