How to filter users in LDAP PHP

Question

I am using LDAP to log in to the system. Currently, I can log in to the system using an AD account. The problem is, my system has two types of user (Admin can read and write, while the other one is Normal User, which can only read). How to filter between these two users so that when an Admin logs in, they will be brought to their HomeScreen.php and a Normal User will be brought to HomeScreen2.php.

This is the coding for LDAP I've made so far (it does not include the login form):

<?php
set_time_limit(30);
error_reporting(E_ALL);
ini_set('display_errors', 1);

// config
$ldapserver = "server.name";
$ldapport   = 389;
$base_dn    = "DC=xyz,DC=local";
$ldapuser   = isset($_POST['username']) ? $_POST['username'] : '';
$ldappass   = isset($_POST['password']) ? $_POST['password'] : '';
$ldaptree   = "CN=ITInfra,OU=Groups,OU=MYABC,DC=xyz,DC=local";
$domain     = '@abcd.local';

// An empty password makes ldap_bind() perform an anonymous bind, which Active
// Directory accepts, so empty credentials must be rejected before binding.
if ($ldapuser === '' || $ldappass === '') {
    die("<b><center><font color='red'>Please enter username & password</font></center></b>");
}

// connect (URI form; passing host and port separately is deprecated in PHP 8.3)
$ldapconn = ldap_connect("ldap://$ldapserver:$ldapport")
    or die("Could not connect to LDAP server.");

// Set some ldap options for talking to Active Directory
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

if ($ldapconn) {

    // binding to ldap server with the user's own credentials (UPN form: user@abcd.local).
    // No "or die" here, otherwise the else branch below could never run.
    $ldapbind = @ldap_bind($ldapconn, $ldapuser . $domain, $ldappass);

    // verify binding
    if ($ldapbind) {
        $result = @ldap_search($ldapconn, $ldaptree, "(ou=*)")
            or die("<b><center><font color='red'>LDAP search failed: " . ldap_error($ldapconn) . "</font></center></b>");

        // header() only works if nothing has been sent to the browser yet, so
        // the "Congratulations" message cannot be echoed before the redirect;
        // show it on HomeScreen.php instead.
        ldap_close($ldapconn);
        header('Location: HomeScreen.php');
        exit;

    } else {
        echo "<b><center><font color='red'>WARNING!<br>The username or password you entered is incorrect</font></center></b>\n";
    }

}

// all done? clean up
ldap_close($ldapconn);

Answer

When the client successfully BINDs, the server has indicated to the client that the username and its associated password are correct - the server is able to verify that the password matches what was supplied in the BIND request. That is all that happens. If the BIND is unsuccessful, then the username and/or password is not correct. There is no distinction between LDAP objects at this point.

What is needed is a way for the client to determine what type username is. There are at least two reasonable ways to do this:

  • The LDAP object has an attribute indicating which type of user it is.
  • The LDAP object is a member of a group (in this case, admin or normal).

The group method is more flexible than the attribute method, since new "normal" users or new "admin" users can simply be added to the appropriate group.

For example, an admin group:

cn=admin users,ou=groups,o=example.com
objectClass: groupOfNames
member: cn=admin user 1,ou=groups,o=example.com
member: cn=admin user 2,ou=groups,o=example.com

Or a normal users group:

cn=normal users,ou=people,o=example.com
objectClass: groupOfNames
member: cn=normal user 1,ou=groups,o=example.com
member: cn=normal user 2,ou=groups,o=example.com
member: cn=normal user 3,ou=groups,o=example.com

The client can determine to which group the username belongs by searching using the appropriate search request parameters. If the username belongs to an admin group, then display homescreen.php, else homescreen2.php.

These are two possibilities. There may be other ways, depending on your setup and the type of server (although LDAP clients must never be written as if they know what type of server they are connected to).

  • LDAP: Mastering Search Filters
  • LDAP: Search best practices
  • LDAP: Programming practices
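
A worked version of the group approach described in the answer, added here as an example; it is not part of the original answer or of the questioner's code. It assumes an Active Directory style directory (users located by sAMAccountName, groups carrying a member attribute, UPN logins of the form user@abcd.local); the server URI, base DNs and the two group DNs are placeholders. The username is only ever placed in a filter after ldap_escape(), so a value like "*)(sAMAccountName=*" cannot rewrite the filter, and an empty password is rejected before binding because an empty password makes ldap_bind() perform an anonymous bind.

```php
<?php
// Added example (not the page's code). All names below are assumed placeholders.
const LDAP_URI     = 'ldap://server.name:389';
const UPN_SUFFIX   = '@abcd.local';
const USERS_BASE   = 'DC=xyz,DC=local';
const GROUPS_BASE  = 'OU=Groups,OU=MYABC,DC=xyz,DC=local';
const ADMIN_GROUP  = 'CN=Admin Users,OU=Groups,OU=MYABC,DC=xyz,DC=local';
const NORMAL_GROUP = 'CN=Normal Users,OU=Groups,OU=MYABC,DC=xyz,DC=local';

/**
 * Map the group DNs a user belongs to onto a landing page. DNs compare
 * case-insensitively; admin wins if the user is in both groups. null means
 * "authenticated but in neither group", which callers must treat as no access.
 */
function landingPageForGroups(array $groupDns): ?string
{
    $lower = array_map('strtolower', $groupDns);
    if (in_array(strtolower(ADMIN_GROUP), $lower, true)) {
        return 'HomeScreen.php';
    }
    if (in_array(strtolower(NORMAL_GROUP), $lower, true)) {
        return 'HomeScreen2.php';
    }
    return null;
}

/** Return the DN of the single user entry for this account name, or null. */
function findUserDn($conn, string $account): ?string
{
    // ldap_escape() neutralises ( ) * \ and NUL, preventing filter injection.
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($account, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($conn, USERS_BASE, $filter, ['dn'], 0, 2);
    if ($res === false) {
        return null;
    }
    $entries = ldap_get_entries($conn, $res);
    return $entries['count'] === 1 ? $entries[0]['dn'] : null;
}

/**
 * Return the DNs of all groups under GROUPS_BASE listing $userDn as a member.
 * Searching groups for (member=<userDN>) works on any server whose groups carry
 * a "member" attribute (AD "group", RFC 4519 groupOfNames), so the client does
 * not depend on the AD-specific memberOf attribute.
 */
function groupsContaining($conn, string $userDn): array
{
    $filter = sprintf('(member=%s)', ldap_escape($userDn, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($conn, GROUPS_BASE, $filter, ['dn']);
    if ($res === false) {
        return [];
    }
    $entries = ldap_get_entries($conn, $res);
    $groups = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $groups[] = $entries[$i]['dn'];
    }
    return $groups;
}

/** BIND with the user's own credentials, then pick the landing page (null = deny). */
function loginAndRoute(string $username, string $password): ?string
{
    // Empty password => anonymous bind, which AD accepts, so refuse it here.
    // Restrict the username to a plain account name so the UPN is well-formed.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Credentials travel in clear text over ldap://, so upgrade to TLS first
    // (or use an ldaps:// URI) and give up if the server refuses.
    if (!ldap_start_tls($conn) || !@ldap_bind($conn, $username . UPN_SUFFIX, $password)) {
        ldap_close($conn);
        return null;
    }
    $userDn = findUserDn($conn, $username);
    $page   = $userDn === null ? null : landingPageForGroups(groupsContaining($conn, $userDn));
    ldap_close($conn);
    return $page;
}

// Offline check of the routing rule with constructed group lists (no server needed).
if (PHP_SAPI === 'cli') {
    var_dump(landingPageForGroups(['CN=Admin Users,OU=Groups,OU=MYABC,DC=xyz,DC=local']) === 'HomeScreen.php');
    var_dump(landingPageForGroups(['cn=normal users,ou=groups,ou=myabc,dc=xyz,dc=local']) === 'HomeScreen2.php');
    var_dump(landingPageForGroups(['CN=ITInfra,OU=Groups,OU=MYABC,DC=xyz,DC=local']) === null);
}
```

In the login handler, call `$page = loginAndRoute($_POST['username'] ?? '', $_POST['password'] ?? '');` and only issue `header('Location: ' . $page); exit;` when `$page` is not null; a null result gets a single generic "login failed" message, whether the cause was a wrong password, an unknown account or membership in neither group, so the response does not reveal which. Two caveats: `(member=<userDN>)` only finds direct membership, so nested groups (and, in AD, the user's primary group) are not seen, and resolving those needs server-specific features the answer advises against relying on; and the search runs with the user's own bind, so if ordinary users cannot read group membership in your directory, perform the two lookups with a dedicated read-only service account after the user's BIND has succeeded.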
