<?php
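/**
 * Thin wrapper around ext/ldap for authenticating Active Directory users and
 * answering a few directory questions (admin status, OUs, user listing).
 *
 * Connection lifecycle: connect() is lazy and idempotent, so the handle is
 * shared by all calls until close(). Every query method binds with the
 * read-only service account; authenticate() additionally binds with the
 * user's own credentials to verify the password.
 *
 * Failures to reach or bind to the directory are reported as RuntimeException
 * so the caller decides what (if anything) is shown to the end user.
 */
class LDAPAuth
{
    /** Search base for every directory query. */
    private const BASE_DN = 'DC=epul3a,DC=local';

    /**
     * Administrative groups checked by isUserAdmin(), mapped to the OU that
     * getAdminOUs() reports for members of that group.
     *
     * @var array<string, string>
     */
    private const ADMIN_GROUP_OUS = [
        'CN=Domain Admins,CN=Users,DC=epul3a,DC=local' => 'OU=Domain Admins,DC=epul3a,DC=local',
        'CN=Enterprise Admins,CN=Users,DC=epul3a,DC=local' => 'OU=Enterprise Admins,DC=epul3a,DC=local',
        'CN=Schema Admins,CN=Users,DC=epul3a,DC=local' => 'OU=Schema Admins,DC=epul3a,DC=local',
        'CN=Group Policy Creator Owners,CN=Users,DC=epul3a,DC=local' => 'OU=Group Policy Creator Owners,DC=epul3a,DC=local',
    ];

    /**
     * @var string LDAP URI.
     * NOTE(review): a plain ldap:// URI sends every bind password (service and
     * user) unencrypted; prefer ldaps:// or call ldap_start_tls() after connect().
     */
    private $ldap_server;

    /** @var string DN of the read-only service account used for lookups. */
    private $service_dn;

    /**
     * @var string Password of the service account.
     * NOTE(review): this secret is hard-coded in source; it belongs in
     * configuration kept outside the repository.
     */
    private $service_pwd;

    /** @var resource|\LDAP\Connection|null Active connection handle, null until connect(). */
    private $ad = null;

    public function __construct()
    {
        $this->ldap_server = 'ldap://intranet.epul3a.local';
        $this->service_dn = 'CN=Service LDAP Reader,CN=Users,DC=epul3a,DC=local';
        $this->service_pwd = 'Test@123';
    }

    /**
     * Open the LDAP connection (protocol v3, referrals disabled).
     *
     * Idempotent: a second call reuses the existing handle instead of leaking
     * one connection per query method.
     *
     * @throws RuntimeException when ldap_connect() rejects the URI
     */
    public function connect(): void
    {
        if ($this->ad) {
            return;
        }
        $this->ad = ldap_connect($this->ldap_server);
        if (!$this->ad) {
            throw new RuntimeException("❌ Impossible de se connecter au LDAP");
        }
        ldap_set_option($this->ad, LDAP_OPT_PROTOCOL_VERSION, 3);
        // Active Directory returns referrals for other partitions; following them would stall searches.
        ldap_set_option($this->ad, LDAP_OPT_REFERRALS, 0);
    }

    /**
     * Bind with the read-only service account (connecting first if needed).
     *
     * @throws RuntimeException when the bind is refused
     */
    public function bindServiceAccount(): void
    {
        $this->connect();
        if (!@ldap_bind($this->ad, $this->service_dn, $this->service_pwd)) {
            throw new RuntimeException("❌ Erreur de connexion avec le compte service : " . ldap_error($this->ad));
        }
    }

    /**
     * Resolve a login name (sAMAccountName) to the user's distinguished name.
     *
     * @param string $sAMAccountName login alias as typed by the user (untrusted)
     * @return string|false the DN of the first match, or false when nobody matches
     */
    public function getUserDN($sAMAccountName)
    {
        $sAMAccountName = (string) $sAMAccountName;
        if ($sAMAccountName === '') {
            return false; // "(sAMAccountName=)" can never identify a user
        }
        // Escape the user-supplied value so that filter metacharacters such as
        // "*", "(" and ")" are matched literally instead of altering the query.
        $filter = '(sAMAccountName=' . ldap_escape($sAMAccountName, '', LDAP_ESCAPE_FILTER) . ')';
        $entries = $this->search($filter, ['distinguishedName']);

        return $entries[0]['dn'] ?? false;
    }

    /**
     * Authenticate a user by binding to the directory with their own credentials.
     *
     * @param string $sAMAccountName login alias (untrusted)
     * @param string $user_password  password (untrusted)
     * @return array{success: bool, message?: string, dn?: string, is_admin?: bool, admin_ous?: string[]}
     */
    public function authenticate($sAMAccountName, $user_password): array
    {
        // An empty password must never reach ldap_bind(): per RFC 4513 an empty
        // password requests an *unauthenticated* bind, which many servers
        // (Active Directory included) accept for any existing DN, so the bind
        // would "succeed" without proving anything.
        if ((string) $user_password === '') {
            return ['success' => false, 'message' => 'Échec d\'authentification'];
        }

        $user_dn = $this->getUserDN($sAMAccountName);
        if (!$user_dn) {
            return ['success' => false, 'message' => 'Utilisateur introuvable'];
        }

        // Re-bind the shared handle as the user; the service bind is restored
        // by the admin lookups below.
        if (!@ldap_bind($this->ad, $user_dn, $user_password)) {
            return ['success' => false, 'message' => 'Échec d\'authentification'];
        }

        return [
            'success' => true,
            'dn' => $user_dn,
            'is_admin' => $this->isUserAdmin($user_dn),
            'admin_ous' => $this->getAdminOUs($user_dn),
        ];
    }

    /**
     * Whether the user is an administrator: adminCount = 1 on the object, or
     * direct/nested membership of one of the ADMIN_GROUP_OUS groups.
     *
     * @param string $user_dn DN obtained from the directory
     */
    private function isUserAdmin($user_dn): bool
    {
        $this->bindServiceAccount();

        // The directory marks protected administrative accounts with adminCount = 1.
        $result = ldap_read($this->ad, $user_dn, '(objectClass=user)', ['adminCount']);
        $entries = $result ? ldap_get_entries($this->ad, $result) : false;
        if ($entries && $entries['count'] > 0 && (int) ($entries[0]['admincount'][0] ?? 0) === 1) {
            return true;
        }

        foreach (array_keys(self::ADMIN_GROUP_OUS) as $group_dn) {
            if ($this->isTransitiveMemberOf($user_dn, $group_dn)) {
                return true;
            }
        }

        return false;
    }

    /**
     * OUs the user may administer, derived from membership of ADMIN_GROUP_OUS.
     *
     * @param string $user_dn DN obtained from the directory
     * @return string[] OU DNs, de-duplicated (keys preserved by array_unique)
     */
    private function getAdminOUs($user_dn): array
    {
        $this->bindServiceAccount();

        $admin_ous = [];
        foreach (self::ADMIN_GROUP_OUS as $group_dn => $ou) {
            if ($this->isTransitiveMemberOf($user_dn, $group_dn)) {
                $admin_ous[] = $ou;
            }
        }

        return array_unique($admin_ous);
    }

    /**
     * True when $user_dn is a direct or nested member of $group_dn.
     *
     * Uses the LDAP_MATCHING_RULE_IN_CHAIN extensible match
     * (OID 1.2.840.113556.1.4.1941), which the server resolves recursively.
     * Requires a service bind on the shared handle.
     */
    private function isTransitiveMemberOf($user_dn, $group_dn): bool
    {
        $filter = '(memberOf:1.2.840.113556.1.4.1941:=' . ldap_escape($group_dn, '', LDAP_ESCAPE_FILTER) . ')';
        $result = ldap_read($this->ad, $user_dn, $filter, ['memberOf']);

        return $result && ldap_count_entries($this->ad, $result) > 0;
    }

    /**
     * Distinguished names of every organizational unit under BASE_DN.
     *
     * @return string[]
     */
    public function getAllOUs(): array
    {
        $entries = $this->search('(objectClass=organizationalUnit)', ['ou', 'distinguishedName']);

        $ous = [];
        foreach ($this->entryList($entries) as $entry) {
            if (isset($entry['distinguishedname'][0])) {
                $ous[] = $entry['distinguishedname'][0];
            }
        }

        return $ous;
    }

    /**
     * Release the connection. A later connect() opens a fresh handle.
     */
    public function close(): void
    {
        if ($this->ad) {
            ldap_close($this->ad);
            $this->ad = null;
        }
    }

    /**
     * Raw ldap_get_entries() records (ou, distinguishedName) of every OU under BASE_DN.
     *
     * @return array[] entries without the surrounding 'count' key
     */
    public function listAllOU(): array
    {
        $entries = $this->search('(objectClass=organizationalUnit)', ['ou', 'distinguishedName']);

        return $this->entryList($entries);
    }

    /**
     * Raw ldap_get_entries() records of every user under BASE_DN, each with an
     * extra 'ou' key holding the first OU of its DN (or 'Users' when the DN has none).
     *
     * @return array[]
     */
    public function listAllUsers(): array
    {
        $entries = $this->search('(objectClass=user)', ['cn', 'sn', 'givenName', 'mail', 'distinguishedName']);

        $users = [];
        foreach ($this->entryList($entries) as $entry) {
            $entry['ou'] = $this->firstOU($entry['distinguishedname'][0] ?? '') ?? 'Users';
            $users[] = $entry;
        }

        return $users;
    }

    /**
     * Name of the first OU in the DN of the user with this login, or null when
     * the user is unknown or sits outside any OU.
     *
     * @param string $username sAMAccountName (untrusted)
     */
    public function getUserOU($username): ?string
    {
        $username = (string) $username;
        if ($username === '') {
            return null;
        }
        // Escaped for the same reason as in getUserDN(): the value is user-controlled.
        $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $entries = $this->search($filter, ['distinguishedName']);
        if ($entries['count'] > 0) {
            return $this->firstOU($entries[0]['distinguishedname'][0] ?? '');
        }

        return null;
    }

    /**
     * Subtree search under BASE_DN with the service account bound.
     *
     * @param string   $filter     LDAP filter; callers escape any untrusted part themselves
     * @param string[] $attributes attributes to fetch
     * @return array ldap_get_entries() result (including its 'count' key), or
     *               ['count' => 0] when the search itself fails
     */
    private function search($filter, array $attributes): array
    {
        $this->bindServiceAccount();
        $result = ldap_search($this->ad, self::BASE_DN, $filter, $attributes);
        $entries = $result ? ldap_get_entries($this->ad, $result) : false;

        return $entries === false ? ['count' => 0] : $entries;
    }

    /**
     * The numerically indexed records of an ldap_get_entries() result, i.e.
     * everything except the 'count' key.
     *
     * @return array[]
     */
    private function entryList(array $entries): array
    {
        return array_values(array_filter($entries, 'is_int', ARRAY_FILTER_USE_KEY));
    }

    /**
     * Value of the first "OU=" component of a DN read from the left (the
     * unit closest to the object), or null when the DN has none.
     */
    private function firstOU($dn): ?string
    {
        return preg_match('/OU=([^,]+)/', (string) $dn, $m) === 1 ? $m[1] : null;
    }
}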