
Domain (LDAP) Codeigniter Authentication


The article is aimed at beginner CodeIgniter users, like me.

In the process of creating an internal site of one of the Russian companies, it became necessary to restrict user access to certain pages and functions. Since all users are in the domain, it makes sense to use domain authentication on the site.
Finding the information yourself is not difficult in principle; nobody has cancelled search engines. I just decided to collect the pieces I found and merge them into one, in Russian.

I assume that CodeIgniter (CI) is already installed and configured. By the way, one of the western sites has many good and comprehensive video lessons on how to set up and use CodeIgniter.


Add a library and configuration file


Of course, PHP itself has some functions for this, but using them is not always rational. Take the adLDAP library as a basis. It has everything you need and more.

First we create a configuration file, for example adldap.php, and put it in \system\application\config\

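<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// Domain settings
$config['account_suffix'] = '@dom.ru';
$config['base_dn'] = 'DC=dom,DC=ru';
$config['domain_controllers'] = array ("DC01.dom.ru");
// Service account the library binds with for directory lookups
$config['ad_username'] = 'web_user';
$config['ad_password'] = 'web_passS8';
$config['real_primarygroup'] = true;
// With both use_ssl and use_tls set to false, binds (including the passwords
// users type into the login form) cross the network unencrypted; enable one
// of them if the domain controller supports it
$config['use_ssl'] = false;
$config['use_tls'] = false;
$config['recursive_groups'] = true;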


Next you need to add the library. But how do you make it usable in CI like the rest? One programmer has already done this for us and made the result publicly available (he confirms that the license is not broken). We'll add it to \system\libraries\ and name it, for example, Adldap.php.

After these steps, the library can be used in CodeIgniter like any other, for example:

$this->load->library('Adldap');
$this->adldap->authenticate($username, $password);


Let's write a small piece of authorization code


Let's keep it simple.
First, create a form for entering a login and password:

<form action="info.dom.ru/login/gateway" method="post">
<input name="username" type="text" value="Login">
<input name="password" type="password" value="Password">
<input type="submit" name="submit" value="Enter" />
</form>

Second, the controller and the function that performs authorization against the domain. But the domain is large and has many users, and if you only check the login and password, every member of the domain will have access to the restricted parts of the site.

For finer control, you need one more parameter to check: the Active Directory group. Let's call it, for example, Web_Group, and add the users we need to it:

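<?php
// Login controller
class Login extends Controller {

    // Handles the POST from the login form
    function gateway() {

        // Load the adLDAP wrapper, plus the session library and URL helper
        // used below (not needed here if they are autoloaded)
        $this->load->library('Adldap');
        $this->load->library('session');
        $this->load->helper('url');

        $username = $this->input->post('username');
        $password = $this->input->post('password');

        // Check the login and password against the domain
        $authUser = $this->adldap->authenticate($username, $password);

        // Check membership in Web_Group. The third argument is the NULL constant,
        // not the string 'NULL', so the recursive_groups setting from the config applies
        $groupinfo = $this->adldap->user_ingroup($username, 'Web_Group', NULL);

        // Grant access only if both $authUser and $groupinfo are true
        if ($authUser === true and $groupinfo === true) {

            // Store the login state in the session, then redirect
            $data = array('username' => $username, 'usergroup_access' => 'Web_Group', 'is_logged_in' => true);
            $this->session->set_userdata($data);
            redirect();
        } else {
            // One generic message, whichever check failed
            echo "Access denied.";
        }
    }
}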
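
An input check that could run in gateway() before authenticate() and user_ingroup() are called, as an added example that is not part of the original article or of the adLDAP project. The helper name check_login_input and the username allow-list pattern are assumptions; adjust the pattern to the login format used in your domain.

```php
<?php
// Added example: check_login_input() is a hypothetical helper, not an adLDAP
// or CodeIgniter function.

/**
 * Returns the trimmed username if both values are safe to hand to the LDAP
 * library, or FALSE if the request must be rejected before any bind or search.
 */
function check_login_input($username, $password)
{
    // Missing POST fields do not arrive as strings.
    if (!is_string($username) || !is_string($password)) {
        return FALSE;
    }
    $username = trim($username);

    // An empty password turns an LDAP simple bind into an unauthenticated
    // bind (RFC 4513), which a server may answer with success.
    if ($username === '' || $password === '') {
        return FALSE;
    }

    // Allow-list for account names (assumed format). It also excludes the
    // LDAP search filter metacharacters * ( ) \ and NUL (RFC 4515), because
    // the username is later used in a group-membership lookup.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return FALSE;
    }

    return $username;
}

// Constructed sample inputs (not real accounts).
$samples = array(
    array('ivanov', 'S3cret!'),  // well-formed
    array('ivanov', ''),         // empty password
    array('ivan*', 'x'),         // filter wildcard in the name
    array(FALSE, FALSE),         // fields missing from the request
);
foreach ($samples as $s) {
    $result = check_login_input($s[0], $s[1]);
    echo var_export($s[0], TRUE), ' => ', ($result === FALSE ? 'rejected' : 'accepted'), "\n";
}
```

In gateway(), a FALSE result would go straight to the same generic failure branch as a wrong password.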


That's all. Now, in any other function, you can check the session and, depending on the result, grant or deny access.
It should look something like this:

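function view_data() {

    // Show the data only if the session carries the flag set at login
    if ($this->session->userdata('is_logged_in') == true) {

        // Restricted content goes here
        echo "Restricted data.";

    } else {

        // Not logged in
        echo "Access denied.";
    }
}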


All that remains is to add a function that destroys the session (logout):

function logout() {
$this->session->sess_destroy();
redirect();
}


Thanks for your attention.

UPD: found another interesting LDAP library.

Source: https://habr.com/ru/post/111160/

