Domain (LDAP) authentication in Codeigniter

The article is aimed at beginners Codeigniter-schiki, such as me.
In the process of creating the internal site of one of the Russian companies, there was a need to restrict user access to certain pages, functions. Since all users are in the domain, it makes sense to use domain authentication on the site.
Finding information on your own is, in principle, not difficult. Search engines have not been canceled yet. I just decided to collect the pieces I found and combine them into one, in Russian.
Assume that CI is already installed and configured. By the way, on one of the western sites , there are many good and comprehensive video tutorials on setting up and using Codeigniter.
Add the library and configuration file
Of course, there are some functions in PHP itself, but using them is not always rational. Let's take the adLDAP library as the basis . It has everything you need and more.
First, create a configuration file, for example, adldap.php and put it in \ system \ application \ config \ Next, you need to add the library. But how to make it so that it can be used in CI, like the rest? One programmer has already done this for us, and provided it for public use (he claims that the license is not violated). We will add it to \ system \ libraries \ and name it, for example Adldap.php. After the above manipulations, the library can be used in Codeigniter, as well as others, for example:
$config['account_suffix'] = '@dom.ru';
$config['base_dn'] = 'DC=dom,DC=ru';
$config['domain_controllers'] = array ("DC01.dom.ru");
$config['ad_username'] = 'web_user';
$config['ad_password'] = 'web_passS8';
$config['real_primarygroup'] = true;
$config['use_ssl'] = false;
$config['use_tls'] = false;
$config['recursive_groups'] = true;$this->load->library('Adldap');
$this->adldap->authenticate($username, $password);We will write a small authorization code
Make it easy.
First, create a form for entering a username and password:
Secondly, the controller and the function itself for authorization in the domain. But the domain is large and there are many users, and if you just check the password and login, then all members of the domain will have limited parts of the site.
For finer tuning, you need one more parameter to check - group (Active Directory). Let's name it, for example Web_Group, and add the users we need: That's all. Now, in any other function, you can check and, depending on the result, provide or not provide access. Approximately it should look like this: Now it remains only to add the function of destruction of the session (Logout): Thank you for your attention. UPD: found another interesting LDAP library .
//Создаем контроллер
class login extends Controller {
//Функция для проверки логина, пароля и группы
function gateway() {
//Подключаем библиотеку
$this->load->library('Adldap');
//Проверяем логин и пароль
$authUser = $this->adldap->authenticate($this->input->post('username'), $this->input->post('password'));
//проверяем наличие пользователя в группе
$groupinfo = $this->adldap->user_ingroup($this->input->post('username'), 'Web_Group', 'NULL');
//В случае если $authUser и $groupinfo истина
if ($authUser === true and $groupinfo === true) {
//Осталось только добавить информацию в массив сессии о том, что проверка успешна и доступ к определенным ресурсам открыт
$data = array('username' => $this->input->post('username'), 'usergroup_access' => 'Web_Group', 'is_logged_in' => true);
$this->session->set_userdata($data);
redirect();
} else {
echo "Ошибка авторизаци";
}
}
}function view_data() {
//Вытаскиваем и проверяем прошел или нет пользователь авторизацию
if ($this->session->userdata('is_logged_in') == true) {
echo "Доступ к данным открыт";
} else {
echo "Доступ закрыт";
}
}function logout() {
$this->session->sess_destroy();
redirect();
}