John Davidson

nginx - PHP ldap filters are not applied

I am currently trying to restrict my LDAP login using LDAP filters, but for some reason the filters have no effect. My goal is that only users that are in the group "example" can log in. So the LDAP filter would be


(&(objectclass=user)(department=example))

Here is my PHP Code:


```php
<?php
if (isset($_POST['username']) && isset($_POST['password'])) {

    $adServer = "ldap://ldap.domain.com";

    $ldap = ldap_connect($adServer);
    $username = $_POST['username'];
    $password = $_POST['password'];

    // NT-style bind name: DOMAIN\username
    $ldaprdn = 'ad' . "\\" . $username;

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Authentication step: bind with the submitted credentials
    $bind = @ldap_bind($ldap, $ldaprdn, $password);

    if ($bind) {
        // The filter is only applied to this search; the search result is
        // not consulted before the session is created below
        $filter = "(department=example)"; // also tried "(|(sAMAccountName=user1)(sAMAccountName=user2))";
        $result = ldap_search($ldap, "OU=example,DC=ad,DC=domain,DC=com", $filter);
        ldap_sort($ldap, $result);
        $info = ldap_get_entries($ldap, $result);
        for ($i = 0; $i < $info["count"]; $i++) {
            if ($info['count'] > 1)
                break;
        }
        @ldap_close($ldap);
        // A session is started for every successful bind
        session_start();
        $_SESSION['sid'] = session_id();
        header('Location: https://domain.example.com/success.php');
    } else {
        $msg = "Invalid username / password";
        echo $msg;
    }

} else {
?>
<html>
Form...
</html>
<?php } ?>
```

Are my LDAP filters wrong, or why aren't they applied? I also tried to allow only some users to access, but that didn't work either. Whatever filter I set, every user can log in (with correct credentials, of course).


Thanks for all answers in advance; if you need any further info/logs, please tell me.


### Setup:

```text
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian

nginx version: nginx/1.14.2

PHP 7.3.19-1~deb10u1 (cli) (built: Jul 5 2020 06:46:45) ( NTS )
PHP 7.3.19-1~deb10u1 (fpm-fcgi) (built: Jul 5 2020 06:46:45)
```



My Answer:
"developers" should be able to log in. Here is my nginx configuration:


```nginx
location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    fastcgi_param LDAP_FILTER "(&(objectClass=user)(memberOf=CN=developers,OU=Groups,DC=example,DC=com))";
}
```


However, when I try to log in with a user that is not in the "developers" group, I am still able to log in successfully. I have checked the LDAP server and the user is definitely not in the "developers" group.

I have also tried using the LDAP filter directly in my PHP code, and it works as expected. So it seems like the issue is with how nginx is handling the LDAP filter.

Any help or suggestions on how to troubleshoot this issue would be greatly appreciated. Thank you.
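As an added example (not the poster's code and not from this blog), here is the bind-then-search pattern from the question with the search result actually gating the session and the username escaped before it is placed in the filter. The host, base DN and group DN are hypothetical; the `$_SERVER['LDAP_FILTER']` lookup shows where the `fastcgi_param` from the nginx follow-up ends up, since nginx only passes that string to PHP-FPM and never enforces it.

```php
<?php
// Added example, not the poster's code. Host, base DN and group DN are hypothetical.

function ldap_authenticate_in_group(string $username, string $password): bool
{
    // An empty password turns the bind into an anonymous bind, which many
    // directories accept regardless of the username: reject it up front.
    if ($username === '' || $password === '') {
        return false;
    }
    $ldap = ldap_connect('ldaps://ldap.domain.com');   // hypothetical host, TLS
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Step 1, authentication: bind as the user (DOMAIN\username form).
    if (!@ldap_bind($ldap, 'ad\\' . $username, $password)) {
        ldap_close($ldap);
        return false;
    }

    // Step 2, authorization: search for THIS user under the group filter.
    // nginx's fastcgi_param only delivers the filter as $_SERVER['LDAP_FILTER'];
    // it restricts nothing unless the code applies it and checks the result.
    $groupFilter = $_SERVER['LDAP_FILTER']
        ?? '(&(objectClass=user)(memberOf=CN=developers,OU=Groups,DC=ad,DC=domain,DC=com))';
    $filter = '(&' . $groupFilter . '(sAMAccountName='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $result = @ldap_search($ldap, 'OU=example,DC=ad,DC=domain,DC=com', $filter, ['dn']);
    // Exactly one entry means the bound user matched the filter; zero means the
    // credentials were valid but the user is outside the allowed group.
    $allowed = ($result !== false) && ldap_count_entries($ldap, $result) === 1;
    ldap_close($ldap);
    return $allowed;
}

// Usage in the login handler: grant a session only when both steps succeed.
if (isset($_POST['username'], $_POST['password'])) {
    if (ldap_authenticate_in_group($_POST['username'], $_POST['password'])) {
        session_start();
        session_regenerate_id(true);   // fresh session id after login
        $_SESSION['user'] = $_POST['username'];
        header('Location: https://domain.example.com/success.php');
        exit;
    }
    echo 'Invalid username / password';
}
```

Note that in Active Directory `memberOf` only lists direct membership; if nested groups must count, match on `memberOf:1.2.840.113556.1.4.1941:=` (the LDAP_MATCHING_RULE_IN_CHAIN rule) instead of plain `memberOf=`.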
