问题描述
正如您在下面看到的,当我对安全组进行 LDAP 搜索时,我没有获得任何用户信息.我想使用 $_SERVER[remote_user]
来检查用户是否是该组的成员.我还想检索该用户的信息并用它更新 sql 数据库.这可能吗?
As you can see below I'm not getting any user info when I do a LDAP search to the security group. I want to use the $_SERVER[remote_user]
to check if the user is a member of this group. I would also like to retrieve the info of this user and update the sql database with it. Is this possible?
$dn = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(member=*)";
$ad = ldap_connect("IP") or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
$bd = ldap_bind( $ad, "username@mydomain.local", "password") or die("Can't bind to server.");
$sr = ldap_search($ad,$dn,$filter);
$entries = ldap_get_entries($ad, $sr);
print_r($entries);
返回这个:
Array
(
[count] => 1
[0] => Array
(
[objectclass] => Array
(
[count] => 2
[0] => top
[1] => group
)
[0] => objectclass
[cn] => Array
(
[count] => 1
[0] => Intra
)
[1] => cn
[description] => Array
(
[count] => 1
[0] => Group for (LDAP) INTRANET server access
)
[2] => description
[member] => Array
(
[count] => 4
[0] => CN=Fname1 Lname1,OU=Mail enabled users,OU=Aberdeen,DC=mydomain,DC=local
[1] => CN=Fname2 Lname2,OU=Mail enabled users,OU=Forres,DC=mydomain,DC=local
[2] => CN=Fname3 Lname3,OU=Houston,DC=mydomain,DC=local
[3] => CN=Fname4 Lname4,OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local
)
[3] => member
[distinguishedname] => Array
(
[count] => 1
[0] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
[4] => distinguishedname
[instancetype] => Array
(
[count] => 1
[0] => 4
)
[5] => instancetype
[whencreated] => Array
(
[count] => 1
[0] => 20100711172407.0Z
)
[6] => whencreated
[whenchanged] => Array
(
[count] => 1
[0] => 20100712063949.0Z
)
[7] => whenchanged
[usncreated] => Array
(
[count] => 1
[0] => 17491499
)
[8] => usncreated
[usnchanged] => Array
(
[count] => 1
[0] => 17498823
)
[9] => usnchanged
[name] => Array
(
[count] => 1
[0] => Intra
)
[10] => name
[objectguid] => Array
(
[count] => 1
[0] =>
)
[11] => objectguid
[objectsid] => Array
(
[count] => 1
[0] =>
)
[12] => objectsid
[samaccountname] => Array
(
[count] => 1
[0] => Intra
)
[13] => samaccountname
[samaccounttype] => Array
(
[count] => 1
[0] => 268435456
)
[14] => samaccounttype
[grouptype] => Array
(
[count] => 1
[0] => -2147483646
)
[15] => grouptype
[objectcategory] => Array
(
[count] => 1
[0] => CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=local
)
[16] => objectcategory
[count] => 17
[dn] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
)
当我使用正常的 DN 时一切正常:
Everything worked fine when I used the normal DN:
$dn = "OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local";
但是一位 AD 专家告诉我,这是一个很大的 NO-NO,我应该改用安全组:
But a AD expert told me this was a big NO-NO and that I should use Security Groups instead :
推荐答案
这样查询AD:
$dn = "DC=mydomain,DC=local";
$group_DN = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(&(objectCategory=user)(memberOf=$group_DN))";
// ...
$sr = ldap_search($ad, $dn, $filter);
查看关于 LDAP 的 MSDN 文章搜索过滤器语法 以获取有关更复杂过滤器的信息.
Have a look at the MSDN article about the LDAP search filter syntax for info on more complex filters.
请务必注意该页面下方的特殊字符部分.正确的解决方案必须先通过转义机制传递 $group_DN
,然后才能在过滤器字符串中使用它!
Be sure to pay attention to the Special Characters section down on that page. A correct solution must pass $group_DN
through an escaping mechanism before using it in the filter string!
始终尝试构建尽可能具体的过滤器.让 LDAP 服务器整理出您不想要的记录会更有效,而不是通过网络传输的记录多于您需要的记录,然后在客户端丢弃其中的一半.
Always try build filters as specific as possible. It is more efficient to let the LDAP server sort out records you don't want, instead of having more records transferred over the wire than you need and throw away half of them on the client.
这篇关于如何使用 LDAP 和 PHP 从 Active Directory 安全组中检索用户信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!