Resolved LDAP Authentication



salman1karim
10-31-2013, 08:51 AM
I am trying to give users access through LDAP authentication, but it's not working. Even if the user enters the wrong password, it will authenticate the user. Please see the script below.



<?php
$server="XXX.XXX.XXX.XXX"; //change to ip address of ldap server
$basedn="ou=users, ou=accounts, dc=test.com, dc=com"; //change to reflect the ou and domain that your users are in.
$script=$_SERVER['SCRIPT_NAME'];
if (isset($HTTP_COOKIE_VARS['cookie']))
{ //If cookie exists, retrieve it and put it in an array for use.
$cookie=$HTTP_COOKIE_VARS['cookie'];
}
if (isset($cookie))
{
$username=$cookie['user'];
$password=($cookie['token']);
$fullname=$cookie['fullname'];
$fqdn=$cookie['fqdn'];
$dn = "cn=$username, ";

if (!($connect = ldap_connect($server)))
{
die ("Could not connect to LDAP server");
}

if (!($bind = ldap_bind($connect, "$dn" . "$basedn", $password)))
{
die ("Could not bind to $dn$basedn");
}
}
else
{
if ((isset($_POST['username'])) && (isset($_POST['password'])))
{
$username=$_POST['username'];
$password=$_POST['password'];
$filter="(&(|(!(displayname=Administrator*))(!(displayname=Admin*)))(cn=$username))";
$dn = "cn=$username, ";

if (!($connect = ldap_connect($server)))
{
die ("Could not connect to LDAP server");
}

if (!($bind = ldap_bind($connect, "$dn" . "$basedn", $password)))
{
die ("Could not bind to $dn");
}
$sr = ldap_search($connect, $basedn,"$filter");
$info = ldap_get_entries($connect, $sr);
$fullname=$info[0]["displayname"][0];
$fqdn=$info[0]["dn"];
setcookie("cookie[user]",$username);
setcookie("cookie[token]",$password);
setcookie("cookie[fullname]",$fullname);
setcookie("cookie[fqdn]", $fqdn);
}
else
{
?>

<html>
<head>
<title>Portal Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="expires" content="0">
<meta http-equiv="pragma" content="no-cache">
</head>
<SCRIPT LANGUAGE="JavaScript">
<!--
document.onmousedown=click;
function click()
{
if (event.button==2)
{
alert('Right-clicking has been disabled by the administrator.');
}
}

//-->
</SCRIPT>
<div align="center">
<form method="post" action="test/index.php">
<div align="center">

<table width="210" border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="center">
<fieldset>

<Legend><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Enter Credentials</font></Legend>
<table border="0" cellspacing="3" cellpadding="0">
<tr>
<td align="right" valign="middle"><b><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Username:</font></td>
<td align="center" valign="middle">
<input class="clear" type="text" size="15" name="username">
</td>
</tr>
<tr>
<td align="right" valign="middle"><b><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Password:</font></td>
<td align="center" valign="middle">
<input class="pass" type="password" size="15" name="password">
</td>
</tr>
</table>
<input type=image src="images/login.gif" alt="Login" name="image">
<br>
</div>
</td>
</tr>
</fieldset>
</table>
<br>
<table width="640"><tr><td align="center">
<font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="silver">This System is for the use of authorized users only. Individuals using this computer system without
authority, or in excess of their authority, are subject to having their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals
improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officals. This warning has been provided by the United States Department of Justice and is intended to ensure that monitoring of user activity is not in violation of the Communications Privacy Act of 1986.</font>
</td></tr></table>

</div>
</form>

</div>
</body>
</html>
<?php
die ();
}
}
?>
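
Added example, not part of the original post and not the poster's code: a known way for an LDAP simple bind to succeed without the right password is the "unauthenticated bind" of RFC 4513 section 5.1.2, where a DN with a zero-length password is accepted by many servers. The sketch below rejects empty credentials before binding and escapes the username for both the DN and the filter; `LDAP_URI`, `BASE_DN` and `ldap_login()` are hypothetical names with placeholder values.

```php
<?php
// Added example. Host and base DN are placeholders, not values from the thread.
const LDAP_URI = 'ldap://ldap.example.invalid';
const BASE_DN  = 'ou=users,ou=accounts,dc=example,dc=com';

/**
 * Returns the user's display name after a successful authenticated bind,
 * or false on any failure.
 */
function ldap_login(string $username, string $password)
{
    // A simple bind with a DN and an empty password is an unauthenticated
    // bind (RFC 4513 5.1.2) that many servers accept, so refuse it up front.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Escape user input separately for the DN and for the search filter.
    $dn     = 'cn=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . BASE_DN;
    $filter = '(cn=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';

    // @ hides the PHP warning on bad credentials; the return value decides.
    if (!@ldap_bind($conn, $dn, $password)) {
        return false;
    }

    $sr   = ldap_search($conn, BASE_DN, $filter, ['displayname']);
    $info = $sr ? ldap_get_entries($conn, $sr) : false;
    ldap_unbind($conn);

    // Require exactly one matching entry before treating the login as valid.
    if (!$info || $info['count'] !== 1) {
        return false;
    }
    return $info[0]['displayname'][0] ?? $username;
}

// Constructed inputs: both calls are rejected before any network traffic.
var_dump(ldap_login('alice', ''));
var_dump(ldap_login('', 'secret'));
```

After a successful login, the state is better kept in a server-side session than in the `cookie[token]` password cookie the script sets.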

salman1karim
11-04-2013, 12:03 PM
I use the function $_SERVER['PHP_AUTH_USER'] instead of full AD configuration. The issue is resolved.