Display all Active Directory groups that a user is a member of recursively

Question

I have the below script that checks AD access and then also within a specific group, to check membership.

How can I display every single group that a user has access to including ones that are not direct - for example - user - userA, in group - groupA, and also groupA in in groupB, I want it to display groupB as well as groupA

What am I missing ?

<?php
        //ini_set('display_errors', 1);
        session_start();
        //ini_set('display_startup_errors', 1);
        //error_reporting(E_ALL);
//      require_once('assets/config.php');

        $ldap_server = "ldap*************************";


 if(isset($_SESSION['itssd_user'])) {
    $submittedusername = $_SESSION['itssd_user'];
 }
 if(isset($_SESSION['itssd_pw'])) {
    $submittedpassword = $_SESSION['itssd_pw'];
 }


        //$ro_access_group='CN=****,OU=Service Desk,OU=Customer Services,OU=ITS,OU=Groups,DC=registry,DC=otago,DC=ac,DC=nz';
        $ro_access_group='DC=registry,DC=otago,DC=ac,DC=nz';
        // Connect to the LDAP server
        $ldap = ldap_connect($ldap_server);

function inGroup($ldapConnection, $userDN, $groupToFind) {
    $filter = "(memberof:1.2.840.113556.1.4.1941:=".$groupToFind.")";
    $search = ldap_search($ldapConnection, $userDN, $filter, array("dn"), 1);

    $items = ldap_get_entries($ldapConnection, $search);
    echo "<pre>";
        echo var_dump($items)."<br>";
    echo "</pre>";
    if(!isset($items["count"])) {
        return false;
    }
    return (bool)$items["count"];
}
        if ($ldap) {
                // Connect to the database for querying.
//              $dbConn = connectDB();
                //$dn = "cn=" . $submittedusername . ",ou=Users,ou=Otago,dc=registry,dc=otago,dc=ac,dc=nz";

                $dn = "registry\\".$submittedusername;

                $basedn = "dc=registry,dc=otago,dc=ac,dc=nz";
                if (($submittedpassword == "") OR ($submittedpassword == NULL)) {
                        $loginResult = 'INVALIDUSER';
                } else {
                        // Now attempt to bind
                        if (ldap_bind($ldap, $dn, $submittedpassword)) {
                                $search_user=ldap_search($ldap, $basedn, "(sAMAccountName=".$submittedusername.")");
                                if($search_user){
                                echo 'Authenticated';
                                }

                                $user_details=ldap_get_entries($ldap, $search_user);
                                //$ro_name=$user_details[0]["displayname"][0];
                                if(!$user_details){
                                        $loginResult = "INVALIDUSER";
                                        echo 'null user details<br>'.sizeof($user_details);
                                }
                                else{
                                        //echo "<pre>";
                                            //echo var_dump($user_details[0])."<br>";
                                        //echo "</pre>";

                                         if(isset($user_details[0]["memberof"][0])) {
                                        $groupCount = $user_details[0]["memberof"]["count"] - 1;
                                        for ($i = 0; $i <= $groupCount; $i++) {
                                            echo $user_details[0]["memberof"][$i];
                                            echo "<br>";
                                        }
                                    }
                                        $_SESSION['itssd_email_messages_count'] = 0;
                                        $_SESSION['itssd_notifications_count'] = 0;
                                        $_SESSION['itssd_username'] = $submittedusername;
                                        $_SESSION['itssd_date_view'] = date('Y-m-d', time());
                                        $_SESSION['itssd_prod'] = FALSE;
                                        if (inGroup($ldap, $user_details[0]["dn"], $ro_access_group)) {
                                                $loginResult = "Authorised";
                                        } else {
                                                //echo "<br/><br/><br/>".$submittedusername." not in group ".$ro_access_group;
                                                //echo "<br/>".$user_details[0]["memberof"];
                                                //echo var_dump($user_details[0]["memberof"]);
                                                //echo "<br/><br/>";
                                                echo inGroup($ldap, $user_details[0]["dn"], $ro_access_group);
                                                $loginResult = "INVALIDUSER";
                                        }
                                }
                        } else {
                                $loginResult = 'INVALIDUSER';
                        }
                        $submittedpassword = NULL;
                }
                echo $loginResult;

        }
?>

Answer 1

In your inGroup method use this for your filter instead:

$filter = "(&(distinguishedName=$groupToFind)(member:1.2.840.113556.1.4.1941:=$userDN))";

The will select the group by DN first then check to see if it contains a member recursively by its DN.

Edit

If you want the search to return all groups the user is a member of use this filter:

$filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$userDN))";

like:

$filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$userDN))";
$search = ldap_search($ldapConnection, 'DC=registry,DC=otago,DC=ac,DC=nz', $filter, array("cn"));

$allGroups = ldap_get_entries($ldapConnection, $search);

The $allGroups above will container every group a user is a member of either directly or indirectly (such as a group that is a member of a different group, etc). However, is DC=registry,DC=otago,DC=ac,DC=nz really the "base" level of your domain? That should be the second argument to ldap_search.