仅使用sudo用户和密码从PHP使用LDAP验证用户?
如何使用LDAP和sudo用户及密码从PHP进行身份验证 我发现了如下验证用户身份的简单php脚本,但我的ldap数据库中有nosudo用户和sudo用户 这个脚本验证所有用户sudo以及nosudo用户,我只希望sudo用户能够登录。那么你能建议修改吗 Php脚本仅使用sudo用户和密码从PHP使用LDAP验证用户?,php,ldap,Php,Ldap,如何使用LDAP和sudo用户及密码从PHP进行身份验证 我发现了如下验证用户身份的简单php脚本,但我的ldap数据库中有nosudo用户和sudo用户 这个脚本验证所有用户sudo以及nosudo用户,我只希望sudo用户能够登录。那么你能建议修改吗 Php脚本 // get username and password from form $username = $_POST['username']; $password = $_POST['password']; /* * c
// get username and password from form
$username = $_POST['username'];
$password = $_POST['password'];
/*
* checks the credentials against the LDAP server
* $user - myBYU
* $pass - password
*/
function authenticate($user,$pass){
// prevents guest account access
if($pass == ""){
return false;
}
try{
$Yldap_location = "ldap://ldap.byu.edu";
$ldap_port = 389;
// call the ldap connect function
$Ydatabase = ldap_connect($Yldap_location, $ldap_port);
// bind the connection
$good = @ldap_bind($Ydatabase, "uid=".$user.",ou=People,o=BYU.edu", $pass);
if($good){
// valid credentials
return true;
}
else{
// invalid credentials
return false;
}
}
catch(Exception $e){
return false;
}
}
// call authenticate function
if(authenticate($username,$password)){
// authenticate successful
// set session
$_SESSION['loggedin'] = "true";
// redirect
echo $_SESSION['loggedin'];
$url = "http://orca.byu.edu/iacuc/".$_SESSION['url'];
header("Location: ".$url);
}
else{
// authenticate fails
// redirect to login
header("Location: http://orca.byu.edu/iacuc/Login.php");
}
**Sudo User Ldif is**
dn: uid=rupesh,ou=example,dc=example,dc=com
cn: Rupesh Jeevanrao Shewalkar
gidnumber: 502
homedirectory: /home/rupesh
loginshell: /bin/bash
mail: rupesh.shewalkar@example.com
mobile: 99999999
objectclass: extensibleObject
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
objectclass: sudoRole
shadowlastchange: 16148
shadowmax: 99999
shadowmin: 0
shadowwarning: 7
sudocommand: ALL
sudohost: ALL
sudooption: logfile=/var/log/sudo.log
sudooption: timestamp_timeout=5
sudooption: ignore_local_sudoers
sudooption: !env_reset
sudooption: log_year
sudooption: log_host
sudooption: insults
sudouser: rupesh
uid: rupesh
uidnumber: 2164
userpassword: welcome123
------------------------------
**Non sudo user LDIF:**
dn: uid=contactus,ou=example,dc=example,dc=com
cn: contactus
gidnumber: 502
homedirectory: /home/contactus
loginshell: /bin/bash
mail: Contact.Us@example.com
objectclass: extensibleObject
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
objectclass: sudoRole
shadowlastchange: 15621
shadowmax: 99999
shadowmin: 0
shadowwarning: 7
uid: contactus
uidnumber: 2108
userpassword:welcome@123
我首先使用给定uid对用户进行LDAP搜索,该uid的属性
objectclass
设置为sudorole。如果没有返回结果,则表明用户名错误或用户不是sudoer
当您有结果时,可以使用该结果dn
检查提供的密码。我准备了一个完整的代码示例
您必须将第38行中的过滤器从objectclass=posixAccount
调整为objectclass=sudorole
希望这有助于如何区分LDAP中的sudo用户和非sudo用户?有一个objectclass“sudoRole”可以使用,但是它被分配给了两个用户,所以它似乎是无用的。我将从非sudo用户中删除sudoRole,但是你能帮助我如何用php编写代码吗