PHP LDAP search issue

Updated: 2024-10-27 06:31:38


I'm trying for the first time to use LDAP in some PHP code. I want to determine if someone is a member of a particular AD group.

I've cobbled together some code from other examples and this runs without error, but indicates 0 results, when the user is in fact a member of the group.

Here is my code:

    $hostname="192.168.1.1";
    $conn=ldap_connect($hostname, 389);
    ldap_set_option ($conn, LDAP_OPT_REFERRALS, 0) or die('Unable to set LDAP opt referrals');
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
    if ($conn) {
        $dn = "DC=domain,DC=local";
        // if (!($ldapc=ldap_bind($conn,'CN=Username,CN=Users,DC=domain,DC=local','P@ssw0rd'))) {
        if (!($ldapc=ldap_bind($conn,'username@domain.local','N0tMyP@ssw0rd'))) {

Is the full CN=..., DC=... form or the @domain.local form the preferred method here?

Also, I am assuming that all searches performed for membership will be against the user authenticated by the ldap_bind()?

Code continues:

            echo "<p>Error:" . ldap_error($conn) . "</p>";
            echo "<p>Error number:" . ldap_errno($conn) . "</p>";
            echo "<p>Error:" . ldap_err2str(ldap_errno($conn)) . "</p>";
            die;
        }
        $attributes = array("memberOf");
        $filter = "(memberOf=myGroup,OU=Application Security,DC=domain,DC=local)";
        $result = ldap_search($conn, $dn, $filter, $attributes);
        echo $result."<BR />";
        $info = ldap_get_entries($conn, $result);
        echo $info["count"]." entries returned.\n";
        for ($i=0; $i < $info["count"]; $i++) {
            echo $info[$i]["ou"][0];
        }
    } else {
        echo "<h4>Unable to connect to LDAP server</h4>";
    }
    ldap_unbind($conn);

EDIT: After suggestions below, I was able to get this working as expected. Here is the final working code for those who would benefit...

    $hostname="192.168.1.1";
    $conn=ldap_connect($hostname, 389);
    ldap_set_option ($conn, LDAP_OPT_REFERRALS, 0) or die('Unable to set LDAP opt referrals');
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
    if ($conn) {
        $dn = "DC=domain,DC=local";
        if (!($ldapc=ldap_bind($conn,'CN=Administrator,CN=Users,DC=domain,DC=local','password'))) {
            echo "<p>Error:" . ldap_error($conn) . "</p>";
            echo "<p>Error number:" . ldap_errno($conn) . "</p>";
            echo "<p>Error:" . ldap_err2str(ldap_errno($conn)) . "</p>";
            die;
        }
        $filter = "(memberOf=cn=Dashboard,OU=Application Security,DC=domain,DC=LOCAL)";
        $result = ldap_search($conn, $dn, $filter);
        // $attributes = array('samaccountname');
        //$result = ldap_search($conn, $dn, $filter, $attributes);
        $info = ldap_get_entries($conn, $result);
        echo $info["count"]." entries returned.<br />";
        for ($i=0; $i < $info["count"]; $i++) {
            echo $i . " " . $info[$i]["samaccountname"][0] . "<br />";
        }
    } else {
        echo "<h4>Unable to connect to LDAP server</h4>";
    }
    ldap_unbind($conn);

Best answer


Personally I prefer the cn=... way to bind to a directory as it's universal. The username@domain version only works on AD.

And the user that binds to the directory is NOT the user you are looking up the groups for but the user you are looking up the information with.

So when the user you are binding to the LDAP-Server with doesn't have the right to see the group information you won't have much luck. On the other hand, if you'd need to login with the user you are looking up the group-memberships for, you could only retrieve the group-memberships when you know the password of the user. That would be a bit strange, wouldn't it?

And as the user binding to the LDAP-Server only has to have read-permission to the LDAP-Server, often it is possible to use an anonymous bind without the need for a real user to bind. You would then simply omit the user and password fields on the ldap_bind. But that depends on the setup of the Server.

To get the number of results returned by your query you can also use the ldap_count_entries($connectionHandle, $resultHandle) function, but I assume that there is an issue in your search-filter.

The search-filter has to contain a query. In your case you just give a string but you don't tell the LDAP-Server which field to map it against. The filter always looks something like this: <fieldname>=<querystring>. So in your case that would be memberOf=cn=mygroup,OU=Application Security,DC=domain,DC=local. The difference being that the group is identified by its complete DN which (I assume here) is cn=mygroup,OU=Application Security,DC=domain,DC=local. You'll have to verify that!

The query will return you all users that are a member of that role. And it will only return you the memberOf attribute of those users, which you know already. So you should either leave the $attributes empty or use something like ['cn', 'sAMAccountName', 'mail'] to get the CN, the user's ID and the email address returned.

In a second step you will then have to check whether the user you are looking for actually is in that returned array.

Alternatively you could just search for the user (filter would be something like mail=<email-address> or sAMAccountName=<user-ID>) and get the memberOf value returned. You will then have to look whether the required group is one of the ones in the memberOf entry.

Scared? Didn't understand it? Don't worry. Ask!
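The answer's second approach (search for the user, then inspect its memberOf values), as an added example that is not code from the question or the answer; the host, base DN, the ldap-reader service account, the LDAP_READER_PASSWORD environment variable and the group DN are assumptions:

```php
<?php
// Added example, not the asker's or answerer's code: look up one user, read its memberOf
// attribute and compare it against the required group DN (the answer's second approach).
// Host, base DN, service account, env var and group DN are placeholders assumed here.

function userIsMemberOf(string $username, string $groupDn): bool
{
    $host   = 'ldap://192.168.1.1';                          // placeholder, plain LDAP as in the question
    $baseDn = 'DC=domain,DC=local';
    $bindDn = 'CN=ldap-reader,CN=Users,DC=domain,DC=local';  // assumed read-only service account
    $bindPw = getenv('LDAP_READER_PASSWORD') ?: '';          // keep the secret out of the source

    $conn = ldap_connect($host) ?: throw new RuntimeException('Invalid LDAP URI');
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind as the service account, not as the user being checked: the bind
    // identity only needs read access to the directory (see the answer).
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($conn));
    }

    // Escape the untrusted username so it cannot change the filter's structure
    // (characters such as * ( ) \ would otherwise be interpreted by the server).
    $safeUser = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter   = "(&(objectClass=user)(sAMAccountName={$safeUser}))";

    $result  = ldap_search($conn, $baseDn, $filter, ['memberOf']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    ldap_unbind($conn);

    if ($entries === false || $entries['count'] !== 1) {
        return false;   // unknown or ambiguous user: treat as not a member
    }

    // ldap_get_entries() lower-cases attribute names. memberOf lists direct
    // memberships only; compare DNs case-insensitively, as AD DNs are not case-sensitive.
    $groups = $entries[0]['memberof'] ?? ['count' => 0];
    for ($i = 0; $i < $groups['count']; $i++) {
        if (strcasecmp($groups[$i], $groupDn) === 0) {
            return true;
        }
    }
    return false;
}

var_dump(userIsMemberOf('jdoe', 'CN=Dashboard,OU=Application Security,DC=domain,DC=local'));
```

Because memberOf only reflects direct membership, a check that must honour nested groups on AD should instead search with the LDAP_MATCHING_RULE_IN_CHAIN rule, i.e. a filter of the form (memberOf:1.2.840.113556.1.4.1941:=<group DN>).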


Published: 2023-07-28 18:40:00
Source: https://www.elefans.com/category/jswz/34/1307957.html