Validate local Windows Group membership with ADSI->isMember
Posted: 01 December 2011 11:01 AM

Hi fellow CodeIgniters. I have made a little plugin that might benefit others than myself.

It’s called ADSI and lets you check if the currently logged on Windows Authenticated user (for a PHP site running on Windows IIS) is a member of a local group.

I’ve been a Windows developer until recently, and my knowledge on PHP is limited to say the least. But I am willing to learn and share, so please have a look and tell me if you can use this too.

How to use
1. Copy ADSI.php to libraries.
2. Copy this code to config/config.php:

/*
|--------------------------------------------------------------------------
| ADSI group membership validation
|--------------------------------------------------------------------------
|
| Windows authenticated user must be member of one of these groups to gain access.
| This config setting is used for running ADSI->isMemberOrDie on the constructor.
|
| You can leave this array empty and still call the ADSI->isMemberOrDie or
| ADSI->isMember functions.
|
*/
$config['adsi_group_membership'] = array(
    'administrators',
    'supersite user group'
);

If you use the above code as is, users that are members of administrators and supersite user group will be granted access to the site, while others - though successfully logged on - will be rejected with a die message inside ADSI.php.

Leave the array empty if you want to let all authenticated users in. You can then use the ADSI->isMember or ADSI->isMemberOrDie functions to validate access on specific controllers.

ADSI.php code

<?php
if (! defined('BASEPATH')) exit('No direct script access allowed');

/**
 * ADSI class that validates if user is member of group.
 *
 * @category ADSI
 * @name ADSI.php
 * @version 1.0
 * @author Original code from http://www.phpclasses.org/package/1556-PHP-Validate-the-access-using-Windows-Active-Directory.html
 * Modified and adapted to CodeIgniter by Simon Pedersen @nitech
 */
class ADSI
{
    private $CI;        // CodeIgniter super object
    private $username;  // ADsPath of the authenticated user, e.g. WinNT://DOMAIN/user
    private $objGroup;  // ADsPath of the group being checked
    private $grupo;     // COM object bound to the group
    private $objUser;   // COM object bound to the user

    public function __construct()
    {
        $this->CI = & get_instance();

        // get roles from config file - if any roles defined
        // (config->item() returns FALSE when the key is missing, so guard with is_array)
        $roles = $this->CI->config->item('adsi_group_membership');
        if (is_array($roles) && count($roles) > 0)
        {
            $validAccess = false;
            foreach ($roles as $role)
            {
                if ($this->isMember($role)) $validAccess = true;
            }

            if (!$validAccess)
            {
                // escape the name before echoing it into HTML
                die("<h2>The user ".htmlspecialchars($this->objUser->fullname)." is not allowed to execute this page.</h2>");
            }
        }
    }

    /*
    | -------------------------------------------------------------------
    | isMemberOrDie
    | -------------------------------------------------------------------
    | Stop immediately if user is not member of provided group.
    |
    */
    function isMemberOrDie($group)
    {
        if (!$this->isMember($group))
        {
            die("<h2>The user ".htmlspecialchars($this->objUser->fullname)." is not allowed to execute this page.</h2>");
        }
    }

    /*
    | -------------------------------------------------------------------
    | isMember
    | -------------------------------------------------------------------
    | Check if user is member of locally stored group.
    |
    */
    function isMember($group)
    {
        set_time_limit(0);

        /* First, convert the backslashes of the "DOMAIN\user" format to forward slashes */
        /* so that the user is recognized by the COM object                              */
        $this->username = str_replace(chr(92), chr(47), $_SERVER['REMOTE_USER']);

        /* Second, collapse any "//" (from an escaped "DOMAIN\\user") to "/" */
        $this->username = str_replace("//", "/", $this->username);
        $this->username = "WinNT://".$this->username;

        // use user path as base for making workgroup path
        $arr = explode('/', str_replace('WinNT://', '', $this->username));
        $this->objGroup = "WinNT://WORKGROUP/".$arr[0].'/'.$group;

        //echo("WinNT://WORKGROUP/".$arr[0].'/'.$group);
        //$this->objGroup = "WinNT://./".$group.",group";

        $this->grupo = new COM($this->objGroup);
        $this->objUser = new COM($this->username);

        // Uses the ADSI group object's IsMember function to validate if user is member.
        // Google WinNT ADSI examples to find other examples of how to use this API.
        if (!($this->grupo->IsMember($this->objUser->ADsPath)))
            return false;
        else
            return true;
    }
}
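The same check pulled out of the class into plain functions, as an added example that is not part of the plugin above: the function names are chosen for this example, the `$bind` parameter is an assumed hook that lets tests substitute a fake for `new COM(...)`, and an absent or malformed REMOTE_USER, an unknown group or a COM error all return false instead of letting the request through.

```php
<?php
/**
 * Build the WinNT ADsPath of the authenticated user from REMOTE_USER.
 * IIS hands PHP "DOMAIN\user"; ADSI wants "WinNT://DOMAIN/user".
 * Returns null when the value is absent or not in DOMAIN\user form.
 */
function adsi_user_path($remoteUser)
{
    $remoteUser = trim((string) $remoteUser);
    if (!preg_match('/^([^\\\\\/]+)\\\\([^\\\\\/]+)$/', $remoteUser, $m)) {
        return null;
    }
    return 'WinNT://' . $m[1] . '/' . $m[2];
}

/**
 * ADsPath of a local group on the machine that authenticated the user
 * (first path component of $userPath). ",group" is the WinNT provider's
 * class hint, so an account with the same name cannot be bound by mistake.
 */
function adsi_group_path($userPath, $group)
{
    $parts = explode('/', substr($userPath, strlen('WinNT://')));
    return 'WinNT://WORKGROUP/' . $parts[0] . '/' . $group . ',group';
}

/**
 * Membership check. $bind turns an ADsPath into a COM object; it defaults
 * to `new COM($path)` and is an assumed hook for substituting a fake in tests.
 * Any failure (no identity, unknown group, COM error) counts as not a member.
 */
function adsi_is_member($remoteUser, $group, $bind = null)
{
    if ($bind === null) {
        $bind = function ($path) { return new COM($path); };
    }
    $userPath = adsi_user_path($remoteUser);
    if ($userPath === null) {
        return false;                       // fail closed: no identity, no access
    }
    try {
        $user = $bind($userPath);
        $grp  = $bind(adsi_group_path($userPath, $group));
        return (bool) $grp->IsMember($user->ADsPath);
    } catch (Exception $e) {                // com_exception extends Exception
        return false;
    }
}
```

Calling `adsi_is_member($_SERVER['REMOTE_USER'], 'administrators')` from a controller gives the same answer as `ADSI->isMember('administrators')`, while `adsi_user_path('COMPUTER\alice')` can be checked on any platform without the COM extension.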