From 3b1e132010740fbbdf644a874cbdc6b4d6526160 Mon Sep 17 00:00:00 2001
From: Morph01
Date: Tue, 4 Feb 2025 13:14:38 -0800
Subject: [PATCH] feat: enhance admin session management and display accessible OUs in menu
---
controllers/auth.php | 2 +-
controllers/controllerAdmin.php | 134 ++------------------------
models/LDAPAuth.php | 159 +++++++++++++++++++++++++++++++-
views/menu.php | 21 ++++-
4 files changed, 184 insertions(+), 132 deletions(-)
diff --git a/controllers/auth.php b/controllers/auth.php
index 97d4d5b..213f7ff 100644
--- a/controllers/auth.php
+++ b/controllers/auth.php
@@ -1,5 +1,4 @@ 0) { - foreach ($entries as $key => $entry) { - if (is_numeric($key)) { - $ous[] = $entry; // Ajouter chaque OU au tableau - } - } - } - } else { - echo "Error: " . ldap_error($ldapconn); - } - - ldap_close($ldapconn); - return $ous; // Retourner le tableau des OUs + $ldapAuth = new LDAPAuth(); + return $ldapAuth->listAllOU(); } function listAllUsers() { - if (session_status() == PHP_SESSION_NONE) { - session_start(); - } - - $ldapconn = ldap_connect("ldap://intranet.epul3a.local") - or die("Could not connect to LDAP server."); - - ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); - ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); - - $ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local"; - - if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) { - die("Could not bind to LDAP server: " . ldap_error($ldapconn)); - } - - $searchBase = "DC=epul3a,DC=local"; - $filter = "(objectClass=user)"; - $attributes = array("cn", "sn", "givenName", "mail", "distinguishedName"); - - $result = @ldap_search($ldapconn, $searchBase, $filter, $attributes); - - $users = []; - if ($result) { - $entries = ldap_get_entries($ldapconn, $result); - if ($entries['count'] > 0) { - foreach ($entries as $key => $entry) { - if (is_numeric($key)) { - // Extraire l'OU du DN - preg_match('/OU=([^,]+)/', $entry['distinguishedname'][0], $matches); - $ou = isset($matches[1]) ? $matches[1] : 'Users'; - $entry['ou'] = $ou; // Ajouter l'OU à l'entrée de l'utilisateur - $users[] = $entry; // Ajouter chaque utilisateur au tableau - } - } - } - } else { - echo "Error: " . ldap_error($ldapconn); - } - - ldap_close($ldapconn); - return $users; // Retourner le tableau des utilisateurs + $ldapAuth = new LDAPAuth(); + return $ldapAuth->listAllUsers(); } function getUserOU($username) { - if (session_status() == PHP_SESSION_NONE) { - session_start(); - } - - $ldapServer = "ldap://intranet.epul3a.local"; - $ldapUser = "CN=" . 
$_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local"; - $ldapPassword = $_SESSION['password']; - - $ldapconn = ldap_connect($ldapServer) or die("Could not connect to LDAP server."); - ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); - ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); - - if (!@ldap_bind($ldapconn, $ldapUser, $ldapPassword)) { - die("Could not bind to LDAP server: " . ldap_error($ldapconn)); - } - - $searchBase = "DC=epul3a,DC=local"; - $filter = "(sAMAccountName=$username)"; - $attributes = ["distinguishedName"]; - - $result = @ldap_search($ldapconn, $searchBase, $filter, $attributes); - - if ($result) { - $entries = ldap_get_entries($ldapconn, $result); - if ($entries['count'] > 0) { - $dn = $entries[0]['distinguishedname'][0]; - - // Extraire l'OU du DN - preg_match('/OU=([^,]+)/', $dn, $matches); - $ou = isset($matches[1]) ? $matches[1] : null; - - ldap_close($ldapconn); - return $ou; - } - } else { - echo "Error: " . ldap_error($ldapconn); - } - - ldap_close($ldapconn); - return null; -} \ No newline at end of file + $ldapAuth = new LDAPAuth(); + return $ldapAuth->getUserOU($username); +} diff --git a/models/LDAPAuth.php b/models/LDAPAuth.php index 7a07f7a..8ee9ee1 100644 --- a/models/LDAPAuth.php +++ b/models/LDAPAuth.php 
@@ -51,18 +51,173 @@ class LDAPAuth return ['success' => false, 'message' => 'Utilisateur introuvable']; } - // Tentative de connexion avec le DN récupéré if (@ldap_bind($this->ad, $user_dn, $user_password)) { - return ['success' => true, 'dn' => $user_dn]; + // Vérifier si l'utilisateur est un administrateur + $is_admin = $this->isUserAdmin($user_dn); + // Récupérer les OUs sur lesquelles l'utilisateur a des droits d'administration + $admin_ous = $this->getAdminOUs($user_dn); + + return [ + 'success' => true, + 'dn' => $user_dn, + 'is_admin' => $is_admin, + 'admin_ous' => $admin_ous, + ]; } return ['success' => false, 'message' => 'Échec d\'authentification']; } + private function isUserAdmin($user_dn) + { + $this->connect(); + $this->bindServiceAccount(); + + // Vérifier l'attribut adminCount + $filter = "(objectClass=user)"; + $attributes = ["adminCount"]; + + $result = ldap_read($this->ad, $user_dn, $filter, $attributes); + $entries = ldap_get_entries($this->ad, $result); + + if ($entries['count'] > 0 && isset($entries[0]['admincount'][0]) && $entries[0]['admincount'][0] == 1) { + return true; // L'utilisateur est un administrateur + } + + // Vérifier les groupes d'administration + $admin_groups = [ + "CN=Domain Admins,CN=Users,DC=epul3a,DC=local", + "CN=Enterprise Admins,CN=Users,DC=epul3a,DC=local", + "CN=Schema Admins,CN=Users,DC=epul3a,DC=local", + "CN=Group Policy Creator Owners,CN=Users,DC=epul3a,DC=local", + ]; + + foreach ($admin_groups as $admin_group_dn) { + $filter = "(memberOf:1.2.840.113556.1.4.1941:=$admin_group_dn)"; // Vérification récursive + $attributes = ["memberOf"]; + + $result = ldap_read($this->ad, $user_dn, $filter, $attributes); + if ($result && ldap_count_entries($this->ad, $result) > 0) { + return true; // L'utilisateur appartient à un groupe d'administration + } + } + + return false; // L'utilisateur n'est pas un administrateur + } + + private function getAdminOUs($user_dn) + { + $this->connect(); + $this->bindServiceAccount(); + + 
// Liste des groupes administratifs et leurs OUs associées + $admin_groups_with_ous = [ + "Domain Admins" => "OU=Domain Admins,DC=epul3a,DC=local", + "Enterprise Admins" => "OU=Enterprise Admins,DC=epul3a,DC=local", + "Schema Admins" => "OU=Schema Admins,DC=epul3a,DC=local", + "Group Policy Creator Owners" => "OU=Group Policy Creator Owners,DC=epul3a,DC=local", + ]; + + // Récupérer les groupes auxquels l'utilisateur appartient + $admin_ous = []; + foreach ($admin_groups_with_ous as $group_name => $ou) { + $filter = "(memberOf:1.2.840.113556.1.4.1941:=$group_name)"; + $attributes = ["memberOf"]; + + $result = ldap_read($this->ad, $user_dn, $filter, $attributes); + if ($result && ldap_count_entries($this->ad, $result) > 0) { + $admin_ous[] = $ou; // Retourne l'OU associée + } + } + + return $admin_ous; + } + + + public function close() { if ($this->ad) { ldap_close($this->ad); } } + + public function bindServiceAccount() + { + if (!@ldap_bind($this->ad, $this->service_dn, $this->service_pwd)) { + die("❌ Erreur de connexion avec le compte service : " . 
ldap_error($this->ad)); + } + } + + public function listAllOU() + { + $this->connect(); + $this->bindServiceAccount(); + + $searchBase = "DC=epul3a,DC=local"; + $filter = "(objectClass=organizationalUnit)"; + $attributes = ["ou", "distinguishedName"]; + + $result = ldap_search($this->ad, $searchBase, $filter, $attributes); + $entries = ldap_get_entries($this->ad, $result); + + $ous = []; + if ($entries['count'] > 0) { + foreach ($entries as $key => $entry) { + if (is_numeric($key)) { + $ous[] = $entry; + } + } + } + + return $ous; + } + + public function listAllUsers() + { + $this->connect(); + $this->bindServiceAccount(); + + $searchBase = "DC=epul3a,DC=local"; + $filter = "(objectClass=user)"; + $attributes = ["cn", "sn", "givenName", "mail", "distinguishedName"]; + + $result = ldap_search($this->ad, $searchBase, $filter, $attributes); + $entries = ldap_get_entries($this->ad, $result); + + $users = []; + if ($entries['count'] > 0) { + foreach ($entries as $key => $entry) { + if (is_numeric($key)) { + preg_match('/OU=([^,]+)/', $entry['distinguishedname'][0], $matches); + $ou = isset($matches[1]) ? $matches[1] : 'Users'; + $entry['ou'] = $ou; + $users[] = $entry; + } + } + } + + return $users; + } + + public function getUserOU($username) + { + $this->connect(); + $this->bindServiceAccount(); + + $searchBase = "DC=epul3a,DC=local"; + $filter = "(sAMAccountName=$username)"; + $attributes = ["distinguishedName"]; + + $result = ldap_search($this->ad, $searchBase, $filter, $attributes); + $entries = ldap_get_entries($this->ad, $result); + + if ($entries['count'] > 0) { + $dn = $entries[0]['distinguishedname'][0]; + preg_match('/OU=([^,]+)/', $dn, $matches); + return isset($matches[1]) ? $matches[1] : null; + } + + return null; + } } diff --git a/views/menu.php b/views/menu.php index de7d080..c82a67c 100644 --- a/views/menu.php +++ b/views/menu.php @@ -15,17 +15,30 @@ echo "Bienvenue " . $_SESSION["sAMAccountName"] . "!"; echo "
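Review bot: `getUserOU()` builds its search filter by interpolating `$username` directly (`$filter = "(sAMAccountName=$username)";`), so a value containing `*`, `)` or `\` rewrites the query, and since these lookups now run under the service-account bind rather than the caller's own credentials the filter must be escaped: `$filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';`. In `getAdminOUs()` the in-chain matching rule is given the group's CN (`$group_name`, e.g. `Domain Admins`) instead of a DN, unlike `isUserAdmin()` which passes the full `CN=...,CN=Users,DC=epul3a,DC=local`, so that filter can never match and `admin_ous` will always be empty; the mapped `OU=Domain Admins,DC=epul3a,DC=local` paths also do not appear to correspond to where those built-in groups live. `isUserAdmin()` treating `adminCount == 1` as sufficient deserves a caveat: in AD that attribute is stamped by AdminSDHolder protection and is generally not cleared when an account leaves the protected groups, so it can grant `is_admin` to formerly-privileged users — rely on the group-membership check alone or document the assumption with `// NOTE: adminCount is sticky; group check below is authoritative`. `bindServiceAccount()` `die()`s with the raw `ldap_error()` text in the HTTP response; throw an exception and log the detail server-side instead of echoing directory error strings to the client.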

Menu

"; echo ""; -echo $_SESSION["sAMAccountName"]; -echo $_SESSION["password"]; +if (!isset($_SESSION['sAMAccountName'])) { + die("Nom utilisateur manquant. Veuillez vous reconnecter."); +} +// // Exemple : Lister toutes les OUs +// $ous = listAllOU(); +// print_r($ous); -$ou = getUserOU($_SESSION['sAMAccountName']); -echo "L'OU de l'utilisateur est : " . ($ou ? $ou : "Non trouvé"); +// // Exemple : Lister tous les utilisateurs +// $users = listAllUsers(); +// print_r($users); + +// Exemple : Récupérer l'OU d'un utilisateur +// $username = $_SESSION['sAMAccountName']; +// $ou = getUserOU($username); +// echo "OU de l'utilisateur : $ou"; // Bouton de déconnexion echo "
";
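Review bot: The new `isset($_SESSION['sAMAccountName'])` guard runs after the welcome line quoted in the `@@` header (`echo "Bienvenue " . $_SESSION["sAMAccountName"] . "!";`) has already dereferenced and printed the value, so on a missing session the warning and a partial page are emitted before `die()` fires; move the check to the very top of the view, or better into the controller with a redirect to the login page instead of `die()`. That same line echoes the username raw into HTML; it should be `htmlspecialchars($_SESSION["sAMAccountName"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Dropping the `echo $_SESSION["password"]` debug line is right, and if the login controller still stores the plaintext password in the session (the `auth.php` hunk is not legible here) it should stop doing so now that admin lookups bind with the service account. The commented-out examples (`// $users = listAllUsers();` / `// print_r($users);`) should be deleted rather than shipped, since a `print_r` of the full directory listing is exactly what gets uncommented in production.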