LDAP issue, ldap_bind invalid dn syntax

Problem description

I know that my mistake is going to be something really simple but I have tried to find the problem and I do not see it, maybe you can help me....

I am trying to create a function with php, so I can be able to connect to LDAP and find the desired information.

My PHP code is the following:

$ldapconfig['host'] = "127.0.0.1";
$ldapconfig['port'] = NULL;
$ldapconfig['basedn'] = "dc=example,dc=com";
$ldapconfig['binddn'] = "user";
$ldapconfig['bindpw'] = "password";


function ldap_authenticate($user, $pass) {
    global $ldapconfig;
    ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
    if ($user != "" && $pass != "") {
        $ds = ldap_connect($ldapconfig['host'], $ldapconfig['port']);
        if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
            return NULL;
        }
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        // Bind with the configured account, then look the user up by sAMAccountName.
        ldap_bind($ds, $ldapconfig['binddn'], $ldapconfig['bindpw']);
        $r = ldap_search($ds, $ldapconfig['basedn'], 'sAMAccountName=' . $user);
        if ($r) {
            $result = ldap_get_entries($ds, $r);
            if ($result[0]) {
                // Re-bind as the entry that was found to check the supplied password.
                if (ldap_bind($ds, $result[0]['dn'], $pass)) {
                    return $result[0]['mail'][0];
                }
            }
        }
    }
    return NULL;
}

When I try to run the code it gives me the following mistake: ldap_bind invalid DN syntax on line xxxx and that line is the following:

ldap_bind( $ds, $ldapconfig['binddn'], $ldapconfig['bindpw']);

Recommended answer

As stated in the error, your bind DN is the wrong format. DNs represent the full path to the object - so in your case it should be something like this (looks like you're on AD?)

"cn=username,ou=domain users,dc=example,dc=com"

Depending on your flavor of LDAP (Active Directory, OpenLDAP etc), you might be able to use a uid (so just 'username') to bind, but it's best to assume that you always need the full DN.

You can use an LDAP tool like Apache Directory Studio to help build queries and find out what objects' DNs are. Or there's ldp.exe too (provided it's AD), but Directory Studio is easier to use.
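
An added example, not code from the question or the answer: the same search-then-bind flow with a full bind DN, a DN syntax check before binding, checked bind results and an escaped search filter. The function name, the ldap:// URI form and the service account DN (taken from the answer's sample value) are assumptions.

```php
<?php
// Added example: hardened variant of the search-then-bind flow.
// All values are placeholders; the bind DN uses the answer's sample form.
$cfg = [
    'uri'    => 'ldap://127.0.0.1',
    'basedn' => 'dc=example,dc=com',
    'binddn' => 'cn=username,ou=domain users,dc=example,dc=com',
    'bindpw' => 'password',
];

function ldap_authenticate_checked(array $cfg, string $user, string $pass): ?string
{
    // A bind with a DN and an empty password is an "unauthenticated bind"
    // that some servers accept, so reject empty input up front.
    if ($user === '' || $pass === '') {
        return null;
    }
    // A bare name such as "user" does not parse as a DN; catch it locally.
    if (ldap_explode_dn($cfg['binddn'], 0) === false) {
        error_log('configured bind DN is not a valid distinguished name');
        return null;
    }
    $ds = ldap_connect($cfg['uri']);
    if ($ds === false || !ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Stop if the service bind fails instead of searching anonymously.
    if (!@ldap_bind($ds, $cfg['binddn'], $cfg['bindpw'])) {
        error_log('service bind failed: ' . ldap_error($ds));
        return null;
    }
    // Escape filter metacharacters ( * ( ) \ NUL ) in the supplied user name.
    $filter = '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $r = ldap_search($ds, $cfg['basedn'], $filter, ['mail']);
    if ($r === false) {
        return null;
    }
    $entries = ldap_get_entries($ds, $r);
    // Require exactly one match so the password is tested against one entry.
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    // Verify the password by binding as the entry's own DN.
    if (!@ldap_bind($ds, $entries[0]['dn'], $pass)) {
        return null;
    }
    return $entries[0]['mail'][0] ?? null;
}
```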
