<?php
// file: authenticate.php
// created by: Alex Gordon, Elliott Staude
// date: 02-19-2014
// purpose: this file's operation checks a user's credentials against the records contained within Active Directory
// part of the collection of files for the GQUIP project, designed for Gordon College, 2013-2014
//
//
// function: authenticate_with_ad
// @param $user: the username (sAMAccountName, without domain suffix) that the function must verify
// @param $password: the password that the function must verify
// purpose: this function receives the credentials collected by GQUIP's forms, binds to Active
// - Directory with them, and then determines the user's access level from the groups the
// - user belongs to in the Active Directory records (no group membership means no access)
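// Start (or join) the PHP session that will carry the user's access level.
// Guarded so that including this file from a page that already started its
// session does not raise a "session already active" notice.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
// Constants
// Symbolic constants for different levels of access. Faculty and staff are
// deliberately the same level (both may edit GQUIP data); managers outrank both.
const NO_ACCESS = 0;
const USER_ACCESS = 1;
const FACULTY_ACCESS = 2;
const STAFF_ACCESS = 2;
const MANAGER_ACCESS = 3;
// Domain, for purposes of constructing the bind identity (user principal name) from $user
const USER_DOMAIN = "@gordon.edu";

// Escapes a value for safe inclusion inside an LDAP search filter (RFC 4515).
// Uses ldap_escape() where available (PHP >= 5.6) and otherwise applies the
// same hex-escaping to the filter metacharacters: \ * ( ) and NUL.
// @param string $value  raw text to embed in a filter
// @return string        the escaped text
function gquip_ldap_filter_escape($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Backslash is replaced first so the escapes inserted afterwards are not re-escaped
    return str_replace(
        array('\\', '*', '(', ')', "\0"),
        array('\5c', '\2a', '\28', '\29', '\00'),
        $value
    );
}

// Decides whether a DN returned in memberOf names exactly the given group.
// The first RDN of a group entry is "CN=<name>", so the DN must begin with
// "CN=<name>," (or be exactly "CN=<name>"); the comparison is case-insensitive,
// as AD names are. This replaces the previous substring test, which would also
// have matched "CET-Admin-Readonly" or any OU whose name contained the group's.
// @param mixed  $dn     one memberOf value (non-strings are never a match)
// @param string $group  the group's common name
// @return bool
function gquip_dn_is_group($dn, $group) {
    if (!is_string($dn)) {
        return false;
    }
    $rdn = 'CN=' . $group;
    if (strcasecmp($dn, $rdn) === 0) {
        return true;
    }
    $prefix = $rdn . ',';
    return strncasecmp($dn, $prefix, strlen($prefix)) === 0;
}

// Computes the highest access level granted by a memberOf attribute.
// @param array $member_of     the memberOf values as returned by ldap_get_entries();
//                             the 'count' element that function adds is skipped
// @param array $group_levels  map of group common name => access constant
// @return int                 the highest matching level, NO_ACCESS if none match
function gquip_access_from_groups($member_of, $group_levels) {
    $access = NO_ACCESS;
    foreach ($member_of as $key => $dn) {
        if ($key === 'count') {
            continue;
        }
        foreach ($group_levels as $group => $level) {
            if (gquip_dn_is_group($dn, $group)) {
                $access = max($access, $level);
            }
        }
    }
    return $access;
}

// Verifies $user/$password against Active Directory and, on success, records
// the user's access level in the session.
// @param string $user      the sAMAccountName typed into the login form (no domain suffix)
// @param string $password  the password typed into the login form
// @return bool  true when the bind succeeded and the user belongs to at least one
//               GQUIP group ($_SESSION['user'] and $_SESSION['access'] are then set);
//               false for empty/invalid credentials or no GQUIP group membership.
//               As in the original, a failure of the group search itself exits the
//               page with a fixed message rather than returning.
function authenticate_with_ad($user, $password) {
    // Active Directory server: the location of the records that will be queried against
    // NOTE(review): this is a plain ldap:// connection, so the simple bind below sends
    // the password in cleartext on the wire. Prefer "ldaps://..." or ldap_start_tls()
    // once the server is confirmed to support it.
    $ldap_host = "Elder2.gordon.edu";
    $ldap_dn = "OU=Gordon College,DC=gordon,DC=edu";
    // Active Directory group common names and the access level each grants.
    // (The previous version tested the faculty group twice and never the staff
    // group, so staff members were denied access.)
    $group_levels = array(
        "CTS-Helpdesk-Students" => USER_ACCESS,   // basic access to GQUIP
        "Faculty-SG" => FACULTY_ACCESS,           // may edit GQUIP data
        "Staff-SG" => STAFF_ACCESS,               // may edit GQUIP data
        "CET-Admin" => MANAGER_ACCESS,            // full access to GQUIP
    );

    // Refuse empty or non-string credentials before touching the directory.
    // Active Directory treats a bind with an empty password as an anonymous bind
    // and reports it as successful, which would let any username through
    // without a password.
    if (!is_string($user) || !is_string($password) || $user === '' || $password === '') {
        return false;
    }

    // Connect to active directory
    $ldap = ldap_connect($ldap_host);
    if ($ldap === false) {
        return false;
    }
    // AD expects LDAPv3; referral chasing is disabled because AD answers subtree
    // searches with referrals that libldap would otherwise try to follow and fail on.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Attempt to bind to Active Directory - check that the username and password are
    // paired in the records (ldap_bind emits a warning on a failed bind, hence the @)
    if (!@ldap_bind($ldap, $user . USER_DOMAIN, $password)) {
        // invalid name or password in active directory
        return false;
    }

    // Make sure that the user exists in the groups. The username is escaped so that
    // filter metacharacters typed into the login form cannot alter the query
    // (LDAP filter injection).
    $filter = "(sAMAccountName=" . gquip_ldap_filter_escape($user) . ")";
    $attr = array("memberof");
    // The actual check is performed here
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr);
    if ($result === false) {
        ldap_unbind($ldap);
        // Preserved from the original: a failed search aborts the page outright
        exit("Unable to search LDAP server");
    }
    $info = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);

    // No entry under the base DN means the account is outside GQUIP's scope;
    // an entry without memberOf simply has no groups.
    if ($info === false || !isset($info['count']) || $info['count'] < 1) {
        return false;
    }
    $member_of = isset($info[0]['memberof']) ? $info[0]['memberof'] : array();
    $access = gquip_access_from_groups($member_of, $group_levels);
    if ($access === NO_ACCESS) {
        // user has no rights to access gquip
        return false;
    }

    // Successful login: issue a fresh session id so a session id planted before
    // login (session fixation) cannot become an authenticated one.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    // establish session variables for access
    $_SESSION['user'] = $user;
    $_SESSION['access'] = $access;
    return true;
}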
?>