rhukster/test-ldap-2.php

## test-ldap-2.php
#!/usr/bin/php
<?php

# Parse options
$opts = getopt('h:n:u:p:b:s:', array( 'help' ));

if (isset($opts['help']) && $opts['help']) {
	echo <<<ENDHELP
Usage:
    $argv[0] [-h HOSTNAME] [-n PORTNUM] [-u USERNAME] [-p PASSWORD] [-b BASEDN] [-s SEARCH]
Where:
    HOSTNAME is the LDAP hostname to connect to; omit to use default (pool.ldap.csiro.au)
    PORTNUM is the port number to connect to; omit to use default (389)
    USERNAME is the username passed to ldap_bind(); omit to bind anonymously
    PASSWORD is the password passed to ldap_bind(); omit to bind without a password
    BASEDN is the base DN passed to ldap_search(); omit to use the default (DC=nexus,DC=csiro,DC=au)
    SEARCH is the search string passed to ldap_search(); omit to use the default (sAMAccountName=gib392)
ENDHELP
;
	exit(0);
}

# Extract options into variables
$hostname = isset($opts['h']) ? $opts['h'] : 'pool.ldap.csiro.au';
$port_num = isset($opts['n']) ? intval($opts['n']) : 389;
$username = isset($opts['u']) ? $opts['u'] : null;
$password = isset($opts['p']) ? $opts['p'] : null;
$base_dn = isset($opts['b']) ? $opts['b'] : 'DC=nexus,DC=csiro,DC=au';
$search = isset($opts['s']) ? $opts['s'] : 'sAMAccountName=gib392';

# Connect to LDAP
echo "Executing: ldap_connect('$hostname', $port_num)" . PHP_EOL;
$ldap = ldap_connect($hostname, $port_num);

# Protocol version 3 and no referrals are required for AD
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

# Bind to LDAP
echo "Executing: ldap_bind(<ldap>, '$username', '$password')" . PHP_EOL;
$bind_result = ldap_bind($ldap, $username, $password);
if (!$bind_result) {
	echo "Error: Could not bind: " . PHP_EOL . ldap_error($ldap) . PHP_EOL;
	exit(100);
}

# Perform search
echo "Executing: ldap_search(<ldap>, '$base_dn', '$search')" . PHP_EOL;
$results = ldap_search($ldap, $base_dn, $search);
if (!$results) {
	echo "Error: Could not search" . PHP_EOL . ldap_error($ldap) . PHP_EOL;
	exit(200);
}

# Output results
echo "Got results fro LDAP search..." . PHP_EOL;
print_r(ldap_get_entries($ldap, $results));

## test-ldap.php
#!/usr/bin/php
<?php
// USAGE: test-ldap.php <username>
// This will check the given <username> for access and group membership.  The <username> is required.
// Note that the username and password used for the bind() operation is defined as a constant and is not
// necessarily the same as the username given as argument to the script.

// These constants need values which are environment-specific.
define('HOSTNAME', '');  // This was a normal FQHN, e.g. "server.domain.org.au"
define('USERNAME', '');  // This is a Windows login workgroup style username, e.g. "WORKGROUP\joe.bloggs"
define('PASSWORD', '');  // Plain text password, e.g. "password"
define('BASE_DN', '');   // The base distinguished name, consisting of several domain components, e.g. "DC=domain,DC=org,DC=au"
define('USER_OU', '');   // The organisation unit hierarchy describing where users are, e.g. "OU=Users,OU=Department,OU=TheCompany"
define('GROUP_DN', '');  // Pipe-separated list of distinguished names of groups to match against, e.g. "CN=UserGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au|CN=AdminGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au"
define('ATTRIBUTE', ''); // The attribute used to match against the entered username, e.g. in our case, "sAMAccountName"

$ldap = ldap_connect(HOSTNAME);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

if (!ldap_bind($ldap, USERNAME, PASSWORD)) {
	ldap_unbind($ldap);
	die('Authentication error' . PHP_EOL);
}

$search = sprintf('%s,%s', USER_OU, BASE_DN);
$filter = sprintf('%s=%s', ATTRIBUTE, (isset($argv[1]) ? $argv[1] : ''));
$results = ldap_search($ldap, $search, $filter, array( ATTRIBUTE, 'givenName', 'sn', 'memberOf' ));
if (!$results) {
	ldap_unbind($ldap);
	die('Search error' . PHP_EOL);
}

$entry = ldap_first_entry($ldap, $results);
if (!$entry) {
	ldap_unbind($ldap);
	die('No results found' . PHP_EOL);
}

$attrs = ldap_get_attributes($ldap, $entry);

echo 'Success! Found ' . $attrs['givenName'][0] . ' ' . $attrs['sn'][0] . PHP_EOL;

$keys = array_filter(array_keys($attrs), function ($item) {
	return !is_numeric($item);
});
sort($keys);
print_r($keys);

print_r($attrs['memberOf']);
$groups = explode('|', GROUP_DN);
$match = sizeof(array_intersect($groups, $attrs['memberOf'])) > 0;
echo $match ? 'Found group, user can login' . PHP_EOL : 'Did not find group' . PHP_EOL;

ldap_unbind($ldap);
	#!/usr/bin/php
	<?php

	# Parse options
	$opts = getopt('h:n:u:p:b:s:', array( 'help' ));

	if (isset($opts['help']) && $opts['help']) {
	echo <<<ENDHELP
	Usage:
	$argv[0] [-h HOSTNAME] [-n PORTNUM] [-u USERNAME] [-p PASSWORD] [-b BASEDN] [-s SEARCH]
	Where:
	HOSTNAME is the LDAP hostname to connect to; omit to use default (pool.ldap.csiro.au)
	PORTNUM is the port number to connect to; omit to use default (389)
	USERNAME is the username passed to ldap_bind(); omit to bind anonymously
	PASSWORD is the password passed to ldap_bind(); omit to bind without a password
	BASEDN is the base DN passed to ldap_search(); omit to use the default (DC=nexus,DC=csiro,DC=au)
	SEARCH is the search string passed to ldap_search(); omit to use the default (sAMAccountName=gib392)
	ENDHELP
	;
	exit(0);
	}

	# Extract options into variables
	$hostname = isset($opts['h']) ? $opts['h'] : 'pool.ldap.csiro.au';
	$port_num = isset($opts['n']) ? intval($opts['n']) : 389;
	$username = isset($opts['u']) ? $opts['u'] : null;
	$password = isset($opts['p']) ? $opts['p'] : null;
	$base_dn = isset($opts['b']) ? $opts['b'] : 'DC=nexus,DC=csiro,DC=au';
	$search = isset($opts['s']) ? $opts['s'] : 'sAMAccountName=gib392';

	# Connect to LDAP
	echo "Executing: ldap_connect('$hostname', $port_num)" . PHP_EOL;
	$ldap = ldap_connect($hostname, $port_num);

	# Protocol version 3 and no referrals are required for AD
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

	# Bind to LDAP
	echo "Executing: ldap_bind(<ldap>, '$username', '$password')" . PHP_EOL;
	$bind_result = ldap_bind($ldap, $username, $password);
	if (!$bind_result) {
	echo "Error: Could not bind: " . PHP_EOL . ldap_error($ldap) . PHP_EOL;
	exit(100);
	}

	# Perform search
	echo "Executing: ldap_search(<ldap>, '$base_dn', '$search')" . PHP_EOL;
	$results = ldap_search($ldap, $base_dn, $search);
	if (!$results) {
	echo "Error: Could not search" . PHP_EOL . ldap_error($ldap) . PHP_EOL;
	exit(200);
	}

	# Output results
	echo "Got results fro LDAP search..." . PHP_EOL;
	print_r(ldap_get_entries($ldap, $results));
	#!/usr/bin/php
	<?php
	// USAGE: test-ldap.php <username>
	// This will check the given <username> for access and group membership. The <username> is required.
	// Note that the username and password used for the bind() operation is defined as a constant and is not
	// necessarily the same as the username given as argument to the script.

	// These constants need values which are environment-specific.
	define('HOSTNAME', ''); // This was a normal FQHN, e.g. "server.domain.org.au"
	define('USERNAME', ''); // This is a Windows login workgroup style username, e.g. "WORKGROUP\joe.bloggs"
	define('PASSWORD', ''); // Plain text password, e.g. "password"
	define('BASE_DN', ''); // The base distinguished name, consisting of several domain components, e.g. "DC=domain,DC=org,DC=au"
	define('USER_OU', ''); // The organisation unit hierarchy describing where users are, e.g. "OU=Users,OU=Department,OU=TheCompany"
	define('GROUP_DN', ''); // Pipe-separated list of distinguished names of groups to match against, e.g. "CN=UserGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au\|CN=AdminGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au"
	define('ATTRIBUTE', ''); // The attribute used to match against the entered username, e.g. in our case, "sAMAccountName"

	$ldap = ldap_connect(HOSTNAME);
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

	if (!ldap_bind($ldap, USERNAME, PASSWORD)) {
	ldap_unbind($ldap);
	die('Authentication error' . PHP_EOL);
	}

	$search = sprintf('%s,%s', USER_OU, BASE_DN);
	$filter = sprintf('%s=%s', ATTRIBUTE, (isset($argv[1]) ? $argv[1] : ''));
	$results = ldap_search($ldap, $search, $filter, array( ATTRIBUTE, 'givenName', 'sn', 'memberOf' ));
	if (!$results) {
	ldap_unbind($ldap);
	die('Search error' . PHP_EOL);
	}

	$entry = ldap_first_entry($ldap, $results);
	if (!$entry) {
	ldap_unbind($ldap);
	die('No results found' . PHP_EOL);
	}

	$attrs = ldap_get_attributes($ldap, $entry);

	echo 'Success! Found ' . $attrs['givenName'][0] . ' ' . $attrs['sn'][0] . PHP_EOL;

	$keys = array_filter(array_keys($attrs), function ($item) {
	return !is_numeric($item);
	});
	sort($keys);
	print_r($keys);

	print_r($attrs['memberOf']);
	$groups = explode('\|', GROUP_DN);
	$match = sizeof(array_intersect($groups, $attrs['memberOf'])) > 0;
	echo $match ? 'Found group, user can login' . PHP_EOL : 'Did not find group' . PHP_EOL;

	ldap_unbind($ldap);