Question

I am able to bind to AD server, but I am having trouble understanding how to validate membership in a specific group. What I want to do is check to see if the user is part of the group "DOMAIN\IT" and if so assign a session variable that I can later use. Here is what I have so far:

    if (isset($_POST["submit"])) {
        $ldaprdn  = "DOMAIN\\" . $_POST["username"];  // ldap rdn or dn (NT-style DOMAIN\user bind name)
        $ldappass = $_POST["password"];                // associated password
    } else {
        $ldaprdn  = "noUserName";  // ldap rdn or dn
        $ldappass = "noPassWord";  // associated password
    }

    // check login form post submission and blank values
    if (isset($_POST["submit"])) {
        if ($_SESSION["blanklogin"] !== "1") {
            // connect to ldap server
            $ldapconn = ldap_connect("DC01.ROOT.DOMAIN.ORG")
                or die("Could not connect to LDAP server.");
            if ($ldapconn) {
                // binding to ldap server
                // note: ldap_bind() with an empty password is an unauthenticated bind that AD
                // accepts, so the blank-password check above must run before this point
                $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

                // verify binding
                if ($ldapbind) {
                    $_SESSION["login"] = "1";

                    // TODO: CHECK GROUP MEMBERSHIP - IF IN GROUP DOMAIN\IT then set session variable.

                    session_regenerate_id(true);
                    // header() must come before any output, otherwise PHP reports "headers already sent"
                    header("Location: index.php");
                    echo "LDAP Bind For "; echo $ldaprdn; echo " successful...";
                    echo "Login Successful";
                } else {
                    echo "LDAP bind for "; echo $ldaprdn; echo " Failed...<br />";
                    $_SESSION["login"] = "0";
                }
                $_SESSION["blanklogin"] = "0";
                ldap_unbind($ldapconn);
            }
        } else {
            echo "Username & Password Required<br />";
        }
    }

Solution

The following code is taken from one of my projects and returns a list of group names the user is a member of, including recursion. You should be able to use that to check for what you want:

$ldapConnection = ldap_connect($ldapServerAddress, $ldapServerPort);

// Do something to handle connection failure here, this is just what I did.
// (checked before ldap_set_option(), which cannot take a failed connection)
if ($ldapConnection === false) throw new ActiveDirectoryConnectionException();

ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);   // AD sends referrals that libldap cannot follow with these credentials

$ldapBind = ldap_bind($ldapConnection, $ldapUsername, $ldapPassword);

// Do something to handle binding failure here, this is just what I did.
if ($ldapBind === false) throw new ActiveDirectoryAuthenticationException();

// 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the domain controller
// evaluates nested membership, so groups the user belongs to through other groups
// are returned too. The DN is escaped as a filter value (PHP >= 5.6) so that
// '(' ')' '*' '\' inside it cannot change the meaning of the filter.
$result = ldap_search($ldapConnection, $ldapSearchRoot,
    "(member:1.2.840.113556.1.4.1941:=" . ldap_escape($userDN, '', LDAP_ESCAPE_FILTER) . ")",
    array("sAMAccountName", "dn"));

// Do something to handle query failure here, this is just what I did.
if ($result === false) throw new ActiveDirectorySearchException(ldap_error($ldapConnection), ldap_errno($ldapConnection));

$groups = ldap_get_entries($ldapConnection, $result);

$groupNames = array();

// ldap_get_entries() lower-cases attribute names and stores values as indexed arrays
for ($i = 0; $i < $groups['count']; $i++)
{
    $groupNames[] = $groups[$i]['samaccountname'][0];
}

return $groupNames;   // this sits inside a function in the original project
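Putting the answer's matching-rule query together with the question's login flow, as an added example (this is not code from the question or the answer). It assumes the question's domain controller DC01.ROOT.DOMAIN.ORG reachable over LDAPS, a base DN of DC=ROOT,DC=DOMAIN,DC=ORG, the NetBIOS domain name DOMAIN, a group whose sAMAccountName is IT (so DOMAIN\IT), a conservative allowlist for the posted username, and the session variable name itGroup; all of these are assumptions. It needs PHP 7.1 or later (ldap_escape() and nullable return types). Instead of listing every group and scanning the list, it binds as the user, resolves the user's and the group's DNs, then does a base-scope read of the group entry with the in-chain filter: the DC returns the group entry exactly when the user is a direct or nested member.

```php
<?php
// Added example, not code from the question or the answer. Assumed values:
// DC hostname DC01.ROOT.DOMAIN.ORG (over LDAPS), base DN DC=ROOT,DC=DOMAIN,DC=ORG,
// NetBIOS domain DOMAIN, and a group whose sAMAccountName is "IT" (DOMAIN\IT).
const AD_HOST     = 'ldaps://DC01.ROOT.DOMAIN.ORG';
const AD_BASE_DN  = 'DC=ROOT,DC=DOMAIN,DC=ORG';
const AD_NETBIOS  = 'DOMAIN';
// OID of LDAP_MATCHING_RULE_IN_CHAIN: the DC evaluates nested group membership.
const AD_IN_CHAIN = '1.2.840.113556.1.4.1941';

/**
 * Authenticates $username/$password against AD and reports whether the user is a
 * direct or nested member of the group with sAMAccountName $groupSam.
 * Returns null when authentication fails, otherwise ['dn' => ..., 'inGroup' => bool].
 */
function adLogin(string $username, string $password, string $groupSam): ?array
{
    // AD treats a simple bind with an empty password as an unauthenticated bind and
    // reports success, so an empty password must never reach ldap_bind().
    // The username allowlist is an assumption (a subset of what sAMAccountName permits).
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
        return null;
    }

    $conn = ldap_connect(AD_HOST);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    try {
        // The bind is the actual credential check. The @ hides the E_WARNING PHP
        // raises on "Invalid credentials", which is an expected outcome here.
        if (@ldap_bind($conn, AD_NETBIOS . '\\' . $username, $password) === false) {
            return null;
        }

        // DOMAIN\user is a bind name, not a DN; the matching rule needs DNs, so look
        // both objects up by sAMAccountName with escaped filter values.
        $userDn  = adFindDn($conn, 'user',  $username);
        $groupDn = adFindDn($conn, 'group', $groupSam);
        if ($userDn === null) {
            return null;
        }

        return [
            'dn'      => $userDn,
            'inGroup' => $groupDn !== null && adIsTransitiveMember($conn, $userDn, $groupDn),
        ];
    } finally {
        ldap_unbind($conn);
    }
}

/** Returns the DN of the object of $objectClass with the given sAMAccountName, or null. */
function adFindDn($conn, string $objectClass, string $sam): ?string
{
    $filter = sprintf('(&(objectClass=%s)(sAMAccountName=%s))',
        $objectClass, ldap_escape($sam, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($conn, AD_BASE_DN, $filter, ['dn']);
    if ($res === false) {
        return null;
    }
    $entry = ldap_first_entry($conn, $res);
    return $entry === false ? null : ldap_get_dn($conn, $entry);
}

/**
 * Base-scope read of the group entry with a member:<in-chain>:=<userDn> filter.
 * The DC returns the group entry only if $userDn is a direct or nested member,
 * so one entry means "member" and zero entries means "not a member".
 */
function adIsTransitiveMember($conn, string $userDn, string $groupDn): bool
{
    $filter = sprintf('(member:%s:=%s)', AD_IN_CHAIN, ldap_escape($userDn, '', LDAP_ESCAPE_FILTER));
    $res = ldap_read($conn, $groupDn, $filter, ['dn']);
    return $res !== false && ldap_count_entries($conn, $res) === 1;
}

// Login handler in the shape of the question's form (session variable names assumed).
session_start();
if (isset($_POST['submit'])) {
    $login = adLogin((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''), 'IT');
    if ($login === null) {
        $_SESSION['login'] = '0';
        echo 'Username & Password invalid<br />';
    } else {
        session_regenerate_id(true);                      // new session id once privileges change
        $_SESSION['login']   = '1';
        $_SESSION['itGroup'] = $login['inGroup'] ? '1' : '0';
        header('Location: index.php');                    // before any output, or the redirect fails
        exit;
    }
}
```

Two points worth keeping even if the rest is adapted: the empty-password guard sits before ldap_bind() because the bind alone would report success for an empty password, and every value that goes into a filter passes through ldap_escape() so a username such as `*` or `)(objectClass=*` cannot widen the search.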
Licensed under: CC-BY-SA with attribution