LDAP DN搜索成员 [英] LDAP DN search memberof
问题描述
当前,我正在尝试确定用户是否应该能够使用LDAP登录.我已经阅读了许多用PHP编写的LDAP连接,到目前为止,一切都进展顺利,直到我想搜索用户是否属于某个组为止.
Currently I'm trying to determine if a user should be able to login using LDAP. I've read up on many LDAP connections written in PHP and so far things were on track until I wanted to search if a user was part of a certain group.
我当前必须连接到LDAP服务器的详细信息:
- DN:CN = PAY LDAP用户,OU =付费,OU =应用程序,OU = IT 特价,DC = domain,DC = be
- SAM:管理员
- 密码:密码
- 搜索DN ADM:OU = OU GROUP,OU = AD,DC = domain,DC = be
- LDAP/GC服务器:knt-adm-dc1.domain.be,knt-adm-dc2.domain.be
- DN: CN=PAY LDAP user,OU=pay,OU=Applications,OU=IT Specials,DC=domain,DC=be
- SAM: admin
- PWD: password
- Search DN ADM: OU=OU GROUP,OU=AD,DC=domain,DC=be
- LDAP / GC server: knt-adm-dc1.domain.be, knt-adm-dc2.domain.be
此代码虽然没有返回任何结果:
This code though doesn't return me any results:
if($bind = ldap_bind($ldap, $username, $password)) {
$filter = "(samaccountname=".$user.")";
$attr = array("memberof");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldap, $result);
ldap_unbind($ldap);
}
当我从搜索中删除$ attr时,虽然没有找到确定此用户是否属于ADMIN组的方法,但我确实得到了结果.
When I leave out the $attr from the search I do get a result though I can't seem to find a way to determine of this user is part of the ADMIN group.
从我可以在线阅读的内容来看,应该使用memberof属性来确定用户是否属于组.
From what I could read online the memberof attribute should be used to find if a user is part of a group though.
推荐答案
几件事:
- 如果用户不是任何组的成员,则
memberOf
属性将不存在. - 建筑物组未显示在
memberOf
属性中.
- If a user is not a member of any groups, the
memberOf
attribute will not exist. - Builtin groups do not show up in the
memberOf
attribute.
一种更可靠的方法是使用有点模糊的LDAP过滤器为用户搜索您的组以及任何嵌套的组:LDAP_MATCHING_RULE_IN_CHAIN规则.详细信息此处.
A more failure-proof method is to use a somewhat obscure LDAP filter to search your group, and any nested groups, for a user: the LDAP_MATCHING_RULE_IN_CHAIN rule. Details here.
在PHP中,它看起来像这样(未经测试):
In PHP, it would look something like this (untested):
$filter = "(member:1.2.840.113556.1.4.1941:=".$user_distinguished_name.")";
$ldap_dn = "LDAP://".$group_distinguished_name;
$attr = array("cn");
$result = ldap_list($ldap, $ldap_dn, $filter, $attr);
其中$user_distinguished_name
是用户的专有名称,$group_distinguished_name
是组的DN.您可能需要事先获得这些.
Where $user_distinguished_name
is the distinguished name of the user, and $group_distinguished_name
is the DN of the group. You may have to get those beforehand.
请注意,我将 ldap_list 而不是 ldap_search .两者之间的唯一区别是搜索范围.我认为ldap_search可能仍然有效,但这不是必需的.
Note I'm put ldap_list instead of ldap_search. The only difference between the two is the scope of the search. I think ldap_search might still work, but it's not needed.
这篇关于LDAP DN搜索成员的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!