Morph01/PHP-LDAP
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: enhance admin session management and display accessible OUs in menu

Browse Source
This commit is contained in:
Morph01
2025-02-04 13:14:38 -08:00
parent 0b83f35f1b
commit 3b1e132010
4 changed files with 184 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
controllers/auth.php
View File

@@ -1,5 +1,4 @@
<?php <?php
require_once __DIR__ . '/../models/LDAPAuth.php'; require_once __DIR__ . '/../models/LDAPAuth.php';
class AuthController class AuthController
@@ -23,6 +22,7 @@ class AuthController
$_SESSION['login'] = true; $_SESSION['login'] = true;
$_SESSION['sAMAccountName'] = $_POST['sAMAccountName']; $_SESSION['sAMAccountName'] = $_POST['sAMAccountName'];
$_SESSION['is_admin'] = $result['is_admin']; $_SESSION['is_admin'] = $result['is_admin'];
$_SESSION['admin_ous'] = $result['admin_ous']; // Stocker les OUs administrables
$_SESSION['password'] = $_POST['user_password']; $_SESSION['password'] = $_POST['user_password'];
header('Location: /index.php'); header('Location: /index.php');
exit; exit;

132
controllers/controllerAdmin.php
View File

@@ -1,136 +1,20 @@
<?php <?php
require_once __DIR__ . '/../models/LDAPAuth.php';
function listAllOU() function listAllOU()
{ {
if (session_status() == PHP_SESSION_NONE) { $ldapAuth = new LDAPAuth();
session_start(); return $ldapAuth->listAllOU();
}
if (!isset($_SESSION['sAMAccountName'])) {
die("Nom utilisateur manquant. Veuillez vous reconnecter.");
}
$ldapconn = ldap_connect("ldap://intranet.epul3a.local")
or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
die("Could not bind to LDAP server: " . ldap_error($ldapconn));
}
$searchBase = "DC=epul3a,DC=local";
$filter = "(objectClass=organizationalUnit)";
$attributes = array("ou", "distinguishedName");
$result = @ldap_search($ldapconn, $searchBase, $filter, $attributes);
$ous = [];
if ($result) {
$entries = ldap_get_entries($ldapconn, $result);
if ($entries['count'] > 0) {
foreach ($entries as $key => $entry) {
if (is_numeric($key)) {
$ous[] = $entry; // Ajouter chaque OU au tableau
}
}
}
} else {
echo "Error: " . ldap_error($ldapconn);
}
ldap_close($ldapconn);
return $ous; // Retourner le tableau des OUs
} }
function listAllUsers() function listAllUsers()
{ {
if (session_status() == PHP_SESSION_NONE) { $ldapAuth = new LDAPAuth();
session_start(); return $ldapAuth->listAllUsers();
}
$ldapconn = ldap_connect("ldap://intranet.epul3a.local")
or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$ldap_user = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
if (!@ldap_bind($ldapconn, $ldap_user, $_SESSION['password'])) {
die("Could not bind to LDAP server: " . ldap_error($ldapconn));
}
$searchBase = "DC=epul3a,DC=local";
$filter = "(objectClass=user)";
$attributes = array("cn", "sn", "givenName", "mail", "distinguishedName");
$result = @ldap_search($ldapconn, $searchBase, $filter, $attributes);
$users = [];
if ($result) {
$entries = ldap_get_entries($ldapconn, $result);
if ($entries['count'] > 0) {
foreach ($entries as $key => $entry) {
if (is_numeric($key)) {
// Extraire l'OU du DN
preg_match('/OU=([^,]+)/', $entry['distinguishedname'][0], $matches);
$ou = isset($matches[1]) ? $matches[1] : 'Users';
$entry['ou'] = $ou; // Ajouter l'OU à l'entrée de l'utilisateur
$users[] = $entry; // Ajouter chaque utilisateur au tableau
}
}
}
} else {
echo "Error: " . ldap_error($ldapconn);
}
ldap_close($ldapconn);
return $users; // Retourner le tableau des utilisateurs
} }
function getUserOU($username) function getUserOU($username)
{ {
if (session_status() == PHP_SESSION_NONE) { $ldapAuth = new LDAPAuth();
session_start(); return $ldapAuth->getUserOU($username);
}
$ldapServer = "ldap://intranet.epul3a.local";
$ldapUser = "CN=" . $_SESSION['sAMAccountName'] . ",CN=Users,DC=epul3a,DC=local";
$ldapPassword = $_SESSION['password'];
$ldapconn = ldap_connect($ldapServer) or die("Could not connect to LDAP server.");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
if (!@ldap_bind($ldapconn, $ldapUser, $ldapPassword)) {
die("Could not bind to LDAP server: " . ldap_error($ldapconn));
}
$searchBase = "DC=epul3a,DC=local";
$filter = "(sAMAccountName=$username)";
$attributes = ["distinguishedName"];
$result = @ldap_search($ldapconn, $searchBase, $filter, $attributes);
if ($result) {
$entries = ldap_get_entries($ldapconn, $result);
if ($entries['count'] > 0) {
$dn = $entries[0]['distinguishedname'][0];
// Extraire l'OU du DN
preg_match('/OU=([^,]+)/', $dn, $matches);
$ou = isset($matches[1]) ? $matches[1] : null;
ldap_close($ldapconn);
return $ou;
}
} else {
echo "Error: " . ldap_error($ldapconn);
}
ldap_close($ldapconn);
return null;
} }

159
models/LDAPAuth.php
View File

@@ -51,18 +51,173 @@ class LDAPAuth
return ['success' => false, 'message' => 'Utilisateur introuvable']; return ['success' => false, 'message' => 'Utilisateur introuvable'];
} }
// Tentative de connexion avec le DN récupéré
if (@ldap_bind($this->ad, $user_dn, $user_password)) { if (@ldap_bind($this->ad, $user_dn, $user_password)) {
return ['success' => true, 'dn' => $user_dn]; // Vérifier si l'utilisateur est un administrateur
$is_admin = $this->isUserAdmin($user_dn);
// Récupérer les OUs sur lesquelles l'utilisateur a des droits d'administration
$admin_ous = $this->getAdminOUs($user_dn);
return [
'success' => true,
'dn' => $user_dn,
'is_admin' => $is_admin,
'admin_ous' => $admin_ous,
];
} }
return ['success' => false, 'message' => 'Échec d\'authentification']; return ['success' => false, 'message' => 'Échec d\'authentification'];
} }
private function isUserAdmin($user_dn)
{
$this->connect();
$this->bindServiceAccount();
// Vérifier l'attribut adminCount
$filter = "(objectClass=user)";
$attributes = ["adminCount"];
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
$entries = ldap_get_entries($this->ad, $result);
if ($entries['count'] > 0 && isset($entries[0]['admincount'][0]) && $entries[0]['admincount'][0] == 1) {
return true; // L'utilisateur est un administrateur
}
// Vérifier les groupes d'administration
$admin_groups = [
"CN=Domain Admins,CN=Users,DC=epul3a,DC=local",
"CN=Enterprise Admins,CN=Users,DC=epul3a,DC=local",
"CN=Schema Admins,CN=Users,DC=epul3a,DC=local",
"CN=Group Policy Creator Owners,CN=Users,DC=epul3a,DC=local",
];
foreach ($admin_groups as $admin_group_dn) {
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$admin_group_dn)"; // Vérification récursive
$attributes = ["memberOf"];
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
if ($result && ldap_count_entries($this->ad, $result) > 0) {
return true; // L'utilisateur appartient à un groupe d'administration
}
}
return false; // L'utilisateur n'est pas un administrateur
}
private function getAdminOUs($user_dn)
{
$this->connect();
$this->bindServiceAccount();
// Liste des groupes administratifs et leurs OUs associées
$admin_groups_with_ous = [
"Domain Admins" => "OU=Domain Admins,DC=epul3a,DC=local",
"Enterprise Admins" => "OU=Enterprise Admins,DC=epul3a,DC=local",
"Schema Admins" => "OU=Schema Admins,DC=epul3a,DC=local",
"Group Policy Creator Owners" => "OU=Group Policy Creator Owners,DC=epul3a,DC=local",
];
// Récupérer les groupes auxquels l'utilisateur appartient
$admin_ous = [];
foreach ($admin_groups_with_ous as $group_name => $ou) {
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$group_name)";
$attributes = ["memberOf"];
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
if ($result && ldap_count_entries($this->ad, $result) > 0) {
$admin_ous[] = $ou; // Retourne l'OU associée
}
}
return $admin_ous;
}
public function close() public function close()
{ {
if ($this->ad) { if ($this->ad) {
ldap_close($this->ad); ldap_close($this->ad);
} }
} }
public function bindServiceAccount()
{
if (!@ldap_bind($this->ad, $this->service_dn, $this->service_pwd)) {
die("❌ Erreur de connexion avec le compte service : " . ldap_error($this->ad));
}
}
public function listAllOU()
{
$this->connect();
$this->bindServiceAccount();
$searchBase = "DC=epul3a,DC=local";
$filter = "(objectClass=organizationalUnit)";
$attributes = ["ou", "distinguishedName"];
$result = ldap_search($this->ad, $searchBase, $filter, $attributes);
$entries = ldap_get_entries($this->ad, $result);
$ous = [];
if ($entries['count'] > 0) {
foreach ($entries as $key => $entry) {
if (is_numeric($key)) {
$ous[] = $entry;
}
}
}
return $ous;
}
public function listAllUsers()
{
$this->connect();
$this->bindServiceAccount();
$searchBase = "DC=epul3a,DC=local";
$filter = "(objectClass=user)";
$attributes = ["cn", "sn", "givenName", "mail", "distinguishedName"];
$result = ldap_search($this->ad, $searchBase, $filter, $attributes);
$entries = ldap_get_entries($this->ad, $result);
$users = [];
if ($entries['count'] > 0) {
foreach ($entries as $key => $entry) {
if (is_numeric($key)) {
preg_match('/OU=([^,]+)/', $entry['distinguishedname'][0], $matches);
$ou = isset($matches[1]) ? $matches[1] : 'Users';
$entry['ou'] = $ou;
$users[] = $entry;
}
}
}
return $users;
}
public function getUserOU($username)
{
$this->connect();
$this->bindServiceAccount();
$searchBase = "DC=epul3a,DC=local";
$filter = "(sAMAccountName=$username)";
$attributes = ["distinguishedName"];
$result = ldap_search($this->ad, $searchBase, $filter, $attributes);
$entries = ldap_get_entries($this->ad, $result);
if ($entries['count'] > 0) {
$dn = $entries[0]['distinguishedname'][0];
preg_match('/OU=([^,]+)/', $dn, $matches);
return isset($matches[1]) ? $matches[1] : null;
}
return null;
}
} }

21
views/menu.php
View File

@@ -15,17 +15,30 @@ echo "Bienvenue " . $_SESSION["sAMAccountName"] . "!";
echo "<h2>Menu</h2>"; echo "<h2>Menu</h2>";
echo "<ul>"; echo "<ul>";
if ($_SESSION["is_admin"]) { if ($_SESSION["is_admin"]) {
echo "Vous êtes un administrateur.";
echo "Vous avez des droits sur les OUs suivantes : " . implode(", ", $_SESSION['admin_ous']);
echo "<li><a href='views/list_users.php'>Liste des utilisateurs</a></li>"; echo "<li><a href='views/list_users.php'>Liste des utilisateurs</a></li>";
echo "<li><a href='views/add_user.php'>Ajouter un utilisateur</a></li>"; echo "<li><a href='views/add_user.php'>Ajouter un utilisateur</a></li>";
} }
echo "</ul>"; echo "</ul>";
echo $_SESSION["sAMAccountName"]; if (!isset($_SESSION['sAMAccountName'])) {
echo $_SESSION["password"]; die("Nom utilisateur manquant. Veuillez vous reconnecter.");
}
// // Exemple : Lister toutes les OUs
// $ous = listAllOU();
// print_r($ous);
$ou = getUserOU($_SESSION['sAMAccountName']); // // Exemple : Lister tous les utilisateurs
echo "L'OU de l'utilisateur est : " . ($ou ? $ou : "Non trouvé"); // $users = listAllUsers();
// print_r($users);
// Exemple : Récupérer l'OU d'un utilisateur
// $username = $_SESSION['sAMAccountName'];
// $ou = getUserOU($username);
// echo "OU de l'utilisateur : $ou";
// Bouton de déconnexion // Bouton de déconnexion
echo "<form method='post' action='../controllers/logout.php'>"; echo "<form method='post' action='../controllers/logout.php'>";