feat: use a service account to permit read only checks like for auth
This commit is contained in:
Morph01
@@ -2,45 +2,61 @@
|
||||
class LDAPAuth
|
||||
{
|
||||
private $ldap_server;
|
||||
private $domain;
|
||||
private $FISA;
|
||||
private $admin;
|
||||
private $service_dn;
|
||||
private $service_pwd;
|
||||
private $ad;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->ldap_server = 'ldap://intranet.epul3a.local';
|
||||
$this->domain = 'intranet.epul3a.local';
|
||||
$this->FISA = 'OU=3AFISA,DC=epul3a,DC=local';
|
||||
$this->admin = 'CN=Users,DC=epul3a,DC=local';
|
||||
$this->service_dn = 'CN=Service LDAP Reader,CN=Users,DC=epul3a,DC=local';
|
||||
$this->service_pwd = 'Test@123';
|
||||
}
|
||||
|
||||
public function connect()
|
||||
{
|
||||
$this->ad = ldap_connect($this->ldap_server)
|
||||
or die("Impossible de se connecter au LDAP");
|
||||
or die("❌ Impossible de se connecter au LDAP");
|
||||
|
||||
ldap_set_option($this->ad, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||
ldap_set_option($this->ad, LDAP_OPT_REFERRALS, 0);
|
||||
}
|
||||
|
||||
public function authenticate($user_pseudo, $user_password)
|
||||
public function getUserDN($sAMAccountName)
|
||||
{
|
||||
$this->connect();
|
||||
|
||||
$ldap_user_3afisa = "CN=$user_pseudo,$this->FISA";
|
||||
$ldap_user_admin = "CN=$user_pseudo,$this->admin";
|
||||
|
||||
$bind_3afisa = @ldap_bind($this->ad, $ldap_user_3afisa, $user_password);
|
||||
$bind_admin = false;
|
||||
|
||||
if (!$bind_3afisa) {
|
||||
$bind_admin = @ldap_bind($this->ad, $ldap_user_admin, $user_password);
|
||||
// Connexion avec le compte service
|
||||
if (!@ldap_bind($this->ad, $this->service_dn, $this->service_pwd)) {
|
||||
die("❌ Erreur de connexion avec svc_ldap_read : " . ldap_error($this->ad));
|
||||
}
|
||||
|
||||
if ($bind_3afisa || $bind_admin) {
|
||||
return ['success' => true, 'is_admin' => $bind_admin];
|
||||
// 🔥 Utilisation correcte du sAMAccountName (alias de connexion)
|
||||
$search_base = "DC=epul3a,DC=local";
|
||||
$search_filter = "(sAMAccountName=$sAMAccountName)"; // 🔥 Remplace ici
|
||||
$search_result = ldap_search($this->ad, $search_base, $search_filter);
|
||||
$entries = ldap_get_entries($this->ad, $search_result);
|
||||
|
||||
if ($entries["count"] > 0) {
|
||||
return $entries[0]["dn"]; // ✅ Retourne le DN correct
|
||||
}
|
||||
return ['success' => false];
|
||||
|
||||
return false; // ❌ Utilisateur non trouvé
|
||||
}
|
||||
|
||||
public function authenticate($sAMAccountName, $user_password)
|
||||
{
|
||||
$user_dn = $this->getUserDN($sAMAccountName);
|
||||
if (!$user_dn) {
|
||||
return ['success' => false, 'message' => 'Utilisateur introuvable'];
|
||||
}
|
||||
|
||||
// Tentative de connexion avec le DN récupéré
|
||||
if (@ldap_bind($this->ad, $user_dn, $user_password)) {
|
||||
return ['success' => true, 'dn' => $user_dn];
|
||||
}
|
||||
|
||||
return ['success' => false, 'message' => 'Échec d\'authentification'];
|
||||
}
|
||||
|
||||
public function close()
|
||||
|
||||
Reference in New Issue
Block a user