Before I start, I apologize for the lengthy explanation...
At work we have a small web app that keeps track of some training and stuff given to the agents. I'm re-writing this app and I'm moving all user management out of the app; since the company uses LDAP, I'm using it to authenticate the users. The reason for moving user management out of the app is that there were at least 3 DBs with usernames/passwords and it was hard to keep them synced.
I can do some basic authentication when the user logs in, but then in most of the pages I have to display a list of a subset of the agents. In the local DB we used to have an agent table with fields like id, name, username, password, team_id, disabled, temporarely_not_scheduled, etc.
I now have id, username, team_id on that table as I'm relying on LDAP for the rest of the info.
In most pages I have to list a group of users, and I'm currently checking that each user is part of a certain group in LDAP, but then the site performs really slowly.
These are the functions I use:
    /**
     * Validates user login
     * @param $username
     * @param $passwd
     * @return true on success
     */
    function login($username, $passwd){
        if(!$this->isInLDAP($username, $passwd)){
            return false;
        }
        if(!$this->isInLDAPGroup($username, config::LDAP_AGENTS) && !$this->isInLDAPGroup($username, config::LDAP_FTE_ALL)){
            return false;
        }
        return true;
    }
    /**
     * Validates the user in the LDAP server
     * @param $username Username
     * @param $password Password
     * @return true if user exists with given password
     */
    function isInLDAP($username, $password){
        // An empty password turns ldap_bind() into an anonymous bind, which many
        // directories accept, so it must be rejected before binding. A username
        // containing '@' would also change which UPN is bound, so reject that too.
        if($password === '' || strpos($username, '@') !== false){
            return false;
        }
        $ldap = ldap_connect(config::LDAP_SERVER);
        if(!$ldap){
            return false;
        }
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        $bound = @ldap_bind($ldap, $username . "@" . config::LDAP_SERVER, $password);
        ldap_unbind($ldap);
        return (bool) $bound;
    }
    /**
     * Checks if user is in given ldap group
     * @param string $username
     * @param string $group  full DN of the group
     */
    function isInLDAPGroup($username, $group){
        //connect to the LDAP server for group checking
        $ld_connect = ldap_connect(config::LDAP_SERVER);
        if(!$ld_connect){
            return false;
        }
        ldap_set_option($ld_connect, LDAP_OPT_PROTOCOL_VERSION, 3);
        if(!@ldap_bind($ld_connect, config::LDAP_USER, config::LDAP_PASS)){
            return false;
        }
        // Escape the username so filter metacharacters in it ( * ( ) \ NUL )
        // cannot alter the query (LDAP filter injection).
        $ld_filter = "(cn=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
        $ld_data = array("memberof");
        $ld_sr = @ldap_search($ld_connect, config::LDAP_BASE_DN, $ld_filter, $ld_data);
        $ld_info = $ld_sr ? ldap_get_entries($ld_connect, $ld_sr) : false;
        ldap_unbind($ld_connect);
        if(!isset($ld_info[0]['memberof']['count'])){
            return false; // No group info
        }
        //search through list of groups (DNs compare case-insensitively)
        for ($x = 0; $x < $ld_info[0]['memberof']['count']; $x++){
            if (strcasecmp($ld_info[0]['memberof'][$x], $group) == 0){
                return true;
            }
        }
        return false;
    }
In my local DB I have about 1,000 records out of which only ~130 are active and are on LDAP.
Every time I need to query for a group of users I run something like this:
SELECT username FROM agent_main WHERE team_id = 1
and then I iterate through the results and run my isInLDAPGroup() function, sending the username and one of my static vars (config::LDAP_AGENTS).
By doing this I don't need to see if the agent is disabled or temporarily_not_scheduled, since those agents are removed from LDAP.
The problem is that I can't query LDAP for a specific group of users (let's say for what team_id=1 would give me). I should also mention that we're part of a huge company, so the Directory is pretty big.
Talking with some people (with the same small amount of knowledge that I have), we thought of creating a local cache of the agents that are part of the two groups that my organization is part of: something like creating/updating a table with just the usernames of people that are part of those groups. This process would need to be running periodically on the server... OR I could create a cache for every user that logs in. I was thinking that I could store those usernames in the $_SESSION var (about ~130 names), if SESSION can hold that much info.
Either way I don't know if any of these ideas are good.
Any suggestions? What would you recommend?
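The per-user isInLDAPGroup() loop costs one connection, bind and search for every row the SQL query returns; the directory can instead be asked once for every account whose memberOf contains the group DN, and that one result reused for the whole page. The following is an added example (not code from the original post): a single-search group fetch with a short-lived, app-owned cache file, and an intersection helper for the DB rows. It assumes the post's config constants (LDAP_SERVER, LDAP_USER, LDAP_PASS, LDAP_BASE_DN, and LDAP_AGENTS holding the group's full DN), an Active Directory style schema where accounts carry sAMAccountName, and a cache directory that only the web app's user can write (the GROUP_CACHE_DIR and GROUP_CACHE_TTL values are made up for the example).

```php
<?php
// Added example, not part of the original post. Assumes the config class from
// the post and ext/ldap; GROUP_CACHE_DIR must be outside the web root and
// writable only by the app user: whoever can write the cache decides who is
// "in the group", so it is an authorization artifact, not just a speed-up.
const GROUP_CACHE_DIR = __DIR__ . '/../cache';   // assumption: private app directory
const GROUP_CACHE_TTL = 300;                      // seconds; membership changes show up within 5 min

/**
 * One LDAP search returning the lower-cased usernames of all direct members of
 * $groupDn, keyed by username for O(1) lookup. Returns null (not an empty
 * array) on LDAP failure so the caller can fall back to the last good copy.
 */
function fetchGroupMembers(string $groupDn): ?array {
    $ld = ldap_connect(config::LDAP_SERVER);
    if (!$ld) {
        return null;
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ld, config::LDAP_USER, config::LDAP_PASS)) {
        return null;
    }
    // The DN is used as a filter VALUE here, so it is escaped with the filter
    // rules, not the DN rules.
    $filter = '(&(objectClass=user)(memberOf='
            . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . '))';
    $sr = @ldap_search($ld, config::LDAP_BASE_DN, $filter, ['samaccountname']);
    if (!$sr) {
        ldap_unbind($ld);
        return null;
    }
    $members = [];
    for ($e = ldap_first_entry($ld, $sr); $e !== false; $e = ldap_next_entry($ld, $e)) {
        $vals = ldap_get_values($ld, $e, 'samaccountname');
        if ($vals && $vals['count'] > 0) {
            $members[strtolower($vals[0])] = true;
        }
    }
    ldap_unbind($ld);
    return $members;
}

/**
 * Cached wrapper: hits LDAP at most once per TTL per group and keeps serving
 * the last good copy if the directory is unreachable.
 */
function cachedGroupMembers(string $groupDn): array {
    $file   = GROUP_CACHE_DIR . '/ldapgroup_' . sha1($groupDn) . '.json';
    $cached = is_file($file) ? json_decode((string) file_get_contents($file), true) : null;
    if (is_array($cached) && isset($cached['fetched'], $cached['members'])
        && time() - $cached['fetched'] < GROUP_CACHE_TTL) {
        return $cached['members'];
    }
    $fresh = fetchGroupMembers($groupDn);
    if ($fresh === null) {
        return is_array($cached) ? ($cached['members'] ?? []) : [];
    }
    // Write to a temp name and rename: a concurrent request never reads a
    // half-written file.
    $tmp = $file . '.' . getmypid();
    file_put_contents($tmp, json_encode(['fetched' => time(), 'members' => $fresh]), LOCK_EX);
    rename($tmp, $file);
    return $fresh;
}

/** Keep only the DB rows whose username is currently a member of the group. */
function activeAgents(array $dbRows, array $members): array {
    return array_values(array_filter(
        $dbRows,
        fn(array $row) => isset($members[strtolower($row['username'])])
    ));
}

// Usage (one LDAP search per page instead of one per agent); $pdo is assumed:
// $rows   = $pdo->query('SELECT username FROM agent_main WHERE team_id = 1')
//               ->fetchAll(PDO::FETCH_ASSOC);
// $agents = activeAgents($rows, cachedGroupMembers(config::LDAP_AGENTS));
```

Two caveats for this approach: the (memberOf=DN) filter only matches direct members, so if the agent groups nest other groups, Active Directory needs the matching-rule-in-chain form (memberOf:1.2.840.113556.1.4.1941:=DN) in the filter instead; and AD returns at most its MaxPageSize (1000 by default) entries per search, which is fine for ~130 agents but would need the paged-results control for larger groups. The login check itself should keep going to LDAP on every login rather than the cache, since the cache is only as fresh as its TTL.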