How do I disallow anonymous ldap login?
Problem description
I have the following:
class LDAPConnection {
    private $ldapServers = array(
        "ldap://serv1", "ldap://serv2"
    );
    private $ldapUsername = "DOMAIN\\%s";

    function login($username, $password) {
        $user = sprintf($this->ldapUsername, $username);
        // Make sure password is not empty (http://stackoverflow.com/a/172042/561731)
        if(!empty($password)) {
            foreach($this->ldapServers as $server) {
                try {
                    $ldap = \ldap_connect($server);
                    \ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
                    if($bind = \ldap_bind($ldap, $user, $password)) {
                        // log them in
                        return true;
                    }
                }
                catch(\ErrorException $e) {
                    // do nothing
                }
            }
        }
        return false;
    }
}
As you can see, I first make sure that the $password is not empty, then I attempt the ldap connection, because if I do not do that, then ldap assumes that I want to do an anonymous connection and returns true.
How do I prevent that? Is my only option like I did above and I have to check to make sure that the password isn't empty? Or is there a better way?
Recommended answer
Disabling anonymous login shouldn't be done at your application layer. It should be done at the actual LDAP server itself.
Prohibiting anonymous login at your application layer to me seems like a band-aid because anyone can always use any LDAP client to log into your LDAP server if anonymous login is enabled on the server itself.
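A login check that does not depend on how the server is configured, as an added example that is not part of the original question or answer: RFC 4513 defines a simple bind with an empty password as an anonymous or unauthenticated bind, so the code refuses those before connecting and then confirms the bound identity with the "Who am I?" operation. It assumes PHP 7.2+ with the ldap extension and a server that supports "Who am I?" (RFC 4532); `simpleBindKind` and `ldapLogin` are hypothetical names.

```php
<?php
// Added example, not from the original post. Server and account names are constructed.

/** Classify a simple bind the way RFC 4513 section 5.1 does, before anything is sent. */
function simpleBindKind(string $name, string $password): string
{
    if ($password === '') {
        // Empty password: the server sees an anonymous or unauthenticated bind
        // and may answer "success" without checking any credential.
        return $name === '' ? 'anonymous' : 'unauthenticated';
    }
    if ($name === '') {
        return 'invalid'; // a password without a name is not a usable login
    }
    return 'name/password';
}

function ldapLogin(string $uri, string $name, string $password): bool
{
    // Only a real name/password bind may count as a login attempt.
    if (simpleBindKind($name, $password) !== 'name/password') {
        return false;
    }
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    try {
        if (!@ldap_bind($ldap, $name, $password)) {
            return false;
        }
        // Assumption: the server supports "Who am I?" (RFC 4532). An anonymous
        // session has an empty authorization identity; an unsupported operation
        // returns false, so the login fails closed.
        $authzId = @ldap_exop_whoami($ldap);
        return is_string($authzId) && $authzId !== '';
    } finally {
        ldap_unbind($ldap);
    }
}

// Constructed inputs: both are refused before any connection is opened.
var_dump(ldapLogin('ldap://serv1', 'DOMAIN\\alice', ''));
var_dump(ldapLogin('ldap://serv1', '', ''));
```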