I am currently trying to restrict my LDAP login using LDAP filters, but for some reason the filters have no effect. My goal is that only users that are in the group "example" can log in. So the LDAP filter would be:

```
(&(objectclass=user)(department=example))
```
Here is my PHP code:

```php
<?php
if (isset($_POST['username']) && isset($_POST['password'])) {
    $adServer = "ldap://ldap.domain.com";
    $ldap = ldap_connect($adServer);
    $username = $_POST['username'];
    $password = $_POST['password'];
    $ldaprdn = 'ad' . "\\" . $username;   // bind as DOMAIN\username
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    $bind = @ldap_bind($ldap, $ldaprdn, $password);
    if ($bind) {
        $filter = "(department=example)"; // also tried "(|(sAMAccountName=user1)(sAMAccountName=user2))";
        $result = ldap_search($ldap, "OU=example,DC=ad,DC=domain,DC=com", $filter);
        ldap_sort($ldap, $result);
        $info = ldap_get_entries($ldap, $result);
        // loop over the search result; nothing below depends on what it finds
        for ($i = 0; $i < $info["count"]; $i++) {
            if ($info['count'] > 1) {
                break;
            }
        }
        @ldap_close($ldap);
        session_start();
        $_SESSION['sid'] = session_id();
        header('Location: https://domain.example.com/success.php');
    } else {
        $msg = "Invalid username / password";
        echo $msg;
    }
} else {
?>
<html>
Form...
</html>
<?php } ?>
```
Are my LDAP filters wrong, or why aren't they applied? I also tried to allow only some users to access, but that didn't work either. Whatever filter I set, every user can log in (with correct credentials, of course).
Thanks in advance for all answers; if you need any further info/logs, please tell me.
### Setup:

```
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
nginx version: nginx/1.14.2
PHP 7.3.19-1~deb10u1 (cli) (built: Jul 5 2020 06:46:45) ( NTS )
PHP 7.3.19-1~deb10u1 (fpm-fcgi) (built: Jul 5 2020 06:46:45)
```
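The behaviour described above (every user with valid credentials gets in) follows from the fact that the bind alone decides the login; the search result is never consulted. The following is an added example, not the asker's code, of a login function that only succeeds when the bound user also matches the group filter. The server, bind prefix, base DN and attribute names are assumptions taken from the question.

```php
<?php
// Added example: the login is accepted only when a search for *this* user,
// combined with the group filter, returns exactly one entry.
declare(strict_types=1);

function ldapUserAllowed(string $server, string $bindPrefix, string $baseDn,
                         string $username, string $password): bool
{
    $ldap = ldap_connect($server);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // An empty password must be rejected before binding: many directories
    // treat it as an anonymous bind, which would "succeed".
    if ($password === '' || !@ldap_bind($ldap, $bindPrefix . $username, $password)) {
        ldap_close($ldap);
        return false;
    }

    // Filter on the account that just authenticated plus the group condition.
    // ldap_escape() keeps user input from changing the filter's structure.
    $safeUser = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=%s)(department=example))',
        $safeUser
    );
    $result = @ldap_search($ldap, $baseDn, $filter, ['sAMAccountName']);
    $count = ($result === false) ? 0 : ldap_count_entries($ldap, $result);
    ldap_close($ldap);

    // Exactly one match: the user exists under the base DN and passes the
    // filter. Zero matches means the filter excluded them; deny the login.
    return $count === 1;
}

if (isset($_POST['username'], $_POST['password'])) {
    if (ldapUserAllowed('ldap://ldap.domain.com', 'ad\\',
                        'OU=example,DC=ad,DC=domain,DC=com',
                        (string) $_POST['username'], (string) $_POST['password'])) {
        session_start();
        session_regenerate_id(true);   // fresh session id after authentication
        $_SESSION['user'] = (string) $_POST['username'];
        header('Location: https://domain.example.com/success.php');
        exit;
    }
    echo 'Invalid username / password';
}
```

To restrict by group membership instead of a department attribute, swap the `(department=example)` term for a `memberOf=` term with the group's full DN; the count check stays the same.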
My Answer:
"developers" should be able to log in. Here is my nginx configuration:

```nginx
location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    fastcgi_param LDAP_FILTER "(&(objectClass=user)(memberOf=CN=developers,OU=Groups,DC=example,DC=com))";
}
```
However, when I try to log in with a user that is not in the "developers" group, I am still able to log in successfully. I have checked the LDAP server and the user is definitely not in the "developers" group.
I have also tried using the LDAP filter directly in my PHP code, and it works as expected. So it seems like the issue is with how nginx is handling the LDAP filter.
Any help or suggestions on how to troubleshoot this issue would be greatly appreciated. Thank you.