Active Directory PHP Package

On the flip side of the Google Admin SDK, our user management interface at work interacts with Active Directory.  This allows us to create Web Access Control groups for users and assign those users to the groups within the interface so that any administrator (even those without knowledge of Active Directory or outside of the tech department) can quickly add users or block them from access to certain web sites.


Installation

This was built to comply with PSR-0 autoloading.  To use this, simply download the package from GitHub and put the /ActiveDirectory folder into your “Vendor” folder or a “Classes” folder, and then you can call the scripts from your favorite framework with your autoloader.

Usage

The config.php file contains the definitions for the Active Directory in this project.  My own framework contains a configuration file for all necessary systems that the interface touches.  To use, place these in your framework’s configuration file or, if it doesn’t use a configuration file, just include the file in the page that will access the package.

Initialize a connection

The __construct() uses the constants defined in the config.php file, so simply call:

$ad = new \ActiveDirectory\ActiveDirectory();

The AD object automatically binds to the server, so once you’ve created the object you can begin searching, creating and modifying users.

Each of the methods is written to return “true” if successful, and the error string if the operation failed. This way, you can use the following to check for errors:

$result = $ad->methodCall();
if($result !== true) {
    // on failure the method returns the error string itself
    echo "Error: $result.";
}

Users

Create the User object:

$user = new \ActiveDirectory\User();

Search for a User

The user search function requires that you pass in the attributes you are searching for. It differs from the general usage in that it does not return “true” but returns an array of elements, the first of which is the user’s DN.

$attrs = array("givenname","sn","displayname","mail","userprincipalname",
    "useraccountcontrol","accountexpires","lastlogon","pwdlastset","pwdexpired","samaccountname");
$userResults = $ad->search('gktesterton',$attrs);

Create a User

When creating a user, send an array of elements to the add() method:

$userData = array(
    "samaccountname"=>"gktesterton",
    "givenname"=>"Tester",
    "sn"=>"Testerton",
    "mail"=>"gktesterton@yourdomain.com",
    "department"=>"Human Resources",
    "userId"=>"10013"
);
$new = $user->add($userData);

Change a User Password

To change a user password, you need to instantiate the Password object which requires the User object.

$pwd = new \ActiveDirectory\Password($user);
// the following generates a password for reset
$pwd->resetPassword($username);
// the following allows the user or admin to set the password
$pwd->resetPassword($username,$new_password);

Modify a User

Modifying a user requires an associative array of new key/value pairs.

$mods = array('givenName'=>'NewName','sn'=>'NewFamilyName');
$user->modify($username,$mods);

Groups

Search for a Group

Searching for a group only requires the name of the group you are searching for. This method also differs from the norm in that it doesn’t return true, but returns the group DN.

$group = new \ActiveDirectory\Group();
$groupResults = $group->search('Alumni');

Create a Group

Creating a group is very similar to creating a user.  There is only one required parameter (groupname), and you can optionally send a description.

// groupdesc is an optional parameter, but groupname is required
$groupData = array( 
  "groupname"=>"Alumni", 
  "groupdesc"=>"Active Directory Group for Alumni Resources" 
); 
$new = $group->add($groupData);

Modify a Group

Modifying a group only requires two strings, the old name and the new name.

$group->modify($oldGroupName,$newGroupName);

Remove a Group

This also only requires a string parameter, the name of the group to remove.

$group->remove($groupname);

UserGroup class

This class allows you to search for users in a group and add or remove them from that group.  It requires that you inject the User and Group object upon creation.

$user = new \ActiveDirectory\User();
$group = new \ActiveDirectory\Group();
$ug = new \ActiveDirectory\UserGroup($user,$group);

Search for User in a Group

If you just want to see if a user is in a group, you can use the userInGroup method, which takes two string parameters:

// returns true if user is in group, false otherwise
$ug->userInGroup($username,$groupname);

Add a User to a Group

Adding a user to a group also just takes two strings, username and group name:

// Returns true if successful, error message otherwise
$ug->addUserToGroup($username,$groupname);

Removing a User from a Group

Again, this also just takes two string parameters, username and group name:

// Returns true if successful, error message otherwise
$ug->removeUserFromGroup($username,$groupname);
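The snippets above each show one call in isolation. The following is an added example (not code from the package or its author) that chains them into one provisioning run, applying the "true on success, error string on failure" convention from the Usage section so that a failed step stops the run instead of leaving a half-configured account. It assumes the package is autoloaded, that config.php with the AD constants is in the same directory, and that resetPassword() and search() behave as documented above; isValidUsername(), check() and onboardUser() are helpers written for this example, and the username pattern they enforce is an assumption about this deployment.

```php
<?php
// Added example, not part of the package: end-to-end onboarding using the
// documented User, Password, Group and UserGroup classes.
// Assumed: autoloader already registered; config.php defines the AD constants.
require_once __DIR__ . '/config.php';

// Reject anything that is not a plain sAMAccountName before it reaches the
// directory layer, so user-supplied input never shapes an LDAP filter.
// Assumption: account names here are short lowercase ASCII identifiers.
function isValidUsername(string $username): bool
{
    return preg_match('/^[a-z][a-z0-9._-]{1,19}$/', $username) === 1;
}

function isValidGroupName(string $groupname): bool
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$/', $groupname) === 1;
}

// The package returns true on success or the error string on failure;
// turn a failure into an exception that names the step that failed.
function check($result, string $step): void
{
    if ($result !== true) {
        throw new RuntimeException("$step failed: $result");
    }
}

function onboardUser(array $userData, string $groupname): array
{
    $username = $userData['samaccountname'];
    if (!isValidUsername($username) || !isValidGroupName($groupname)) {
        throw new InvalidArgumentException('rejected username or group name');
    }

    $ad    = new \ActiveDirectory\ActiveDirectory(); // binds on construction
    $user  = new \ActiveDirectory\User();
    $group = new \ActiveDirectory\Group();
    $ug    = new \ActiveDirectory\UserGroup($user, $group);

    check($user->add($userData), 'create user');

    // Let the package generate the initial password (assumed to follow the
    // true/error-string convention); the value is never echoed or logged here.
    $pwd = new \ActiveDirectory\Password($user);
    check($pwd->resetPassword($username), 'reset password');

    // Group search returns the DN rather than true; an empty result is
    // assumed to mean the group does not exist yet.
    if (empty($group->search($groupname))) {
        check($group->add(['groupname' => $groupname]), 'create group');
    }

    if (!$ug->userInGroup($username, $groupname)) {
        check($ug->addUserToGroup($username, $groupname), 'add user to group');
    }

    // Read the account back; the first element of the result is the DN.
    $found = $ad->search($username, ['samaccountname', 'mail', 'useraccountcontrol']);

    return [
        'dn'      => $found[0] ?? null,
        'inGroup' => $ug->userInGroup($username, $groupname),
    ];
}

// Usage with constructed sample data:
try {
    $summary = onboardUser([
        'samaccountname' => 'gktesterton',
        'givenname'      => 'Tester',
        'sn'             => 'Testerton',
        'mail'           => 'gktesterton@yourdomain.com',
        'department'     => 'Human Resources',
        'userId'         => '10013',
    ], 'Alumni');
    printf("Created %s, in group: %s\n", $summary['dn'], $summary['inGroup'] ? 'yes' : 'no');
} catch (Throwable $e) {
    error_log($e->getMessage());   // full detail goes to the log
    echo "Provisioning failed; see the error log.\n";
}
```

Because every write goes through check(), an administrator using the interface sees which step failed, while the raw directory error text stays in the server log rather than on the page.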

Troubleshooting

The most common error is one that appears after connecting to the AD and trying to modify or create items: “The server is unwilling to perform.”  This is a result of secure certificates not being loaded in your server’s ldap.conf file.  This article explains how to set that up.

Another issue is not properly loading the required classes (autoloaders will properly load the files), or not loading the config file with the connections to your AD server.

If both of these items are met, this package should allow you to manipulate users and groups at will.
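To tell a certificate problem apart from a package or autoloading problem, it helps to exercise the LDAP connection on its own with PHP's built-in ldap_* functions. The script below is an added diagnostic, not part of the package: it requires a trusted CA file and a verified server certificate (the same effect as TLS_CACERT and TLS_REQCERT demand in ldap.conf), then reports where connect, STARTTLS or bind fails, including the server's extended error text. The constant names AD_URI, AD_BIND_DN, AD_BIND_PW and AD_CA_FILE are constructed for this example; set them from your own configuration file.

```php
<?php
// Added diagnostic, not part of the package: verify the TLS-protected LDAP
// session that password and attribute writes to AD depend on.
// Assumed constants (constructed names; define them in your config):
//   AD_URI      e.g. 'ldap://dc1.yourdomain.com'
//   AD_BIND_DN  e.g. 'CN=svc-usermgmt,OU=Service Accounts,DC=yourdomain,DC=com'
//   AD_BIND_PW  service account password
//   AD_CA_FILE  PEM bundle containing the CA that issued the DC certificate

function describeLdapState($conn): string
{
    // LDAP_OPT_DIAGNOSTIC_MESSAGE carries the server's extended error text,
    // which ldap_error() alone leaves out.
    $detail = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    return sprintf('%d %s %s', ldap_errno($conn), ldap_error($conn), (string) $detail);
}

function checkAdTls(string $uri, string $bindDn, string $bindPw, string $caFile): array
{
    $report = [];

    // An empty password would turn the bind into an anonymous/unauthenticated
    // bind, which AD accepts but which proves nothing; refuse it outright.
    if ($bindPw === '') {
        return ['config' => 'bind password is empty'];
    }

    // Trust only the configured CA and demand a valid server certificate.
    // Passing null applies the setting process-wide, before any connection.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect($uri);
    if ($conn === false) {
        return ['connect' => 'invalid LDAP URI'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    $report['connect'] = 'ok';

    // AD refuses password writes over a plain session; a STARTTLS failure
    // here is the usual root cause of "unwilling to perform" on create/modify.
    if (!str_starts_with($uri, 'ldaps://')) {
        if (!@ldap_start_tls($conn)) {
            $report['starttls'] = describeLdapState($conn);
            return $report;
        }
        $report['starttls'] = 'ok';
    }

    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        $report['bind'] = describeLdapState($conn);
        ldap_unbind($conn);
        return $report;
    }
    $report['bind'] = 'ok';
    ldap_unbind($conn);
    return $report;
}

// Usage:
foreach (checkAdTls(AD_URI, AD_BIND_DN, AD_BIND_PW, AD_CA_FILE) as $step => $state) {
    echo str_pad($step, 10) . $state . PHP_EOL;
}
```

If the starttls line reports a certificate verification error, the CA bundle is the thing to fix; if all three steps report ok and the package still fails, look at the autoloader and config.php instead.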
