Morph01/PHP-LDAP
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: delegation administration IS WORKING

Browse Source
This commit is contained in:
Morph01
2025-02-04 14:33:14 -08:00
parent cccdbe797c
commit 9ed9dad583
6 changed files with 303 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

151
models/LDAPAuth.php
View File

@@ -70,39 +70,36 @@ class LDAPAuth
private function isUserAdmin($user_dn)
{
$this->connect();
$this->bindServiceAccount();
// Vérifier l'attribut adminCount
$filter = "(objectClass=user)";
$attributes = ["adminCount"];
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
$entries = ldap_get_entries($this->ad, $result);
if ($entries['count'] > 0 && isset($entries[0]['admincount'][0]) && $entries[0]['admincount'][0] == 1) {
return true; // L'utilisateur est un administrateur
}
// Vérifier les groupes d'administration
$admin_groups = [
"CN=Domain Admins,CN=Users,DC=epul3a,DC=local",
"CN=Enterprise Admins,CN=Users,DC=epul3a,DC=local",
"CN=Schema Admins,CN=Users,DC=epul3a,DC=local",
"CN=Group Policy Creator Owners,CN=Users,DC=epul3a,DC=local",
"CN=Group Policy Creator Owners,CN=Users,DC=epul3a,DC=local"
];
foreach ($admin_groups as $admin_group_dn) {
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$admin_group_dn)"; // Vérification récursive
$attributes = ["memberOf"];
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
foreach ($admin_groups as $group_dn) {
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$group_dn)";
$result = ldap_read($this->ad, $user_dn, $filter, ["memberOf"]);
if ($result && ldap_count_entries($this->ad, $result) > 0) {
return true; // L'utilisateur appartient à un groupe d'administration
return true;
}
}
return false; // L'utilisateur n'est pas un administrateur
return false;
}
public function getUserGroups($user_dn)
{
$this->connect();
$this->bindServiceAccount();
$filter = "(objectClass=*)";
$attributes = ["memberOf"];
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
$entries = ldap_get_entries($this->ad, $result);
return $entries[0]['memberof'] ?? [];
}
private function getAdminOUs($user_dn)
@@ -110,20 +107,18 @@ class LDAPAuth
$this->connect();
$this->bindServiceAccount();
// Liste des groupes administratifs et leurs OUs associées
// Mappage explicite des groupes d'administration vers les OUs
$admin_groups_with_ous = [
"CN=Domain Admins,CN=Users,DC=epul3a,DC=local" => "OU=Domain Admins,DC=epul3a,DC=local",
"CN=Enterprise Admins,CN=Users,DC=epul3a,DC=local" => "OU=Enterprise Admins,DC=epul3a,DC=local",
"CN=Schema Admins,CN=Users,DC=epul3a,DC=local" => "OU=Schema Admins,DC=epul3a,DC=local",
"CN=Group Policy Creator Owners,CN=Users,DC=epul3a,DC=local" => "OU=Group Policy Creator Owners,DC=epul3a,DC=local",
"CN=Domain Admins,CN=Users,DC=epul3a,DC=local" => "OU=3AFISA,DC=epul3a,DC=local", // Domain Admins → OU=3AFISA
"CN=Enterprise Admins,CN=Users,DC=epul3a,DC=local" => "CN=Users,DC=epul3a,DC=local",
// Ajoutez d'autres groupes si nécessaire
];
$admin_ous = [];
foreach ($admin_groups_with_ous as $group_dn => $ou) {
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$group_dn)";
$attributes = ["memberOf"];
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$group_dn)"; // Vérification récursive
$result = ldap_read($this->ad, $user_dn, $filter, ["memberOf"]);
$result = ldap_read($this->ad, $user_dn, $filter, $attributes);
if ($result && ldap_count_entries($this->ad, $result) > 0) {
$admin_ous[] = $ou;
}
@@ -132,6 +127,45 @@ class LDAPAuth
return array_unique($admin_ous);
}
private function getOUACL($ou_dn)
{
$filter = "(objectClass=organizationalUnit)";
$attributes = ["nTSecurityDescriptor"];
$result = @ldap_read($this->ad, $ou_dn, $filter, $attributes); // Ajoutez @ pour supprimer les warnings
if (!$result) {
return null; // Retourne null si la lecture échoue
}
$entries = ldap_get_entries($this->ad, $result);
if ($entries['count'] > 0 && isset($entries[0]['ntsecuritydescriptor'][0])) {
return $entries[0]['ntsecuritydescriptor'][0]; // Retourne les ACL
}
return null; // Retourne null si aucune ACL n'est trouvée
}
private function hasAdminRights($acl, $user_dn)
{
// Si les ACL sont null, retourne false
if ($acl === null) {
return false;
}
// Convertir l'ACL en un format exploitable
// Note : Cette partie dépend de la manière dont les ACL sont stockées dans votre AD
// Vous devrez peut-être utiliser une bibliothèque pour parser l'ACL
// Exemple simplifié : Vérifier si l'utilisateur a le droit "WriteProperty" ou "GenericAll"
if (strpos($acl, $user_dn) !== false && (strpos($acl, "WriteProperty") !== false || strpos($acl, "GenericAll") !== false)) {
return true;
}
return false;
}
public function getAllOUs()
{
$this->connect();
@@ -241,4 +275,59 @@ class LDAPAuth
return null;
}
public function listUsersByOUs(array $admin_ous)
{
$this->connect();
$this->bindServiceAccount();
$users = [];
foreach ($admin_ous as $ou) {
$searchBase = $ou;
$filter = "(objectClass=user)";
$attributes = ["cn", "sn", "givenName", "mail", "distinguishedName"];
$result = ldap_search($this->ad, $searchBase, $filter, $attributes);
$entries = ldap_get_entries($this->ad, $result);
if ($entries['count'] > 0) {
foreach ($entries as $key => $entry) {
if (is_numeric($key)) {
$users[] = $entry;
}
}
}
}
return $users;
}
public function listUsersByOU($ou_dn)
{
$this->connect();
$this->bindServiceAccount();
$searchBase = $ou_dn;
$filter = "(objectClass=user)";
$attributes = ["cn", "sn", "givenName", "mail", "distinguishedName"];
$result = @ldap_search($this->ad, $searchBase, $filter, $attributes);
if (!$result) {
return [];
}
$entries = ldap_get_entries($this->ad, $result);
$users = [];
if ($entries['count'] > 0) {
for ($i = 0; $i < $entries['count']; $i++) {
if (!empty($entries[$i]['distinguishedname'][0])) {
$users[] = $entries[$i];
}
}
}
return $users;
}
}