I have a Symfony webapp, hosted inside the company on Ubuntu, running Apache Webserver. I can create a folder on a network share (using icewind/smb) and I can create the RO- and RW-Groups inside the Active Directory (using the LDAP-Component from Symfony).
My problem now is that I can't find a way to attach these groups as security groups to the new folder.
Here is my code so far:
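/**
 * Creates a folder on the SMB share for the submitted form data and then
 * creates the matching RO/RW groups in Active Directory.
 *
 * @param array{selectPrefix?: string, folderName?: string} $data raw form input (untrusted)
 *
 * @return bool false when the selected section is unknown (an error flash is added),
 *              true once the folder and the groups have been created
 *
 * @throws \InvalidArgumentException when the folder name contains anything outside [A-Za-z0-9_-]
 */
public function createLdapFolder(array $data): bool
{
    // Section (OU or special key) -> prefix that is put in front of the folder name.
    $prefixMapping = [
        'OU=Section1,OU=_Company,DC=company,DC=local' => 'S1_',
        'OU=Section2,OU=_Company,DC=company,DC=local' => 'S2_',
        'OU=Section3,OU=_Company,DC=company,DC=local' => 'S3_',
        'OU=Section4,OU=_Company,DC=company,DC=local' => 'S4_',
        'general' => 'All_',
        'scan' => 'Scan_',
        'appstorage' => '',
    ];

    // Both values come straight from the request. Default to '' so that a missing
    // key fails the checks below instead of raising an "undefined index" warning.
    $selectPrefix = $data['selectPrefix'] ?? '';
    $folderName = $data['folderName'] ?? '';

    // Whitelist the name: it becomes a path segment on the share and a DN
    // component in AD, so '/', '\', ',', '=' and friends must never get through.
    if (!preg_match('/^[a-zA-Z0-9_\-]+$/', $folderName)) {
        throw new \InvalidArgumentException('Invalid Foldername.');
    }

    if (!isset($prefixMapping[$selectPrefix])) {
        $this->requestStack->getCurrentRequest()->getSession()->getFlashBag()->add(
            'error',
            'Invalid Section.'
        );

        return false;
    }

    $completeFolderName = $prefixMapping[$selectPrefix] . $folderName;

    // Connection to the file server; credentials come from the environment.
    // LDAP_IP is used here as the address of the SMB server.
    $auth = new BasicAuth($_ENV['LDAP_USERNAME'], 'company', $_ENV['LDAP_PASSWORD']);
    $server = (new ServerFactory())->createServer($_ENV['LDAP_IP'], $auth);

    // 'appstorage' lives on its own share, everything else goes to the default share.
    // Strict comparison: $selectPrefix is always a string here.
    $shareName = $selectPrefix === 'appstorage'
        ? $_ENV['LDAP_SHARE_APPSTORAGE']
        : $_ENV['LDAP_SHARE_1'];

    $server->getShare($shareName)->mkdir($completeFolderName);

    // NOTE(review): the groups are named after the raw name, not after
    // $completeFolderName (prefix included) — confirm this is intended.
    $this->createLdapFolderGroups($folderName);

    return true;
}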
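/**
 * Creates the AD security groups GG_Folder_<name>-RO and GG_Folder_<name>-RW
 * below OU=Folder of the configured global-groups base DN.
 *
 * @param string $folderName folder name; must match [A-Za-z0-9_-]+ because it is spliced into a DN
 *
 * @return bool always true; failures are reported by exception
 *
 * @throws \InvalidArgumentException when $folderName contains DN or path separators
 * @throws \Exception when the directory rejects one of the entries; the original
 *                    exception is attached as "previous"
 */
public function createLdapFolderGroups(string $folderName): bool
{
    // The method is public, so re-check the name here instead of trusting the
    // caller: ',', '=', '+', '"' or '\' would change the DN built below.
    if (!preg_match('/^[a-zA-Z0-9_\-]+$/', $folderName)) {
        throw new \InvalidArgumentException('Invalid Foldername.');
    }

    $baseDn = 'OU=Folder,' . $_ENV['LDAP_GLOBAL_GROUPS_BASE_DN'];

    // -2147483646 == 0x80000002: global group, security enabled.
    $groupType = -2147483646;

    try {
        foreach (['RO', 'RW'] as $suffix) {
            $cn = 'GG_Folder_' . $folderName . '-' . $suffix;
            $entry = new Entry('cn=' . $cn . ',' . $baseDn, [
                'sAMAccountName' => [$cn],
                'objectClass' => ['top', 'group'],
                'groupType' => [$groupType],
            ]);

            $this->ldap->getEntryManager()->add($entry);
            // Log right after each add so a failure of the second group
            // does not hide that the first one already exists.
            $this->logger->info("Group {$cn} created.");
        }

        return true;
    } catch (\Exception $e) {
        $this->logger->error('Error by creating group: ' . $e->getMessage());
        // Keep the driver exception reachable for callers via getPrevious().
        throw new \Exception('Error by creating group: ' . $e->getMessage(), 0, $e);
    }
}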
I also have some very old code from an old test project, but it only worked when the webserver was hosted on a Windows system, not on Linux.
// Legacy snippet from the old (Windows-hosted) test project: creates GG_<name>-RO/-RW
// in OU=GlobalGroups and then tries to attach them and an ACL to $existingFolderPath
// through LDAP. $ldapConnection, $folderName and $existingFolderPath are defined
// outside this excerpt.
$globalGroupsBaseDN = 'OU=GlobalGroups,DC=testdc,DC=local';
$groupName="GG_" . $folderName;
$groupRO = $groupName . '-RO';
$groupRW = $groupName . '-RW';
// NOTE(review): $folderName is concatenated into a DN without validation; the
// newer code above whitelists it with [A-Za-z0-9_-]+, which should apply here too.
$newGroupRODN = 'CN=' . $groupRO . ',' . $globalGroupsBaseDN;
$newGroupRWDN = 'CN=' . $groupRW . ',' . $globalGroupsBaseDN;
$newGroupROAttributes['objectClass'] = ['group', 'top'];
$newGroupROAttributes['cn'] = $groupRO;
$newGroupROAttributes['sAMAccountName'] = $groupRO;
$newGroupRWAttributes['objectClass'] = ['group', 'top'];
$newGroupRWAttributes['cn'] = $groupRW;
$newGroupRWAttributes['sAMAccountName'] = $groupRW;
// Return values are not checked; a failed ldap_add only emits a warning here.
ldap_add($ldapConnection, $newGroupRODN, $newGroupROAttributes);
ldap_add($ldapConnection, $newGroupRWDN, $newGroupRWAttributes);
// Add security group to folder
// NOTE(review): the "RO" attribute set carries the RW DN and vice versa — the
// two look swapped.
$groupAttributeRO = [
'member' => [$newGroupRWDN]
];
$groupAttributeRW = [
'member' => [$newGroupRODN]
];
// NOTE(review): ldap_mod_add expects a DN as the second argument; a folder path
// is not an LDAP entry, so these calls presumably never succeeded — verify.
ldap_mod_add($ldapConnection, $existingFolderPath, $groupAttributeRO);
ldap_mod_add($ldapConnection, $existingFolderPath, $groupAttributeRW);
// Debugging leftovers: the exit below stops the script, so nothing after it runs.
var_dump($existingFolderPath).'
';
var_dump($groupAttributeRO); exit;
// Set security
// NOTE(review): the permission names below are not SDDL; a security descriptor
// string has the form D:(ace)(ace)... with ACEs made of access-mask flags and
// SIDs. NTFS folder ACLs are also not an attribute of a directory object, so
// writing ntSecurityDescriptor via LDAP cannot set share-folder permissions —
// that is most likely why this only appeared to work on Windows.
$permissionsRO = [
'read',
'list',
'read_property',
'execute',
];
$permissionsRW = [
'write',
'read',
'list',
'read_property',
'execute',
'delete',
];
$securityDescriptor="D:P(" . implode(',', $permissionsRO) . ')';
ldap_mod_replace($ldapConnection, $existingFolderPath, ['ntSecurityDescriptor' => [$securityDescriptor]]);
// The second replace overwrites the first: only the RW descriptor would remain.
$securityDescriptorRW = 'D:P(' . implode(',', $permissionsRW) . ')';
ldap_mod_replace($ldapConnection, $existingFolderPath, ['ntSecurityDescriptor' => [$securityDescriptorRW]]);
Could anyone please help me make this work on a Linux webserver?