Getting the user's Full Name from Active Direc

2020-07-27 19:38发布

站内文章 / PHP
144 0 0

问题:

I have a login page that uses PHP/LDAP for my users to access a company website. Below, I created a statement that stores the user's AD group membership in a variable, to be used later to redirect depending what membership the user has in AD>

Now, I would now like to also add the ability to get the user's full name from Active Directory, and store this for later use. How can I modify my statement below to store the user's full name from Active Directory into another variable? Any ideas??

// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
    // valid
    // check presence in groups
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
  /* I would like to get and store the user's display name here somehow */
    ldap_unbind($ldap);

    // check groups
    foreach($entries[0]['memberof'] as $grps) {
        // is manager, break loop
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }

        // is user
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        // establish session variables
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        return true;
    } else {
        // user has no rights
        return false;
    }

} else {
    // invalid name or password
    return false;

Thanks in advance for any help/suggestions!

EDIT

Here is now my full PHP page with dummy domain stuff, but I'm getting a syntax error and I can the problem :( and help or idea? Thanks Alex for the initial help !

    <?php
function authenticate($user, $password) {
    // Active Directory server
    $ldap_host = "my FQDC DC";

    // Active Directory DN
    $ldap_dn = "DC=something,DC=something";

    // Active Directory user group
    $ldap_user_group = "WebUsers";

    // Active Directory manager group
    $ldap_manager_group = "WebManagers";

    // Domain, for purposes of constructing $user
    $ldap_usr_dom = "@mycompany.com";

// connect to active directory
$ldap = ldap_connect($ldap_host);
// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
// valid
// check presence in groups
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof","givenname");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    $givenname = $entries[0]['givenname'];
    ldap_unbind($ldap);

    // check groups
    foreach($entries[0]['memberof'] as $grps) {
        // is manager, break loop
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }

        // is user
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        // establish session variables
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        return true;
    } else {
        // user has no rights
        return false;
    }

} else {
    // invalid name or password
    return false;
}

?>

回答1:

Try this:

// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
    // valid
    // check presence in groups
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof","givenname");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    $givenname = $entries[0]['givenname'][0];
    ldap_unbind($ldap);

    // check groups
    foreach($entries[0]['memberof'] as $grps) {
        // is manager, break loop
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }

        // is user
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        // establish session variables
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        return true;
    } else {
        // user has no rights
        return false;
    }

} else {
    // invalid name or password
    return false;
}


回答2:

Hope this helps. When you read from ldap you can see fields and map them to some session variable. 

$connect = @ldap_connect(LDAP_ADDRESS);
    if (!$connect) return FALSE;

    $bind = @ldap_bind($connect);
    if (!$bind) return FALSE;

    if ($resource = @ldap_search($connect,"dc=<yourdc>,dc=<yourdc>","uid=$user")) {

        if (@ldap_count_entries($connect,$resource) == 1) {

            if ($entry = @ldap_first_entry($connect,$resource)) {

                if ($user_dn = @ldap_get_dn($connect,$entry)) {

                    if ($link = @ldap_bind($connect,$user_dn,$password)) {

                        $_SESSION['user'] = $user;

                    }
                }
            }
        }
    }

    @ldap_close($connect);


回答3:

Bumping an old thread. I needed to get given name and surname and added 'sn' to the attributes and added to the session variables for later reference in another script like this:

How I access the session variables in other scripts:

$givenname = $_SESSION['givenname'];
$surname = $_SESSION['sn'];
$name = "{$givenname} {$surname}";

Update to previous authenticate script:

// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
    // valid
    // check presence in groups
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof","givenname","sn");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    $givenname = $entries[0]['givenname'][0];
    $surname = $entries[0]['sn'][0];
    ldap_unbind($ldap);

    // check groups
    foreach($entries[0]['memberof'] as $grps) {
        // is manager, break loop
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }

        // is user
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        // establish session variables
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        $_SESSION['sn'] = $surname;
        return true;
    } else {
        // user has no rights
        return false;
    }

} else {
    // invalid name or password
    return false;
}


标签: php active-directory
举报

收藏的人(0)

Ta的文章 更多文章
登录 后发表评论
0条评论
还没有人评论过~