Check whether a user belongs to a group with LDAP + PHP

0

I would like to know if it is possible to check directly in AD whether a user belongs to a particular group, to validate them as admin or not.

I'm doing it this way:

    /*
     * $this->status  connection status
     * $this->ds      link identifier
     * $this->dn      base DN
     * $this->usuario user being looked up in the group
     */

    public function isAdmGroup() {
        if ($this->status) {
            $grupo = 'CN=GrupoX,OU=Grupos,OU=Grupos de Acesso,DC=exemplo,DC=com,DC=br';
            // Escape the username so filter metacharacters in it are treated literally
            $usuario = ldap_escape($this->usuario, '', LDAP_ESCAPE_FILTER);
            $filter = "(&(objectClass=user)(sAMAccountname=".$usuario.")(memberOf=".$grupo."))";
            $attributes = array('memberof');
            $search = ldap_search($this->ds, $this->dn, $filter, $attributes);
            return ldap_get_entries($this->ds, $search);
        }
    }

However, it returns all user groups, and sometimes it's a large array.

I'd like to do a more objective search, just checking whether it's part of the group or not, instead of returning all the groups the user belongs to.

    
asked by anonymous 21.07.2014 / 18:53

1 answer

1

You can change the $grupo variable to the DN of the Administrators group you want and check whether the ldap_search function returns any object; if the result is empty, the user is not a member of this group.

There is no need to recheck the content of the memberOf attribute unless you want to process the other groups that this administrator can be associated with.

    
21.07.2014 / 22:28
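The check the answer describes, as an added example that is not part of the original posts: the search requests no attributes and returns a boolean, with the username and group DN passed through `ldap_escape`. The function names and sample usernames are hypothetical, PHP's ldap extension is assumed, and the optional `$nested` flag goes beyond the page by using Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule to include nested groups.

```php
<?php
// Added example; function names and sample values are hypothetical.

// Active Directory matching rule that also follows nested group membership.
const MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941';

/** Build a filter that matches only if $user is a member of $groupDn. */
function buildMembershipFilter(string $user, string $groupDn, bool $nested = false): string
{
    // Escape both values so filter metacharacters (* ( ) \ NUL) stay literal.
    $u = ldap_escape($user, '', LDAP_ESCAPE_FILTER);
    $g = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    $member = $nested
        ? '(memberOf:' . MATCHING_RULE_IN_CHAIN . ":=$g)"
        : "(memberOf=$g)";
    return "(&(objectClass=user)(sAMAccountName=$u)$member)";
}

/** True only when exactly one entry matches; any error counts as "not a member". */
function isMemberOf($ds, string $baseDn, string $user, string $groupDn, bool $nested = false): bool
{
    $filter = buildMembershipFilter($user, $groupDn, $nested);
    // '1.1' asks the server for no attributes, so the group list is never returned.
    $search = @ldap_search($ds, $baseDn, $filter, ['1.1']);
    if ($search === false) {
        return false; // fail closed on a search error
    }
    return ldap_count_entries($ds, $search) === 1;
}

// Constructed inputs: print the filters that would be sent to the directory.
$group = 'CN=GrupoX,OU=Grupos,OU=Grupos de Acesso,DC=exemplo,DC=com,DC=br';
foreach (['maria.silva', 'jo*'] as $name) {
    echo buildMembershipFilter($name, $group), PHP_EOL;
}
```

With `$nested` left false, only direct membership is matched, as in the question's filter.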