feat: use a service account to permit read only checks like for auth

controllers/add_user.php

@@ -30,7 +30,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
     ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
 
-    $ldap_user = "CN=" . $_SESSION['user_pseudo'] . ",CN=Users,DC=epul3a,DC=local";
+    $ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
 
     if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
         die("Could not bind to LDAP server: " . ldap_error($ldapconn));

controllers/auth.php

@@ -13,15 +13,15 @@ class AuthController
 
     public function login()
     {
-        if (isset($_POST['user_pseudo']) && isset($_POST['user_password'])) {
+        if (isset($_POST['sAMAccountName']) && isset($_POST['user_password'])) {
             $result = $this->auth_model->authenticate(
-                $_POST['user_pseudo'],
+                $_POST['sAMAccountName'],
                 $_POST['user_password']
             );
 
             if ($result['success']) {
                 $_SESSION['login'] = true;
-                $_SESSION['user_pseudo'] = $_POST['user_pseudo'];
+                $_SESSION['sAMAccountName'] = $_POST['sAMAccountName'];
                 $_SESSION['is_admin'] = $result['is_admin'];
                 $_SESSION['password'] = $_POST['user_password'];
                 header('Location: /index.php');

controllers/controllerAdmin.php

@@ -5,7 +5,7 @@ function listAllOU()
         session_start();
     }
 
-    if (!isset($_SESSION['user_pseudo'])) {
+    if (!isset($_SESSION['sAMAccountName'])) {
         die("Nom utilisateur manquant. Veuillez vous reconnecter.");
     }
 
@@ -15,7 +15,7 @@ function listAllOU()
     ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
     ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
 
-    $ldap_user = "CN=" . $_SESSION['user_pseudo'] . ",CN=Users,DC=epul3a,DC=local";
+    $ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
 
     if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
         die("Could not bind to LDAP server: " . ldap_error($ldapconn));
@@ -57,7 +57,7 @@ function listAllUsers()
     ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
     ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
 
-    $ldap_user = "CN=" . $_SESSION['user_pseudo'] . ",CN=Users,DC=epul3a,DC=local";
+    $ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
 
     if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
         die("Could not bind to LDAP server: " . ldap_error($ldapconn));
@@ -90,3 +90,47 @@ function listAllUsers()
     ldap_close($ldapconn);
     return $users; // Retourner le tableau des utilisateurs
 }
+
+function getUserOU($username)
+{
+    if (session_status() == PHP_SESSION_NONE) {
+        session_start();
+    }
+
+    $ldapServer = "ldap://intranet.epul3a.local";
+    $ldapUser = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
+    $ldapPassword = $_SESSION['password'];
+
+    $ldapconn = ldap_connect($ldapServer) or die("Could not connect to LDAP server.");
+    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
+    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
+
+    if (!@ldap_bind($ldapconn, $ldapUser, $ldapPassword)) {
+        die("Could not bind to LDAP server: " . ldap_error($ldapconn));
+    }
+
+    $searchBase = "DC=epul3a,DC=local";
+    $filter = "(sAMAccountName=$username)";
+    $attributes = ["distinguishedName"];
+
+    $result = @ldap_search($ldapconn, $searchBase, $filter, $attributes);
+
+    if ($result) {
+        $entries = ldap_get_entries($ldapconn, $result);
+        if ($entries['count'] > 0) {
+            $dn = $entries[0]['distinguishedname'][0];
+
+            // Extraire l'OU du DN
+            preg_match('/OU=([^,]+)/', $dn, $matches);
+            $ou = isset($matches[1]) ? $matches[1] : null;
+
+            ldap_close($ldapconn);
+            return $ou;
+        }
+    } else {
+        echo "Error: " . ldap_error($ldapconn);
+    }
+
+    ldap_close($ldapconn);
+    return null;
+}

models/LDAPAuth.php

@@ -2,45 +2,61 @@
 class LDAPAuth
 {
     private $ldap_server;
-    private $domain;
-    private $FISA;
-    private $admin;
+    private $service_dn;
+    private $service_pwd;
     private $ad;
 
     public function __construct()
     {
         $this->ldap_server = 'ldap://intranet.epul3a.local';
-        $this->domain = 'intranet.epul3a.local';
-        $this->FISA = 'OU=3AFISA,DC=epul3a,DC=local';
-        $this->admin = 'CN=Users,DC=epul3a,DC=local';
+        $this->service_dn = 'CN=Service LDAP Reader,CN=Users,DC=epul3a,DC=local';
+        $this->service_pwd = 'Test@123';
     }
 
     public function connect()
     {
         $this->ad = ldap_connect($this->ldap_server)
-            or die("Impossible de se connecter au LDAP");
+            or die("❌ Impossible de se connecter au LDAP");
+
         ldap_set_option($this->ad, LDAP_OPT_PROTOCOL_VERSION, 3);
         ldap_set_option($this->ad, LDAP_OPT_REFERRALS, 0);
     }
 
-    public function authenticate($user_pseudo, $user_password)
+    public function getUserDN($sAMAccountName)
     {
         $this->connect();
 
-        $ldap_user_3afisa = "CN=$user_pseudo,$this->FISA";
-        $ldap_user_admin = "CN=$user_pseudo,$this->admin";
-
-        $bind_3afisa = @ldap_bind($this->ad, $ldap_user_3afisa, $user_password);
-        $bind_admin = false;
-
-        if (!$bind_3afisa) {
-            $bind_admin = @ldap_bind($this->ad, $ldap_user_admin, $user_password);
+        // Connexion avec le compte service
+        if (!@ldap_bind($this->ad, $this->service_dn, $this->service_pwd)) {
+            die("❌ Erreur de connexion avec svc_ldap_read : " . ldap_error($this->ad));
         }
 
-        if ($bind_3afisa || $bind_admin) {
-            return ['success' => true, 'is_admin' => $bind_admin];
+        // 🔥 Utilisation correcte du sAMAccountName (alias de connexion)
+        $search_base = "DC=epul3a,DC=local";
+        $search_filter = "(sAMAccountName=$sAMAccountName)";  // 🔥 Remplace ici
+        $search_result = ldap_search($this->ad, $search_base, $search_filter);
+        $entries = ldap_get_entries($this->ad, $search_result);
+
+        if ($entries["count"] > 0) {
+            return $entries[0]["dn"];  // ✅ Retourne le DN correct
         }
-        return ['success' => false];
+
+        return false;  // ❌ Utilisateur non trouvé
+    }
+
+    public function authenticate($sAMAccountName, $user_password)
+    {
+        $user_dn = $this->getUserDN($sAMAccountName);
+        if (!$user_dn) {
+            return ['success' => false, 'message' => 'Utilisateur introuvable'];
+        }
+
+        // Tentative de connexion avec le DN récupéré
+        if (@ldap_bind($this->ad, $user_dn, $user_password)) {
+            return ['success' => true, 'dn' => $user_dn];
+        }
+
+        return ['success' => false, 'message' => 'Échec d\'authentification'];
     }
 
     public function close()

test.php

@@ -1,13 +1,31 @@
 <?php
-$ldapconn = ldap_connect("ldap://intranet.epul3a.local");
+$ldap_server = 'ldap://intranet.epul3a.local';
+$service_dn = "CN=Service LDAP Reader,CN=Users,DC=epul3a,DC=local";
+
+
+$service_pwd = "Test@123";
+
+$ldapconn = ldap_connect($ldap_server);
 ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
 ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
 
-$user_dn = "CN=Ali Gathor,OU=3AFISA,DC=epul3a,DC=local";
-$password = "Test@123";  // Remplace avec un vrai mot de passe de test
-
-if (@ldap_bind($ldapconn, $user_dn, $password)) {
-    echo "✅ Connexion réussie !";
+if (@ldap_bind($ldapconn, $service_dn, $service_pwd)) {
+    echo "✅ Connexion réussie avec svc_ldap_read !";
 } else {
     echo "❌ Erreur de connexion : " . ldap_error($ldapconn);
 }
+
+ldap_close($ldapconn);
+
+// === TEST ===
+require_once __DIR__ . '/models/LDAPAuth.php';
+$ldap = new LDAPAuth();
+$result = $ldap->authenticate("a.gathor", "Test@123");
+
+if ($result['success']) {
+    echo "✅ Authentification réussie pour " . $result['dn'];
+} else {
+    echo "❌ " . $result['message'];
+}
+
+$ldap->close();

views/auth.php

@@ -9,8 +9,8 @@
 
 <body>
     <form method="post" action="index.php?action=login">
-        <label for="user_pseudo">Votre identifiant:</label>
-        <input type="text" id="user_pseudo" name="user_pseudo" required><br>
+        <label for="sAMAccountName">Votre identifiant (sAMAccountName):</label>
+        <input type="text" id="sAMAccountName" name="sAMAccountName" required><br>
 
         <label for="user_password">Votre mot de passe:</label>
         <input type="password" id="user_password" name="user_password" required><br>

views/delete_user.php

@@ -34,7 +34,7 @@ function deleteUser($user_dn)
     ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
     ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
 
-    $ldap_user = "CN=" . $_SESSION['user_pseudo'] . ",CN=Users,DC=epul3a,DC=local";
+    $ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
 
     if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
         die("Could not bind to LDAP server: " . ldap_error($ldapconn));

views/menu.php

@@ -7,9 +7,9 @@ if (!isset($_SESSION["login"]) || $_SESSION["login"] !== true) {
 require_once __DIR__ . '/../controllers/controllerAdmin.php';
 
 // Récupérer les infos de l'utilisateur
-// $user_info = getUserByPseudo($_SESSION["user_pseudo"]);
+// $user_info = getUserByPseudo($_SESSION["sAMAccountName"]);
 
-echo "Bienvenue " . $_SESSION["user_pseudo"] . "!";
+echo "Bienvenue " . $_SESSION["sAMAccountName"] . "!";
 
 // Affichage du menu
 echo "<h2>Menu</h2>";
@@ -20,6 +20,13 @@ if ($_SESSION["is_admin"]) {
 }
 echo "</ul>";
 
+echo $_SESSION["sAMAccountName"];
+echo $_SESSION["password"];
+
+
+$ou = getUserOU($_SESSION['sAMAccountName']);
+echo "L'OU de l'utilisateur est : " . ($ou ? $ou : "Non trouvé");
+
 // Bouton de déconnexion
 echo "<form method='post' action='../controllers/logout.php'>";
 echo "<input type='submit' value='Déconnexion'>";