php ldap-bind expired password

Problem description

I am using the adldap plugin to connect to a Windows Server AD but my issue is with php ldap_bind as far as I can tell.

When a user types in an incorrect password, the error returned from ldap_error (which is used by adldap) is 'Invalid Credentials'. So far so good.

The problem arises when a user's password expires or in AD the user is set to change password on next logon (new user, password reset, etc). In this case whatever password the user enters to authenticate, ldap_error returns 'Invalid Credentials'. This means that I cannot tell if the user actually knows the expired password or not.

Has anyone got any idea how I can get around this issue?

Recommended answer

Since I had the same problem I searched and found a solution.

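// Define the option constant only if this PHP build does not already provide it.
if (!defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
    define('LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032);
}

$handle = ldap_connect('ldap://active.directory.server/');
$bind = ldap_bind($handle, 'user', 'expiredpass');

// Only a failed bind has a diagnostic message worth reporting.
if (!$bind) {
    if (ldap_get_option($handle, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error)) {
        echo "Error Binding to LDAP: $extended_error";
    } else {
        echo "Error Binding to LDAP: No additional information is available.";
    }
}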

This will return something like the following:

Error Binding to LDAP: 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 773, v2580

The important part is the code after 'data', which represents the LDAP sub codes for error code 49.

You may parse the sub code using this function:

// Returns the text between "data " and the next comma (e.g. "773"), or null if absent.
function parseExentedLdapErrorCode($message) {
    $code = null;
    if (preg_match("/(?<=data\s).*?(?=\,)/", $message, $code)) {
        return $code[0];
    }
    return null;
}
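
An added example, not part of the original answer: it maps the sub code to its meaning and decides what the login form may reveal. The table lists the commonly documented Active Directory sub codes for result 49; the name classifyAdBindFailure, the user messages and the sample strings are constructed here, and the premise that 532 and 773 are returned only when the supplied password was correct is an assumption to confirm against your own domain controller.

```php
<?php
// Added example: sub-code meanings are the commonly documented Active Directory
// values for LDAP result code 49; they are not taken from the original answer.
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];
// Assumption: AD reports these only when the supplied password was correct.
const PASSWORD_CHANGE_SUBCODES = ['532', '773'];

function classifyAdBindFailure(string $diagnostic): array
{
    // The sub code is a hex value ("52e"), so match hex digits, not just decimals.
    $sub = preg_match('/\bdata\s+([0-9a-f]+)\s*,/i', $diagnostic, $m)
        ? strtolower($m[1]) : '';
    $mustChange = in_array($sub, PASSWORD_CHANGE_SUBCODES, true);
    return [
        'subcode' => $sub,
        'reason' => AD_BIND_SUBCODES[$sub] ?? 'unknown',
        'must_change_password' => $mustChange,
        // Show one generic message for every other failure so the login form
        // does not reveal which accounts exist, are disabled or are locked.
        'user_message' => $mustChange
            ? 'Your password must be changed before you can sign in.'
            : 'Invalid username or password.',
    ];
}

// Constructed diagnostic strings in the format shown above (not captured from a server).
$samples = [
    '80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 773, v2580',
    '80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580',
    '80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 525, v2580',
];
foreach ($samples as $s) {
    $r = classifyAdBindFailure($s);
    // The detailed reason belongs in the server-side log only.
    error_log("bind failed: subcode={$r['subcode']} reason={$r['reason']}");
    echo $r['user_message'], PHP_EOL;
}
```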
