Using PHP LDAP To Find Which Groups A User Belongs To

Written By Tyler Ingram on Jun 03, 2008

One of the tasks I have been looking into at work is the ability to use PHP to authenticate users against a Windows Active Directory (AD). After searching around on the internet I did manage to find a great little tutorial that helped explain the steps in searching the AD for a particular user and then, if they existed, authenticating them with the submitted credentials.

While writing this post I have noticed that the blog that tutorial was written on is currently undergoing some transformations and I won’t be able to link to it yet. It was a fairly good tutorial and it allowed me to easily access our company’s AD using the proper authentication to look up user accounts and authenticate them properly.

The next task was to create some sort of structured access system based on the groups the user belonged to. The code below assumes you have already been able to authenticate a user on the AD using PHP and that their account information is stored in the array variable $user.

<?php
$groups = array();

// Loop through the groups that the user is a `memberof`
foreach($user[0]['memberof'] as $key => $group) {
  // If the entry came from ldap_get_entries(), the attribute carries a 'count' element; skip it
  if ($key === 'count') continue;
  // extract Group name from string (everything before the first comma)
  $temp = substr($group, 0, stripos($group, ","));
  // Strip the CN= and change to lowercase for easy handling
  $temp = strtolower(str_replace("CN=", "", $temp));

  echo "{$temp}<br />";   // Print out Group's name
  $groups[] = $temp;      // append to the array ('.=' would be string concatenation)
}
?>

Pretty cool and pretty easy to do, right? Now all you need to do is check whether or not the user belongs to the particular groups you need them to belong to. This can be in the form of an array or a loop to match an array against a particular group, such as:

<?php
// $groups holds lowercase names, so compare against lowercase values
// Regular User
if(in_array('reguser', $groups)) $_SESSION['thisuser']['userlevel'] = 1;
// Moderator
if(in_array('moderator', $groups)) $_SESSION['thisuser']['userlevel'] = 3;
// Administrator
if(in_array('admin', $groups)) $_SESSION['thisuser']['userlevel'] = 5;
?>
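As an added example (not code from the original post), here are the two snippets above combined into one script with the parsing made a bit more robust: it skips the `count` element that `ldap_get_entries()` adds, it handles commas escaped inside a group's CN (which cutting at the first comma gets wrong), and it picks the highest matching level rather than relying on the order of the `if` statements. The `$user` entry and the group names are constructed sample data, so it runs without an LDAP connection.

```php
<?php
// Added example, not the original post's code. Runs without an LDAP server:
// $user below is a constructed entry in the shape ldap_get_entries() returns.
$user = array(
    'count' => 1,
    0 => array(
        'memberof' => array(
            'count' => 3,
            0 => 'CN=RegUser,OU=Groups,DC=example,DC=com',
            1 => 'CN=Ops\, Night Shift,OU=Groups,DC=example,DC=com', // escaped comma in the CN
            2 => 'CN=Admin,OU=Groups,DC=example,DC=com',
        ),
    ),
);

// Group name => privilege level. Names are constructed, as in the post.
$levels = array('RegUser' => 1, 'Moderator' => 3, 'Admin' => 5);

/**
 * Return the value of the first RDN of a DN, e.g. "Admin" from
 * "CN=Admin,OU=Groups,DC=example,DC=com". Handles RFC 4514 escapes
 * ("\," and "\2C"), which cutting at the first comma does not.
 */
function groupNameFromDn($dn)
{
    $value = '';
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $c = $dn[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $hex = substr($dn, $i + 1, 2);
            if (strlen($hex) === 2 && ctype_xdigit($hex)) {
                $value .= chr(hexdec($hex)); // hex-pair escape, e.g. \2C
                $i += 2;
            } else {
                $value .= $dn[++$i];         // backslash escape, e.g. \,
            }
        } elseif ($c === ',') {
            break;                           // end of the first RDN
        } else {
            $value .= $c;
        }
    }
    // Drop the attribute type ("CN=", whatever its case).
    $eq = strpos($value, '=');
    return $eq === false ? trim($value) : trim(substr($value, $eq + 1));
}

/** Lowercase group names from one user entry's memberOf attribute. */
function userGroups(array $entry)
{
    $groups = array();
    if (empty($entry['memberof'])) {
        return $groups;                      // attribute absent: no direct group memberships
    }
    foreach ($entry['memberof'] as $key => $dn) {
        if ($key === 'count') {
            continue;                        // ldap_get_entries() bookkeeping, not a group
        }
        $name = groupNameFromDn($dn);
        if ($name !== '') {
            $groups[] = strtolower($name);
        }
    }
    return $groups;
}

/** Highest level among the mapped groups the user is in; 0 if none match. */
function userLevel(array $groups, array $levels)
{
    $level = 0;
    foreach ($levels as $group => $groupLevel) {
        if (in_array(strtolower($group), $groups, true)) {
            $level = max($level, $groupLevel);
        }
    }
    return $level;
}

$groups = userGroups($user[0]);
foreach ($groups as $g) {
    echo $g, "\n";
}
echo 'userlevel = ', userLevel($groups, $levels), "\n";
```

Two things to keep in mind when using this for access control. Matching on the CN alone means a group called `Admin` anywhere in the directory would grant level 5; if your AD has more than one OU with similarly named groups, compare the full DN (case-insensitively) against a configured list instead. And `memberOf` only lists the groups the user is a direct member of, so a user who gets `Admin` through a nested group will not show up here. When you then store the level in `$_SESSION`, call `session_regenerate_id(true)` right after the successful login so the privileged session does not keep the pre-login session id.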

So really it isn’t as difficult as I first thought it might have been but it’s pretty interesting how a company can easily use one central location for their user database and have multiple internal websites authenticate against it. I personally will be looking to change some of our internal websites to work with PHP’s LDAP library so that I do not need to use multiple user tables for authentication and permissions.

This would work mainly for workplace intranet websites as opposed to regular internet websites. Though if people could utilize a system such as Windows Live ID or OpenID then we’d only ever need one username/password to log in to the billions of websites out there, right? After all, how many various username/password combinations do you currently use? I have at least 10 variations for various websites I have to keep track of in my head, all with different passwords.

To highlight the above PHP code I used Dean’s Code Highlighter WordPress Plugin. I have been searching for a decent, easy to use WordPress plugin that allowed me to highlight scripting snippets or scripts when I wrote about them. If you post HTML, CSS, PHP, or any other sort of language I recommend checking out this plugin.

Posted in: PHP, Web Development

All page content copyright © 2006-2010 by Tyler Ingram. Images protected by Attribution-Noncommercial-No Derivative Work CC License.