Login only possible with specific Group

Scriptcase 9 General
#1

Hello everyone,

How can I restrict login access to a specific group only?

Here is my code:

$login		= {login};
$pswd		= {pswd};
 
$options = array(
	'domain_controllers' => array('222.234.21.3'),
    'base_dn' => 'OU=Test,´OU=ADB-Gruppen,DC=ade,DC=ddd,DC=cc',
    'account_suffix' => '@ade.ddd.cc',
	'admin_username' => $login,
    'admin_password' => $pswd,
	'ad_port' => 636
);
$ldapConn	= sc_ldap_login($options);
 
if($ldapConn === false)
{
	sc_log_add('Login Fail', {lang_login_fail} . {login});
	sc_error_message({lang_error_login});
	sc_error_exit();
}
else
{
	$user_filter = {login};
	if(strpos($user_filter, "\\") !== false)
	{
		$user_filter = substr($user_filter, strpos($user_filter, "\\")+1);
	}
	$filter = "(|(samaccountname=".$user_filter . ")(uid=".$user_filter.")(userprincipalname=".$user_filter."))";
	$dn = "";
	if(strpos($login, '=') !== false)
	{
		$dn     = $login;
		$filter = "all";
	}
	$result = sc_ldap_search($filter, array('mail', 'displayname', 'cn', 'givenname'), $dn);
	[usr_login] = {login};	
	[usr_name]  = {login};
	if(isset($result[0]['displayname'][0]))
	{
		[usr_name] = $result[0]['displayname'][0];
	}
	elseif(isset($result[0]['cn'][0]))
	{
		[usr_name] = $result[0]['cn'][0];
	}
	elseif(isset($result[0]['givenname'][0]))
	{
		[usr_name] = $result[0]['givenname'][0];
	}
	[usr_email] = (isset($result[0]['mail'][0]) ? $result[0]['mail'][0] : '');
	// Erfolgreicher Login: Weiterleitung zur Hauptanwendung
    //sc_set_global("is_authenticated", true); // Login-Status global speichern
    //sc_redir('BLP_Auswahlmenue');            // Weiterleitung nach Login
}

What do I need to adjust in the code?

Thanks in advance!

#2

I used something like, put it somewhere after the AD bind call or in your case, should be in your “else” block

$attr = array("memberof","mail","displayname","givenname","sn");
$result = ldap_search($ad, $basedn, $filter, $attr) or die('Unable to search LDAP server.');
$entries = ldap_get_entries($ad, $result);
ldap_unbind($ad);

// check groups
foreach($entries[0]['memberof'] as $grps) {
	if(strpos($grps, 'group_name_here')) {
		$access_allowed = 1;
		break;
	}
}
#3

like this? Im new in scriptcase:

$login = {login};
$pswd = {pswd};

$options = array(
    'domain_controllers' => array('222.234.21.3'),
    'base_dn' => 'OU=Test,OU=ADB-Gruppen,DC=ade,DC=ddd,DC=cc',
    'account_suffix' => '@ade.ddd.cc',
    'admin_username' => $login,
    'admin_password' => $pswd,
    'ad_port' => 636
);
$ldapConn = sc_ldap_login($options);

if ($ldapConn === false) {
    sc_log_add('Login Fail', {lang_login_fail} . {login});
    sc_error_message({lang_error_login});
    sc_error_exit();
} else {
    $user_filter = {login};
    if (strpos($user_filter, "\\") !== false) {
        $user_filter = substr($user_filter, strpos($user_filter, "\\") + 1);
    }
    $filter = "(|(samaccountname=" . $user_filter . ")(uid=" . $user_filter . ")(userprincipalname=" . $user_filter . "))";
    $dn = "";
    if (strpos($login, '=') !== false) {
        $dn = $login;
        $filter = "all";
    }
    $result = sc_ldap_search($filter, array('mail', 'displayname', 'cn', 'givenname', 'memberof'), $dn);

    if (isset($result[0])) {
        $entries = $result;

        // Prüfen, ob der Benutzer in der richtigen Gruppe ist
        $access_allowed = 0;
        if (isset($entries[0]['memberof'])) {
            foreach ($entries[0]['memberof'] as $grps) {
                if (strpos($grps, 'group_name_here') !== false) { 
                    $access_allowed = 1;
                    break;
                }
            }
        }

        if ($access_allowed === 0) {
            sc_error_message('Access denied. You are not a member of the required group.');
            sc_error_exit();
        }

        // Benutzerinformationen speichern
        [usr_login] = {login};
        [usr_name]  = isset($entries[0]['displayname'][0]) ? $entries[0]['displayname'][0] : {login};
        [usr_email] = isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : '';

        // Weiterleitung nach erfolgreichem Login
        // sc_set_global("is_authenticated", true); // Login-Status global speichern
        // sc_redir('BLP_Auswahlmenue');            // Weiterleitung nach Login
    } else {
        sc_error_message('Unable to fetch user details.');
        sc_error_exit();
    }
}
#4

I think that should work, you don’t need the line $entries = $result, you can use $result

$result =  sc_ldap_search($user_filter, array('mail', 'displayname', 'cn', 'givenname', 'samaccountname','memberof'));
	foreach($result[0]['memberof'] as $grps) {
		if(strpos($grps, 'group_name_here')) {
			$access_allowed = 1;
			break;
		}
	}
#5

I changed the code as follows:

 $login = {login};
 $pswd = {pswd};

$options = array(
    'domain_controllers' => array('222.223.42.33'),
    'base_dn' => 'OU=Applications,OU=TEST-Groups,DC=abc,DC=edf,DC=eg',
    'account_suffix' => '@abc.edf.eg',
    'admin_username' => $login,
    'admin_password' => $pswd,
    'ad_port' => 636
);
$ldapConn = sc_ldap_login($options);

if ($ldapConn === false) {
    // Debugging
    // echo "<pre>LDAP connection failed.</pre>";
    sc_log_add('Login Fail', {lang_login_fail} . {login});
    sc_error_message({lang_error_login});
    sc_error_exit();
} else {
    // Debugging
    // echo "<pre>LDAP connection successful.</pre>";
    
    $user_filter = {login};
    if (strpos($user_filter, "\\\\") !== false) {
        $user_filter = substr($user_filter, strpos($user_filter, "\\") + 1);
    }
    $filter = "(|(samaccountname=" . $user_filter . ")(uid=" . $user_filter . ")(userprincipalname=" . $user_filter . "))";
    $dn = "";
    if (strpos($login, '=') !== false) {
        $dn = $login;
        $filter = "all";
    }
    // $filter = "(&(samaccountname=" . $user_filter . "))";
    // Debugging
    // echo "<pre>Filter: " . htmlspecialchars($filter) . "</pre>";
    
    // Debugging: Print LDAP result
    // echo "<pre>Filter: " . htmlspecialchars($filter) . "</pre>";

    // &$result = sc_ldap_search($filter, array('mail', 'displayname', 'cn', 'givenname', 'memberof'), $dn);
    $result = sc_ldap_search($user_filter, array('mail', 'displayname', 'cn', 'givenname', 'samaccountname', 'memberof'));
    
    // Check if the user is in the correct group
    $access_allowed = 0;
    foreach ($result[0]['memberof'] as $grps) {
        if (strpos($grps, 'TEST') !== false) {
            $access_allowed = 1;
            break;
        }
    }
    // Store user information
    [usr_login] = {login};
    [usr_name]  = isset($result[0]['displayname'][0]) ? $result[0]['displayname'][0] : {login};
    [usr_email] = isset($result[0]['mail'][0]) ? $result[0]['mail'][0] : '';
}

Problem:
Users who are not part of the “TEST” group can still log in, and I can’t figure out why.

Does anyone have an idea what might be causing this behavior? Any help is appreciated!

#6

Now I have done this, but now I cannot log in with any user

if ($ldapConn === false) {
    // LDAP Verbindung fehlgeschlagen
    echo "<pre>LDAP connection failed.</pre>";
    sc_log_add('Login Fail', {lang_login_fail} . {login});
    sc_error_message({lang_error_login});
    sc_error_exit();
} else {
    // LDAP Verbindung erfolgreich
    echo "<pre>LDAP connection successful.</pre>";
    $user_filter = {login};
    if (strpos($user_filter, "\\\\") !== false) {
        $user_filter = substr($user_filter, strpos($user_filter, "\\") + 1);
    }
    $filter = "(|(samaccountname=" . $user_filter . ")(uid=" . $user_filter . ")(userprincipalname=" . $user_filter . "))";
    $dn = "";
    if (strpos($login, '=') !== false) {
        $dn = $login;
        $filter = "all";
    }

    // Debugging: Filter anzeigen
    echo "<pre>Filter: " . htmlspecialchars($filter) . "</pre>";
    echo "<pre>Base DN: " . htmlspecialchars($options['base_dn']) . "</pre>";
    
    $result = sc_ldap_search($filter, array('mail', 'displayname', 'cn', 'givenname', 'samaccountname', 'memberof'), $dn);
    
    // Debugging: LDAP-Suchergebnisse anzeigen
    if ($result === false) {
        echo "<pre>LDAP search failed.</pre>";
    } else {
        echo "<pre>LDAP Search Result: " . print_r($result, true) . "</pre>";
    }

    // Überprüfen, ob das Attribut 'memberof' vorhanden ist
    $access_allowed = 0;
    if (isset($result[0]['memberof'])) {
        foreach ($result[0]['memberof'] as $grps) {
            // Debugging: Anzeigen jeder Gruppe
            echo "<pre>Group: " . htmlspecialchars($grps) . "</pre>";
            if (strpos($grps, 'CN=test') !== false) {
                $access_allowed = 1;
                break;
            }
        }
    } else {
        // Debugging: 'memberof'-Attribut nicht gefunden
        echo "<pre>'memberof' attribute not found.</pre>";
    }

    if ($access_allowed === 1) {
        // Benutzer ist in der richtigen Gruppe
        echo "<pre>User is in the correct group.</pre>";
        [usr_login] = {login};
        [usr_name]  = isset($result[0]['displayname'][0]) ? $result[0]['displayname'][0] : {login};
        [usr_email] = isset($result[0]['mail'][0]) ? $result[0]['mail'][0] : '';
    } else {
        // Zugriff verweigert
        echo "<pre>Access denied. User not in the correct group.</pre>";
        sc_log_add('Login Fail', 'User not in correct group: ' . {login});
        sc_error_message('Access denied. User not in the correct group.');
        sc_error_exit();
    }
}

LDAP Connection is succesfull
I am completely lost as to what to do.

#7

try to see what your output for $grps

#8

I get nothing with this
echo "<pre>Group: Test 2" . htmlspecialchars($grps) . "</pre>";

If possible, can you send me your full code, like you did with LDAP?

#9

Ok, I changed my code to this, but it still does not work

$login		= {login};
$pswd		= {pswd};
 
$options = array(
    'domain_controllers' => array('222.22.2.33'),
    'base_dn' => 'DC=asd,DC=ead,DC=fe',
    'account_suffix' => '@asd.ead.fe',
    'admin_username' => $login, 
    'admin_password' => $pswd,
    'ad_port' => 636
);

// LDAP Verbindung herstellen
$ldapConn = sc_ldap_login($options);

if ($ldapConn === false) {
    echo "<pre>LDAP connection failed.</pre>";
    sc_error_message('LDAP connection failed.');
    sc_error_exit();
} else {
    echo "<pre>LDAP connection successful.</pre>";

    // Benutzername für den Filter bereinigen
    $user_filter = {login};
    if (strpos($user_filter, "\\") !== false) {
        $user_filter = substr($user_filter, strpos($user_filter, "\\") + 1);
    }
	
    // Debugging: Benutzerfilter anzeigen
    echo "<pre>User filter: " . htmlspecialchars($user_filter) . "</pre>";	
	
	// 1. Gruppenabfrage
	$group_filter = "(memberOf=CN=TEST,OU=BBB,OU=DD-Gruppen,DC=asd,DC=ead,DC=fe)";
	$group_result = sc_ldap_search($group_filter, array('cn'), $options['base_dn']);
	
    // Debugging: Gruppenabfrage-Ergebnisse anzeigen
    echo "<pre>Group Result: </pre>";
    print_r($group_result);


	
	if ($group_result === false || empty($group_result)) {
		sc_error_message('Access denied. You are not a member of any group');
    		sc_error_exit();
	}

	// Gruppen prüfen und durchsuchen
	$access_allowed = 0;
	foreach ($group_result as $group) 
	{
		if (strpos($group['cn'][0], 'TEST') !== false)
		{
			$access_allowed = 1;
			break;
		}
	}
	
	if ($access_allowed === 0) 
	{
		sc_error_message('Access denied. You are not a member of the required group.');
		sc_error_exit();
	}
	
	// 2. Benutzerabfrage
    $filter = "(|(samaccountname=" . $user_filter . ")(uid=" . $user_filter . ")(userprincipalname=" . $user_filter . "))";
    $user_result = sc_ldap_search($filter, array('mail', 'displayname', 'cn', 'givenname', 'memberof'), $options['base_dn']);

    // Debugging: Benutzerabfrage-Ergebnisse anzeigen
    echo "<pre>User Result: </pre>";
    print_r($user_result);	
	
    if (isset($user_result[0])) {
        // Benutzerinformationen speichern
        [usr_login] = {login};
        [usr_name]  = isset($user_result[0]['displayname'][0]) ? $user_result[0]['displayname'][0] : {login};
        [usr_email] = isset($user_result[0]['mail'][0]) ? $user_result[0]['mail'][0] : '';
    } else {
        sc_error_message('Unable to fetch user details.');
        sc_error_exit();
    }
}

I always get the error from the if with the group_result, but the user is in the right group.

#10 
$login		= {login};
$pswd		= {pswd};
$options = array(
	'domain_controllers' => array('dc1.abc.abc','dc2.abc.abc'),
    'base_dn' => 'OU=users,OU=abc,DC=def,DC=def,DC=abc',
    'account_suffix' => '@abc.abc',
	'admin_username' => $login,
    'admin_password' => $pswd,
	'ad_port' => 389
);

$ldapConn = sc_ldap_login($options);

$user_filter = "(|(cn=".$login . ")(uid=".$login.")(userprincipalname=".$login."))";
$result =  sc_ldap_search($user_filter, array('mail', 'displayname', 'cn', 'givenname', 'samaccountname','memberof'));
foreach($result[0]['memberof'] as $grps) {
	if(strpos($grps, 'vip_group')) {
		$access_allowed = 1;
		//debug
		echo $login;
		break;
	}
}

This is what I have.
if you’re logging in as the user in “vip_group”, the code above will show the username.
also verify that you actually have value for $result[0][‘memberof’], use var_dump() or something.

#11

Both users can still log in. I think there is something wrong with my LDAP

Edit:
Its working, it was the base_dn, only the dc was supposed to be there.

1 Like