Авторизация в Active Directory на PHP

ad.php
<?php
/**
 * Авторизация (auth) и информация о пользователе (info) через Active Directory
 * @example http://ad.site.ru/services/ad.php?action=auth&login=user&pwd=password&remote_addr=192.168.0.20
 * @example http://ad.site.ru/services/ad.php?action=info&login=user&remote_addr=192.168.0.20
 */
 
class LdapInfo {
 
  protected
    $ldapConnected = false,
    $ldapServer = 'organisation.local',
    $ldapDn = "DC=organisation,DC=local",
    $ldapUserDomain = 'organisation\\',
    // системный пользователь - для получения информации о любом пользователе без пароля
    $SYS_LOGIN = 'sysuser',
    $SYS_PWD = 'syspassword';
 
  public function run() {
    try {
      $this->getRequest();
 
      switch($this->ACTION) {
        // Проверка авторизации (логин-пароль)
        case 'auth':
          if (empty($this->LOGIN) || empty($this->PWD)) throw new Exception('EMPTY CREDS', 1);
          $this->ldapConnect();
          $this->ldapBind($this->LOGIN, $this->PWD);
          $resp = array('result' => 'success');
          break;
        // Информация о пользователе по логину
        case 'info':
          if (empty($this->LOGIN)) throw new Exception('EMPTY LOGIN', 1);
          $this->ldapConnect();
          $this->ldapBind($this->SYS_LOGIN, $this->SYS_PWD);
          $this->ldapSearch();
          $it = $this->ldapEntries[0];
          $resp = array(
            'result' => 'success',
            'samaccountname' => $it['samaccountname'][0],
            'displayname' => $it['displayname'][0],
            'company' => $it['company'][0],
            'mail' => $it['mail'][0],
            'lablecomputer' => $it['lablecomputer'][0],
            'department' => $it['department'][0],
            'description' => $it['description'][0],
          );
          break;
        default:
          $this->ACTION = 'Wrong action';
          throw new Exception('Wrong action', 1);
      }
      if($this->ldapConnected) { $this->ldapClose(); }
      syslog(LOG_INFO, "[AD][{$this->ACTION}][ok][remote_addr={$this->REMOTE_ADDR} login={$this->LOGIN}]");
      // header('HTTP/1.1 200 OK', true); // ХЗ почему, но если включить, file_get_contents($uri) будет тормозить, препарация курлом curl --verbose не выявила различий
      die(json_encode($resp));
    } catch (Exception $e) {
      if($this->ldapConnected) { $this->ldapClose(); }
      syslog(LOG_ERR, "[AD][{$this->ACTION}][error][remote_addr={$this->REMOTE_ADDR} login={$this->LOGIN}]: " . $e->getMessage());
      header('HTTP/1.1 403 Forbidden', true);
      die($e->getMessage());
    }
  }
 
  protected function getRequest() {
    $this->LOGIN = trim($_REQUEST['login']);
    $this->PWD = trim($_REQUEST['pwd']);
    $this->REMOTE_ADDR = trim($_REQUEST['remote_addr']);
    $this->ACTION = trim($_REQUEST['action']);
  }
 
  // соединение с сервером
  protected function ldapConnect() {
    $this->ldapconn = ldap_connect($this->ldapServer);
    if($this->ldapconn === false) {
      throw new Exception('LDAP FAILED');
    }
    ldap_set_option($this->ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($this->ldapconn, LDAP_OPT_REFERRALS, 0);
    $this->ldapConnected = true;
  }
 
  protected function ldapBind($LOGIN, $PWD) {
    $this->ldapbind = ldap_bind($this->ldapconn, $this->ldapUserDomain . $LOGIN, $PWD);
    if(!$this->ldapbind) throw new Exception('NOT FOUND', 2);
  }
 
  protected function ldapSearch() {
    $filter = '(&(objectCategory=user)(samaccountname=' . $this->LOGIN.'))';
    $sr = ldap_search($this->ldapconn, $this->ldapDn, $filter);
    $this->ldapEntries = ldap_get_entries($this->ldapconn, $sr);
    if($this->ldapEntries['count'] != 1) throw new Exception('TOO MANY RESULTS: ' . $this->ldapEntries['count'], 3);
  }
 
 
  protected function ldapClose() {
    ldap_close($this->ldapconn);
  }
 
}
 
$LdapInfo = new LdapInfo();
$LdapInfo->run();

Программа для просмотра LDAP

Печать/экспорт