Morph01/PHP-LDAP
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: use a service account to permit read only checks like for auth

Browse Source
This commit is contained in:
Morph01
2025-02-04 11:51:42 -08:00
parent 986b72a2cb
commit 0b83f35f1b
8 changed files with 122 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
controllers/add_user.php
View File

@@ -30,7 +30,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ldap_user = "CN=" . $_SESSION['user_pseudo'] . ",CN=Users,DC=epul3a,DC=local"; $ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) { if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
die("Could not bind to LDAP server: " . ldap_error($ldapconn)); die("Could not bind to LDAP server: " . ldap_error($ldapconn));

6
controllers/auth.php
View File

@@ -13,15 +13,15 @@ class AuthController
public function login() public function login()
{ {
if (isset($_POST['user_pseudo']) && isset($_POST['user_password'])) { if (isset($_POST['sAMAccountName']) && isset($_POST['user_password'])) {
$result = $this->auth_model->authenticate( $result = $this->auth_model->authenticate(
$_POST['user_pseudo'], $_POST['sAMAccountName'],
$_POST['user_password'] $_POST['user_password']
); );
if ($result['success']) { if ($result['success']) {
$_SESSION['login'] = true; $_SESSION['login'] = true;
$_SESSION['user_pseudo'] = $_POST['user_pseudo']; $_SESSION['sAMAccountName'] = $_POST['sAMAccountName'];
$_SESSION['is_admin'] = $result['is_admin']; $_SESSION['is_admin'] = $result['is_admin'];
$_SESSION['password'] = $_POST['user_password']; $_SESSION['password'] = $_POST['user_password'];
header('Location: /index.php'); header('Location: /index.php');

50
controllers/controllerAdmin.php
View File

@@ -5,7 +5,7 @@ function listAllOU()
session_start(); session_start();
} }
if (!isset($_SESSION['user_pseudo'])) { if (!isset($_SESSION['sAMAccountName'])) {
die("Nom utilisateur manquant. Veuillez vous reconnecter."); die("Nom utilisateur manquant. Veuillez vous reconnecter.");
} }
@@ -15,7 +15,7 @@ function listAllOU()
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ldap_user = "CN=" . $_SESSION['user_pseudo'] . ",CN=Users,DC=epul3a,DC=local"; $ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) { if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
die("Could not bind to LDAP server: " . ldap_error($ldapconn)); die("Could not bind to LDAP server: " . ldap_error($ldapconn));
@@ -57,7 +57,7 @@ function listAllUsers()
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ldap_user = "CN=" . $_SESSION['user_pseudo'] . ",CN=Users,DC=epul3a,DC=local"; $ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) { if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
die("Could not bind to LDAP server: " . ldap_error($ldapconn)); die("Could not bind to LDAP server: " . ldap_error($ldapconn));
@@ -90,3 +90,47 @@ function listAllUsers()
ldap_close($ldapconn); ldap_close($ldapconn);
return $users; // Retourner le tableau des utilisateurs return $users; // Retourner le tableau des utilisateurs
} }
function getUserOU($username)
{
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
$ldapServer = "ldap://intranet.epul3a.local";
$ldapUser = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
$ldapPassword = $_SESSION['password'];
$ldapconn = ldap_connect($ldapServer) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if (!@ldap_bind($ldapconn, $ldapUser, $ldapPassword)) {
die("Could not bind to LDAP server: " . ldap_error($ldapconn));
}
$searchBase = "DC=epul3a,DC=local";
$filter = "(sAMAccountName=$username)";
$attributes = ["distinguishedName"];
$result = @ldap_search($ldapconn, $searchBase, $filter, $attributes);
if ($result) {
$entries = ldap_get_entries($ldapconn, $result);
if ($entries['count'] > 0) {
$dn = $entries[0]['distinguishedname'][0];
// Extraire l'OU du DN
preg_match('/OU=([^,]+)/', $dn, $matches);
$ou = isset($matches[1]) ? $matches[1] : null;
ldap_close($ldapconn);
return $ou;
}
} else {
echo "Error: " . ldap_error($ldapconn);
}
ldap_close($ldapconn);
return null;
}

54
models/LDAPAuth.php
View File

@@ -2,45 +2,61 @@
class LDAPAuth class LDAPAuth
{ {
private $ldap_server; private $ldap_server;
private $domain; private $service_dn;
private $FISA; private $service_pwd;
private $admin;
private $ad; private $ad;
public function __construct() public function __construct()
{ {
$this->ldap_server = 'ldap://intranet.epul3a.local'; $this->ldap_server = 'ldap://intranet.epul3a.local';
$this->domain = 'intranet.epul3a.local'; $this->service_dn = 'CN=Service LDAP Reader,CN=Users,DC=epul3a,DC=local';
$this->FISA = 'OU=3AFISA,DC=epul3a,DC=local'; $this->service_pwd = 'Test@123';
$this->admin = 'CN=Users,DC=epul3a,DC=local';
} }
public function connect() public function connect()
{ {
$this->ad = ldap_connect($this->ldap_server) $this->ad = ldap_connect($this->ldap_server)
or die("Impossible de se connecter au LDAP"); or die("Impossible de se connecter au LDAP");
ldap_set_option($this->ad, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($this->ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($this->ad, LDAP_OPT_REFERRALS, 0); ldap_set_option($this->ad, LDAP_OPT_REFERRALS, 0);
} }
public function authenticate($user_pseudo, $user_password) public function getUserDN($sAMAccountName)
{ {
$this->connect(); $this->connect();
$ldap_user_3afisa = "CN=$user_pseudo,$this->FISA"; // Connexion avec le compte service
$ldap_user_admin = "CN=$user_pseudo,$this->admin"; if (!@ldap_bind($this->ad, $this->service_dn, $this->service_pwd)) {
die("❌ Erreur de connexion avec svc_ldap_read : " . ldap_error($this->ad));
$bind_3afisa = @ldap_bind($this->ad, $ldap_user_3afisa, $user_password);
$bind_admin = false;
if (!$bind_3afisa) {
$bind_admin = @ldap_bind($this->ad, $ldap_user_admin, $user_password);
} }
if ($bind_3afisa || $bind_admin) { // 🔥 Utilisation correcte du sAMAccountName (alias de connexion)
return ['success' => true, 'is_admin' => $bind_admin]; $search_base = "DC=epul3a,DC=local";
$search_filter = "(sAMAccountName=$sAMAccountName)"; // 🔥 Remplace ici
$search_result = ldap_search($this->ad, $search_base, $search_filter);
$entries = ldap_get_entries($this->ad, $search_result);
if ($entries["count"] > 0) {
return $entries[0]["dn"]; // ✅ Retourne le DN correct
} }
return ['success' => false];
return false; // ❌ Utilisateur non trouvé
}
public function authenticate($sAMAccountName, $user_password)
{
$user_dn = $this->getUserDN($sAMAccountName);
if (!$user_dn) {
return ['success' => false, 'message' => 'Utilisateur introuvable'];
}
// Tentative de connexion avec le DN récupéré
if (@ldap_bind($this->ad, $user_dn, $user_password)) {
return ['success' => true, 'dn' => $user_dn];
}
return ['success' => false, 'message' => 'Échec d\'authentification'];
} }
public function close() public function close()

30
test.php
View File

@@ -1,13 +1,31 @@
<?php <?php
$ldapconn = ldap_connect("ldap://intranet.epul3a.local"); $ldap_server = 'ldap://intranet.epul3a.local';
$service_dn = "CN=Service LDAP Reader,CN=Users,DC=epul3a,DC=local";
$service_pwd = "Test@123";
$ldapconn = ldap_connect($ldap_server);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$user_dn = "CN=Ali Gathor,OU=3AFISA,DC=epul3a,DC=local"; if (@ldap_bind($ldapconn, $service_dn, $service_pwd)) {
$password = "Test@123"; // Remplace avec un vrai mot de passe de test echo "✅ Connexion réussie avec svc_ldap_read !";
if (@ldap_bind($ldapconn, $user_dn, $password)) {
echo "✅ Connexion réussie !";
} else { } else {
echo "❌ Erreur de connexion : " . ldap_error($ldapconn); echo "❌ Erreur de connexion : " . ldap_error($ldapconn);
} }
ldap_close($ldapconn);
// === TEST ===
require_once __DIR__ . '/models/LDAPAuth.php';
$ldap = new LDAPAuth();
$result = $ldap->authenticate("a.gathor", "Test@123");
if ($result['success']) {
echo "✅ Authentification réussie pour " . $result['dn'];
} else {
echo "" . $result['message'];
}
$ldap->close();

4
views/auth.php
View File

@@ -9,8 +9,8 @@
<body> <body>
<form method="post" action="index.php?action=login"> <form method="post" action="index.php?action=login">
<label for="user_pseudo">Votre identifiant:</label> <label for="sAMAccountName">Votre identifiant (sAMAccountName):</label>
<input type="text" id="user_pseudo" name="user_pseudo" required><br> <input type="text" id="sAMAccountName" name="sAMAccountName" required><br>
<label for="user_password">Votre mot de passe:</label> <label for="user_password">Votre mot de passe:</label>
<input type="password" id="user_password" name="user_password" required><br> <input type="password" id="user_password" name="user_password" required><br>

2
views/delete_user.php
View File

@@ -34,7 +34,7 @@ function deleteUser($user_dn)
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ldap_user = "CN=" . $_SESSION['user_pseudo'] . ",CN=Users,DC=epul3a,DC=local"; $ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) { if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
die("Could not bind to LDAP server: " . ldap_error($ldapconn)); die("Could not bind to LDAP server: " . ldap_error($ldapconn));

11
views/menu.php
View File

@@ -7,9 +7,9 @@ if (!isset($_SESSION["login"]) || $_SESSION["login"] !== true) {
require_once __DIR__ . '/../controllers/controllerAdmin.php'; require_once __DIR__ . '/../controllers/controllerAdmin.php';
// Récupérer les infos de l'utilisateur // Récupérer les infos de l'utilisateur
// $user_info = getUserByPseudo($_SESSION["user_pseudo"]); // $user_info = getUserByPseudo($_SESSION["sAMAccountName"]);
echo "Bienvenue " . $_SESSION["user_pseudo"] . "!"; echo "Bienvenue " . $_SESSION["sAMAccountName"] . "!";
// Affichage du menu // Affichage du menu
echo "<h2>Menu</h2>"; echo "<h2>Menu</h2>";
@@ -20,6 +20,13 @@ if ($_SESSION["is_admin"]) {
} }
echo "</ul>"; echo "</ul>";
echo $_SESSION["sAMAccountName"];
echo $_SESSION["password"];
$ou = getUserOU($_SESSION['sAMAccountName']);
echo "L'OU de l'utilisateur est : " . ($ou ? $ou : "Non trouvé");
// Bouton de déconnexion // Bouton de déconnexion
echo "<form method='post' action='../controllers/logout.php'>"; echo "<form method='post' action='../controllers/logout.php'>";
echo "<input type='submit' value='Déconnexion'>"; echo "<input type='submit' value='Déconnexion'>";