feat: enhance admin session management and display accessible OUs in menu
This commit is contained in:
Morph01
@@ -51,18 +51,173 @@ class LDAPAuth
|
||||
return ['success' => false, 'message' => 'Utilisateur introuvable'];
|
||||
}
|
||||
|
||||
// Tentative de connexion avec le DN récupéré
|
||||
if (@ldap_bind($this->ad, $user_dn, $user_password)) {
|
||||
return ['success' => true, 'dn' => $user_dn];
|
||||
// Vérifier si l'utilisateur est un administrateur
|
||||
$is_admin = $this->isUserAdmin($user_dn);
|
||||
// Récupérer les OUs sur lesquelles l'utilisateur a des droits d'administration
|
||||
$admin_ous = $this->getAdminOUs($user_dn);
|
||||
|
||||
return [
|
||||
'success' => true,
|
||||
'dn' => $user_dn,
|
||||
'is_admin' => $is_admin,
|
||||
'admin_ous' => $admin_ous,
|
||||
];
|
||||
}
|
||||
|
||||
return ['success' => false, 'message' => 'Échec d\'authentification'];
|
||||
}
|
||||
|
||||
private function isUserAdmin($user_dn)
|
||||
{
|
||||
$this->connect();
|
||||
$this->bindServiceAccount();
|
||||
|
||||
// Vérifier l'attribut adminCount
|
||||
$filter = "(objectClass=user)";
|
||||
$attributes = ["adminCount"];
|
||||
|
||||
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
|
||||
$entries = ldap_get_entries($this->ad, $result);
|
||||
|
||||
if ($entries['count'] > 0 && isset($entries[0]['admincount'][0]) && $entries[0]['admincount'][0] == 1) {
|
||||
return true; // L'utilisateur est un administrateur
|
||||
}
|
||||
|
||||
// Vérifier les groupes d'administration
|
||||
$admin_groups = [
|
||||
"CN=Domain Admins,CN=Users,DC=epul3a,DC=local",
|
||||
"CN=Enterprise Admins,CN=Users,DC=epul3a,DC=local",
|
||||
"CN=Schema Admins,CN=Users,DC=epul3a,DC=local",
|
||||
"CN=Group Policy Creator Owners,CN=Users,DC=epul3a,DC=local",
|
||||
];
|
||||
|
||||
foreach ($admin_groups as $admin_group_dn) {
|
||||
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$admin_group_dn)"; // Vérification récursive
|
||||
$attributes = ["memberOf"];
|
||||
|
||||
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
|
||||
if ($result && ldap_count_entries($this->ad, $result) > 0) {
|
||||
return true; // L'utilisateur appartient à un groupe d'administration
|
||||
}
|
||||
}
|
||||
|
||||
return false; // L'utilisateur n'est pas un administrateur
|
||||
}
|
||||
|
||||
private function getAdminOUs($user_dn)
|
||||
{
|
||||
$this->connect();
|
||||
$this->bindServiceAccount();
|
||||
|
||||
// Liste des groupes administratifs et leurs OUs associées
|
||||
$admin_groups_with_ous = [
|
||||
"Domain Admins" => "OU=Domain Admins,DC=epul3a,DC=local",
|
||||
"Enterprise Admins" => "OU=Enterprise Admins,DC=epul3a,DC=local",
|
||||
"Schema Admins" => "OU=Schema Admins,DC=epul3a,DC=local",
|
||||
"Group Policy Creator Owners" => "OU=Group Policy Creator Owners,DC=epul3a,DC=local",
|
||||
];
|
||||
|
||||
// Récupérer les groupes auxquels l'utilisateur appartient
|
||||
$admin_ous = [];
|
||||
foreach ($admin_groups_with_ous as $group_name => $ou) {
|
||||
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$group_name)";
|
||||
$attributes = ["memberOf"];
|
||||
|
||||
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
|
||||
if ($result && ldap_count_entries($this->ad, $result) > 0) {
|
||||
$admin_ous[] = $ou; // Retourne l'OU associée
|
||||
}
|
||||
}
|
||||
|
||||
return $admin_ous;
|
||||
}
|
||||
|
||||
|
||||
|
||||
public function close()
|
||||
{
|
||||
if ($this->ad) {
|
||||
ldap_close($this->ad);
|
||||
}
|
||||
}
|
||||
|
||||
public function bindServiceAccount()
|
||||
{
|
||||
if (!@ldap_bind($this->ad, $this->service_dn, $this->service_pwd)) {
|
||||
die("❌ Erreur de connexion avec le compte service : " . ldap_error($this->ad));
|
||||
}
|
||||
}
|
||||
|
||||
public function listAllOU()
|
||||
{
|
||||
$this->connect();
|
||||
$this->bindServiceAccount();
|
||||
|
||||
$searchBase = "DC=epul3a,DC=local";
|
||||
$filter = "(objectClass=organizationalUnit)";
|
||||
$attributes = ["ou", "distinguishedName"];
|
||||
|
||||
$result = ldap_search($this->ad, $searchBase, $filter, $attributes);
|
||||
$entries = ldap_get_entries($this->ad, $result);
|
||||
|
||||
$ous = [];
|
||||
if ($entries['count'] > 0) {
|
||||
foreach ($entries as $key => $entry) {
|
||||
if (is_numeric($key)) {
|
||||
$ous[] = $entry;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $ous;
|
||||
}
|
||||
|
||||
public function listAllUsers()
|
||||
{
|
||||
$this->connect();
|
||||
$this->bindServiceAccount();
|
||||
|
||||
$searchBase = "DC=epul3a,DC=local";
|
||||
$filter = "(objectClass=user)";
|
||||
$attributes = ["cn", "sn", "givenName", "mail", "distinguishedName"];
|
||||
|
||||
$result = ldap_search($this->ad, $searchBase, $filter, $attributes);
|
||||
$entries = ldap_get_entries($this->ad, $result);
|
||||
|
||||
$users = [];
|
||||
if ($entries['count'] > 0) {
|
||||
foreach ($entries as $key => $entry) {
|
||||
if (is_numeric($key)) {
|
||||
preg_match('/OU=([^,]+)/', $entry['distinguishedname'][0], $matches);
|
||||
$ou = isset($matches[1]) ? $matches[1] : 'Users';
|
||||
$entry['ou'] = $ou;
|
||||
$users[] = $entry;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $users;
|
||||
}
|
||||
|
||||
public function getUserOU($username)
|
||||
{
|
||||
$this->connect();
|
||||
$this->bindServiceAccount();
|
||||
|
||||
$searchBase = "DC=epul3a,DC=local";
|
||||
$filter = "(sAMAccountName=$username)";
|
||||
$attributes = ["distinguishedName"];
|
||||
|
||||
$result = ldap_search($this->ad, $searchBase, $filter, $attributes);
|
||||
$entries = ldap_get_entries($this->ad, $result);
|
||||
|
||||
if ($entries['count'] > 0) {
|
||||
$dn = $entries[0]['distinguishedname'][0];
|
||||
preg_match('/OU=([^,]+)/', $dn, $matches);
|
||||
return isset($matches[1]) ? $matches[1] : null;
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user