Validate local Windows Group membership with ADSI->isMember
#1

[eluser]Unknown[/eluser]
Hi fellow CodeIgniters. I have made a little plugin that might benefit others than myself.

It's called ADSI and lets you check if the currently logged on Windows Authenticated user (for a PHP site running on Windows IIS) is a member of a local group.

I've been a Windows developer until recently, and my knowledge on PHP is limited to say the least. But I am willing to learn and share, so please have a look and tell me if you can use this too.

How to use
1. Copy ADSI.php to libraries.
2. Copy this code to config/config.php:

Code:
/*
|--------------------------------------------------------------------------
| ADSI group membership validation
|--------------------------------------------------------------------------
|
| Windows authenticated user must be member of one of these groups to gain access.
| This config setting is used for running ADSI->isMemberOrDie on the constructor.
|
| You can leave this array empty and still call the ADSI->isMemberOrDie or
| ADSI->isMember functions.
|  
|
*/
$config['adsi_group_membership'] = array(
'administrators',
'supersite user group'
);

If you use the above code as is, users that are members of administrators and supersite user group will be allowed to run the site, while others - though successfully logged on - will be rejected with a die message inside ADSI.php.

Leave the array empty if you want to let all authenticated users in. You can then use the ADSI->isMember or ADSI->isMemberOrDie functions to validate access on specific controllers.

ADSI.php code
Code:
<?php
if (! defined('BASEPATH'))
    exit('No direct script access allowed');

/**
 * ADSI class that validates if user is member of group.
 *
 * @category ADSI
 * @name ADSI.php
 * @version 1.0
 * @author Original code from http://www.phpclasses.org/package/1556-PHP-Validate-the-access-using-Windows-Active-Directory.html
 * Modified and adapted to CodeIgniter by Simon Pedersen @nitech
 */

class ADSI
{
    private $CI;        // CodeIgniter super object
    private $username;  // WinNT ADsPath of the authenticated user
    private $objGroup;  // WinNT ADsPath of the group being checked
    private $grupo;     // COM object for the group
    private $objUser;   // COM object for the user

    public function __construct()
    {
        $this->CI = &get_instance();

        // Get roles from config file - if any roles defined.
        // config->item() returns FALSE when the key is missing, so guard before count().
        $roles = $this->CI->config->item('adsi_group_membership');
        if (is_array($roles) && count($roles) > 0)
        {
            $validAccess = false;
            foreach ($roles as $role)
            {
                if ($this->isMember($role)) $validAccess = true;
            }

            if (!$validAccess)
            {
                $this->denyAccess();
            }
        }
    }

    /*
    | -------------------------------------------------------------------
    | isMemberOrDie
    | -------------------------------------------------------------------
    | Stop immediately if user is not member of provided group.
    |
    */
    public function isMemberOrDie($group)
    {
        if (!$this->isMember($group))
        {
            $this->denyAccess();
        }
    }

    /*
    | -------------------------------------------------------------------
    | isMember
    | -------------------------------------------------------------------
    | Check if user is member of locally stored group.
    |
    */
    public function isMember($group)
    {
        set_time_limit(0);

        // IIS only fills REMOTE_USER when Windows Authentication succeeded;
        // with no identity there is nothing to check, so fail closed.
        if (empty($_SERVER['REMOTE_USER']))
        {
            return false;
        }

        /* First, we have to convert "DOMAIN\user" format to "DOMAIN/user" format */
        /* in order for the user to be recognized by the COM object               */
        $this->username = str_replace(chr(92), chr(47), $_SERVER['REMOTE_USER']);

        /* Second, we must collapse any "//" into "/" */
        $this->username = str_replace("//", "/", $this->username);
        $this->username = "WinNT://".$this->username;

        // Use the domain/machine part of the user path as base for the group path.
        $arr = explode('/', str_replace('WinNT://', '', $this->username));
        $this->objGroup = "WinNT://WORKGROUP/".$arr[0].'/'.$group;

        //echo("WinNT://WORKGROUP/".$arr[0].'/'.$group);
        //$this->objGroup = "WinNT://./".$group.",group";

        try
        {
            $this->grupo = new COM($this->objGroup);
            $this->objUser = new COM($this->username);
        }
        catch (com_exception $e)
        {
            // Group or user path could not be bound (e.g. group does not exist): deny.
            log_message('error', 'ADSI bind failed: '.$e->getMessage());
            return false;
        }

        // Uses the ADSI group object's IsMember function to validate if user is member.
        // Google WinNT ADSI examples to find other examples of how to use this API.
        return (bool) $this->grupo->IsMember($this->objUser->ADsPath);
    }

    // Shared rejection path. The display name comes back from COM, so escape it before echoing.
    private function denyAccess()
    {
        if (isset($this->objUser))
            $name = $this->objUser->fullname;
        else
            $name = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : 'anonymous';

        die("<h2>The user ".htmlspecialchars($name, ENT_QUOTES, 'UTF-8')." is not allowed to execute this page.</h2>");
    }
}
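An added example (not the plugin's own code and not from the original post): a small pure helper that builds the same WinNT paths the library derives from REMOTE_USER, so they can be logged and inspected before any COM object is created, and a controller that gates on isMember and answers with a 403 rather than die(). The helper name, the Reports controller and the group name are assumptions.

```php
<?php
// Added example; the function and controller names are hypothetical.
// Builds the user and group ADsPaths exactly as ADSI->isMember does, without touching COM,
// and rejects inputs that would otherwise produce a meaningless path.
function adsi_build_paths($remoteUser, $group)
{
    if (!is_string($remoteUser) || trim($remoteUser) === '') {
        // Anonymous request: Windows Authentication was not enforced by IIS.
        throw new InvalidArgumentException('REMOTE_USER is empty; Windows authentication is not active');
    }
    // "DOMAIN\user" -> "DOMAIN/user", collapsing doubled separators.
    $name  = preg_replace('#/+#', '/', str_replace('\\', '/', $remoteUser));
    $parts = explode('/', $name);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        // A bare "user" or a three-part value would put the wrong token in the group path.
        throw new InvalidArgumentException('Unexpected REMOTE_USER format: ' . $remoteUser);
    }
    return array(
        'user'  => 'WinNT://' . $name,
        'group' => 'WinNT://WORKGROUP/' . $parts[0] . '/' . $group,
    );
}

// Per-controller gating: deny with a 403 and a log line instead of die().
class Reports extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('adsi');

        $user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
        $paths = adsi_build_paths($user, 'supersite user group');   // throws on bad input
        log_message('debug', 'ADSI checking ' . $paths['user'] . ' against ' . $paths['group']);

        if (!$this->adsi->isMember('supersite user group')) {
            log_message('error', 'ADSI denied ' . $user . ' for ' . get_class($this));
            show_error('Access denied', 403);
        }
    }

    public function index()
    {
        $this->load->view('reports_index');
    }
}
```

Constructed input such as `MACHINE\\alice` yields `WinNT://MACHINE/alice` and `WinNT://WORKGROUP/MACHINE/supersite user group`, which is what to look for in the debug log when the COM bind fails.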