Check if a user belongs to an LDAP+PHP group

1

I wonder if it is possible to check directly in AD whether a user belongs to a certain group, to validate them as admin or not.

I’m doing it this way:

    /*
     * $this->status   connection status
     * $this->ds       link identifier
     * $this->dn       base DN
     * $this->usuario  user I am looking up in the group
     */

    public function isAdmGroup() {
        if ($this->status) {
            $grupo = 'CN=GrupoX,OU=Grupos,OU=Grupos de Acesso,DC=exemplo,DC=com,DC=br';
            // Escape the user name so it cannot change the structure of the filter
            $usuario = ldap_escape($this->usuario, '', LDAP_ESCAPE_FILTER);
            $filter = "(&(objectClass=user)(sAMAccountname=".$usuario.")(memberOf=".$grupo."))";
            // Only the memberof attribute is requested for the matching entry
            $attributes = array('memberof');
            $search = ldap_search($this->ds, $this->dn, $filter, $attributes);
            return ldap_get_entries($this->ds, $search);
        }
    }

However, it returns all of the user's groups, and sometimes it is a large array.

I would like to do a more objective search, just checking whether the user is part of the group or not, rather than returning all the groups that the user belongs to.

1 answer

1

You can change the variable $grupo to the DN of the administrator group you want and check whether the ldap_search function returns any object; if the result is empty, the user is not a member of this group.

There is no need to recheck the contents of the memberOf attribute unless you want to process the other groups that this administrator may be associated with.
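The check described in the answer, as an added example that is not part of the original question or answer: it returns a boolean, escapes both values that go into the filter, asks the server for no attributes, and fails closed if the search errors. The function names, the `IN_CHAIN` constant name and the sample user name are assumptions; the nested-group option goes beyond the answer and relies on Active Directory's `LDAP_MATCHING_RULE_IN_CHAIN` matching rule.

```php
<?php
// Added example, not code from the question or the answer.
// Function and constant names are hypothetical; requires PHP's ldap extension.

// Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN: when used on
// memberOf it also matches membership inherited through nested groups.
const IN_CHAIN = '1.2.840.113556.1.4.1941';

function buildMembershipFilter(string $user, string $groupDn, bool $nested = false): string
{
    // Escape both values so neither can change the structure of the filter.
    $u = ldap_escape($user, '', LDAP_ESCAPE_FILTER);
    $g = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    $memberOf = $nested ? 'memberOf:' . IN_CHAIN . ':=' : 'memberOf=';

    return "(&(objectClass=user)(sAMAccountName={$u})({$memberOf}{$g}))";
}

function isMemberOf($ds, string $baseDn, string $user, string $groupDn, bool $nested = false): bool
{
    if ($user === '') {
        return false; // never build a filter from an empty account name
    }

    $filter = buildMembershipFilter($user, $groupDn, $nested);

    // '1.1' requests no attributes: only whether an entry matched matters.
    // A size limit of 2 is enough to tell "exactly one match" from anything else.
    $search = @ldap_search($ds, $baseDn, $filter, ['1.1'], 0, 2);
    if ($search === false) {
        return false; // fail closed: a failed search must not grant admin
    }

    // Admin only when exactly one account matched the filter.
    return ldap_count_entries($ds, $search) === 1;
}

// Constructed sample input: a user name containing filter metacharacters,
// printed to show the filter that would be sent to the server.
$grupo = 'CN=GrupoX,OU=Grupos,OU=Grupos de Acesso,DC=exemplo,DC=com,DC=br';
echo buildMembershipFilter('maria*)(cn=', $grupo, true), PHP_EOL;
```

Inside the asker's class this would be called as `isMemberOf($this->ds, $this->dn, $this->usuario, $grupo)`. A plain `memberOf` match does not cover a group that is only the user's primary group, so an admin group should not be assigned that way.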
