I want only a (faculty) group of users to be able to access a certain web page on my website.

This page is only meant to be seen by faculty.

Within active directory, we have a group called "faculty"

Here is a snippet of code I have to authenticate users via ldap/active directory, but I want to only authenticate users that are within the faculty group.

$ldap = ldap_connect("ldap.domain.com");
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // Active Directory requires LDAPv3
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // AD referrals otherwise break later searches
// An empty password makes AD perform an anonymous bind that "succeeds", so refuse it
if (($_POST['password'] ?? '') !== '' && ldap_bind($ldap, $_POST['username'], $_POST['password'])) {
  // log them in!
} else {
  // error message
}
+1  A: 

AD stores the Member list on Groups, not the Group Membership on users, so you would have to retrieve the cn=faculty,ou=whatever,dc=acme,dc=com object's Member list, and see if this user is listed. If they are, then let them try and bind, which if it succeeds continue.

I would test for the group membership before testing the bind, since a bind is usually more expensive than a query.

geoffc
would that use the ldap_search function, to search for the user in the specified group and return true?
Brad
@geoffc - are you sure? I'm looking at my AD schema and I see that my user has some memberOf attributes that are the groups I'm a member of. I'm not sure if that's a Microsoft-ism, or if that's standard LDAP practice (trying to figure that out at the moment).
DougN
Officially the schema does not support it, as of last I looked. It may LOOK like it's there, sometimes, if the tool fakes it in the background by checking the global catalog or querying for all groups this user is a member of. Maybe they changed it?
geoffc
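The flow the answer describes (read the group object's member list, and only bind as the user once they are listed), written out as an added example; it is not code from the question or from the answer. The LDAPS URI, the read-only service account used for the lookup, its password in the LDAP_SVC_PW environment variable, and the user search base are assumptions; the group DN is the one quoted in the answer. It also escapes the submitted login name before placing it in a search filter and refuses empty passwords, since Active Directory treats an empty-password bind as an anonymous bind that reports success.

```php
<?php
// Added example, not code from the original question or answer.
declare(strict_types=1);

function ldapConfig(): array
{
    return [
        'uri'       => 'ldaps://ldap.domain.com',               // assumption: LDAPS rather than plain ldap://
        'svc_dn'    => 'cn=webauth,ou=service,dc=acme,dc=com',  // assumption: read-only lookup account
        'svc_pw'    => (string) getenv('LDAP_SVC_PW'),          // assumption: secret supplied via environment
        'user_base' => 'ou=people,dc=acme,dc=com',              // assumption: where user objects live
        'group_dn'  => 'cn=faculty,ou=whatever,dc=acme,dc=com', // group DN from the answer
    ];
}

/**
 * True only if $username appears in the faculty group's member attribute
 * AND binds successfully with $password. Membership is checked first, as the
 * answer suggests, so non-faculty accounts never trigger a user bind at all.
 */
function authenticateFaculty(string $username, string $password): bool
{
    $cfg = ldapConfig();
    // Empty passwords (user's or service account's) would become anonymous binds.
    if ($username === '' || $password === '' || $cfg['svc_pw'] === '') {
        return false;
    }
    $ldap = ldap_connect($cfg['uri']);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // AD referrals otherwise break searches

    // 1. Bind as the read-only service account for the lookups.
    if (!@ldap_bind($ldap, $cfg['svc_dn'], $cfg['svc_pw'])) {
        return false;
    }

    // 2. Resolve the login name to the user's DN. The name is attacker-controlled
    //    input, so it is escaped before being interpolated into the filter.
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($ldap, $cfg['user_base'], $filter, ['dn'], 0, 2);
    if ($res === false || ldap_count_entries($ldap, $res) !== 1) {
        ldap_unbind($ldap);
        return false; // unknown or ambiguous account
    }
    $userDn = ldap_get_dn($ldap, ldap_first_entry($ldap, $res));
    if ($userDn === false) {
        ldap_unbind($ldap);
        return false;
    }

    // 3. Read the group object itself and ask whether its member list contains
    //    this DN; the server performs the comparison, so DN formatting is handled there.
    $memberFilter = sprintf('(member=%s)', ldap_escape($userDn, '', LDAP_ESCAPE_FILTER));
    $grp = @ldap_read($ldap, $cfg['group_dn'], $memberFilter, ['cn']);
    if ($grp === false || ldap_count_entries($ldap, $grp) !== 1) {
        ldap_unbind($ldap);
        return false; // not a direct member of faculty
    }

    // 4. Only now spend the (more expensive) bind to verify the password.
    $ok = @ldap_bind($ldap, $userDn, $password);
    ldap_unbind($ldap);
    return $ok;
}

// Usage in the login handler:
// if (authenticateFaculty($_POST['username'] ?? '', $_POST['password'] ?? '')) { /* log them in */ }
```

Two points worth knowing when adapting this: the `member` attribute lists direct members only, so a user who reaches faculty through a nested group will be rejected unless the membership filter uses AD's matching-rule-in-chain extension (`member:1.2.840.113556.1.4.1941:=<dn>`) instead of a plain `member=` comparison; and the service account should have no rights beyond reading user and group objects, since its password sits on the web server.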