PHP LDAP使用服务器的用户帐户绑定AD [英] PHP LDAP binding AD with the server's user account

问题描述

我有一些使用PHP和LDAP连接到AD的代码:

I have some code that uses PHP and LDAP to connect to AD:

$host = 'ldap://stack.overflow.com';
$port = 389;
$username = 'stackOverflow';
$password = 'IaMP4ssWord';
$dn = 'CN=Users, DC=STACK, DC=OVERFLOW, DC=COM';
$cond = '(&(objectcategory=user)(displayname=*))';//All users that have a displayname

if($ldap = ldap_connect($host, $port))
{
    if(ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3))
    {
        if(ldap_bind($ldap, $username, $password))
        {
            $attrs = array('displayname', 'mail');
            if($rs = ldap_search($ldap, $dn, $cond, $attrs))
            {
                $results = ldap_get_entries($ldap, $rs);
                echo "<pre>";print_r($result);echo "</pre>";//Print the results
            }
        }
        else
        { echo 'Binding failed';}
    }
    else
    { echo 'Setting options failed';}
}
else
{ echo 'Connection failed'; }

现在此代码可以正常工作了.它打印出在AD中具有显示名称的每个用户. 问题在于用户名/密码绑定，我正在使用自己的用户凭证绑定到服务器.

Now this code works just fine. It print out every user that has a displayname in AD. Problem is for the username/password binding i am using my own user credential to bind to the server.

我想知道是否有一种使用服务器凭据进行绑定的方法.

I would like to know if there is a way to bind using the servers credentials.

我在装有IIS的服务器和具有AD的服务器(两个不同的VM)上，在Windows Server 2008 R2上使用PHP 5.3 + IIS进行设置.

I am setup using PHP 5.3 + IIS on windows server 2008 R2 for both the server with IIS and the one that has AD.(two different VM).

我也知道IIS有一个名为IISStackOverflow的AD帐户，但我不知道密码，即使它有密码...

I also know that IIS has a AD account named IISStackOverflow but I don't know the password or even if it has a password...

谢谢！

哦！我尝试将$username更改为IISStackOverflow，将$password更改为''

Oh! I tried changing $username to IISStackOverflow and $password to ''

但是它给出了无效的凭证错误.

But it gave invalid credential error.

-编辑-

我是否必须要做绑定部分? (如果我只读取数据)

Do I have to do the binding part at all? (If I am only reading data)

推荐答案

从服务器本身运行它时，只要阅读一下，我就会尝试使用:

As you run it from server itself, and you just want to read I would try to use :

...
if(ldap_bind($ldap))
...

根据 PHP文档，如果未指定bind_rdn和bind_password，尝试进行匿名绑定.

According to PHP documentation if bind_rdn and bind_password are not specified, an anonymous bind is attempted.

然后，如果您的匿名登录被拒绝(不应该这样，因为在服务器上的IIS下运行，您的代码至少是作为域用户执行的)，您将在其中找到

Then if your anonymous logon is refused (this should not be, because running under IIS on the server your code is at least executed as a domain user) you will find there how to enable anonymous LDAP binds to Windows Server. This used to work forme on W2K8, Inever test it on W2K12.

这篇关于PHP LDAP使用服务器的用户帐户绑定AD的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！