ldap_server = 'ldap://intranet.epul3a.local'; $this->service_dn = 'CN=Service LDAP Reader,CN=Users,DC=epul3a,DC=local'; $this->service_pwd = 'Test@123'; } public function connect() { $this->ad = ldap_connect($this->ldap_server) or die("❌ Impossible de se connecter au LDAP"); ldap_set_option($this->ad, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($this->ad, LDAP_OPT_REFERRALS, 0); } public function getUserDN($sAMAccountName) { $this->connect(); // Connexion avec le compte service if (!@ldap_bind($this->ad, $this->service_dn, $this->service_pwd)) { die("❌ Erreur de connexion avec svc_ldap_read : " . ldap_error($this->ad)); } // 🔥 Utilisation correcte du sAMAccountName (alias de connexion) $search_base = "DC=epul3a,DC=local"; $search_filter = "(sAMAccountName=$sAMAccountName)"; // 🔥 Remplace ici $search_result = ldap_search($this->ad, $search_base, $search_filter); $entries = ldap_get_entries($this->ad, $search_result); if ($entries["count"] > 0) { return $entries[0]["dn"]; // ✅ Retourne le DN correct } return false; // ❌ Utilisateur non trouvé } public function authenticate($sAMAccountName, $user_password) { $user_dn = $this->getUserDN($sAMAccountName); if (!$user_dn) { return ['success' => false, 'message' => 'Utilisateur introuvable']; } if (@ldap_bind($this->ad, $user_dn, $user_password)) { // Vérifier si l'utilisateur est un administrateur $is_admin = $this->isUserAdmin($user_dn); // Récupérer les OUs sur lesquelles l'utilisateur a des droits d'administration $admin_ous = $this->getAdminOUs($user_dn); return [ 'success' => true, 'dn' => $user_dn, 'is_admin' => $is_admin, 'admin_ous' => $admin_ous, ]; } return ['success' => false, 'message' => 'Échec d\'authentification']; } private function isUserAdmin($user_dn) { $this->connect(); $this->bindServiceAccount(); // Vérifier l'attribut adminCount $filter = "(objectClass=user)"; $attributes = ["adminCount"]; $result = ldap_read($this->ad, $user_dn, $filter, $attributes); $entries = ldap_get_entries($this->ad, $result); if ($entries['count'] > 0 && isset($entries[0]['admincount'][0]) && $entries[0]['admincount'][0] == 1) { return true; // L'utilisateur est un administrateur } // Vérifier les groupes d'administration $admin_groups = [ "CN=Domain Admins,CN=Users,DC=epul3a,DC=local", "CN=Enterprise Admins,CN=Users,DC=epul3a,DC=local", "CN=Schema Admins,CN=Users,DC=epul3a,DC=local", "CN=Group Policy Creator Owners,CN=Users,DC=epul3a,DC=local", ]; foreach ($admin_groups as $admin_group_dn) { $filter = "(memberOf:1.2.840.113556.1.4.1941:=$admin_group_dn)"; // Vérification récursive $attributes = ["memberOf"]; $result = ldap_read($this->ad, $user_dn, $filter, $attributes); if ($result && ldap_count_entries($this->ad, $result) > 0) { return true; // L'utilisateur appartient à un groupe d'administration } } return false; // L'utilisateur n'est pas un administrateur } private function getAdminOUs($user_dn) { $this->connect(); $this->bindServiceAccount(); // Liste des groupes administratifs et leurs OUs associées $admin_groups_with_ous = [ "Domain Admins" => "OU=Domain Admins,DC=epul3a,DC=local", "Enterprise Admins" => "OU=Enterprise Admins,DC=epul3a,DC=local", "Schema Admins" => "OU=Schema Admins,DC=epul3a,DC=local", "Group Policy Creator Owners" => "OU=Group Policy Creator Owners,DC=epul3a,DC=local", ]; // Récupérer les groupes auxquels l'utilisateur appartient $admin_ous = []; foreach ($admin_groups_with_ous as $group_name => $ou) { $filter = "(memberOf:1.2.840.113556.1.4.1941:=$group_name)"; $attributes = ["memberOf"]; $result = ldap_read($this->ad, $user_dn, $filter, $attributes); if ($result && ldap_count_entries($this->ad, $result) > 0) { $admin_ous[] = $ou; // Retourne l'OU associée } } return $admin_ous; } public function close() { if ($this->ad) { ldap_close($this->ad); } } public function bindServiceAccount() { if (!@ldap_bind($this->ad, $this->service_dn, $this->service_pwd)) { die("❌ Erreur de connexion avec le compte service : " . ldap_error($this->ad)); } } public function listAllOU() { $this->connect(); $this->bindServiceAccount(); $searchBase = "DC=epul3a,DC=local"; $filter = "(objectClass=organizationalUnit)"; $attributes = ["ou", "distinguishedName"]; $result = ldap_search($this->ad, $searchBase, $filter, $attributes); $entries = ldap_get_entries($this->ad, $result); $ous = []; if ($entries['count'] > 0) { foreach ($entries as $key => $entry) { if (is_numeric($key)) { $ous[] = $entry; } } } return $ous; } public function listAllUsers() { $this->connect(); $this->bindServiceAccount(); $searchBase = "DC=epul3a,DC=local"; $filter = "(objectClass=user)"; $attributes = ["cn", "sn", "givenName", "mail", "distinguishedName"]; $result = ldap_search($this->ad, $searchBase, $filter, $attributes); $entries = ldap_get_entries($this->ad, $result); $users = []; if ($entries['count'] > 0) { foreach ($entries as $key => $entry) { if (is_numeric($key)) { preg_match('/OU=([^,]+)/', $entry['distinguishedname'][0], $matches); $ou = isset($matches[1]) ? $matches[1] : 'Users'; $entry['ou'] = $ou; $users[] = $entry; } } } return $users; } public function getUserOU($username) { $this->connect(); $this->bindServiceAccount(); $searchBase = "DC=epul3a,DC=local"; $filter = "(sAMAccountName=$username)"; $attributes = ["distinguishedName"]; $result = ldap_search($this->ad, $searchBase, $filter, $attributes); $entries = ldap_get_entries($this->ad, $result); if ($entries['count'] > 0) { $dn = $entries[0]['distinguishedname'][0]; preg_match('/OU=([^,]+)/', $dn, $matches); return isset($matches[1]) ? $matches[1] : null; } return null; } }