How do I disallow anonymous ldap login?


Question

I have the following:

class LDAPConnection {

    private $ldapServers = array(
        "ldap://serv1", "ldap://serv2"
    );
    private $ldapUsername = "DOMAIN\\%s";

    function login($username, $password)    {
        $user = sprintf($this->ldapUsername, $username);
        // Make sure password is not empty (http://stackoverflow.com/a/172042/561731)
        if(!empty($password))   {
            foreach($this->ldapServers as $server)  {
                try {
                    $ldap = \ldap_connect($server);
                    \ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
                    if($bind = \ldap_bind($ldap, $user, $password))  {
                        // log them in
                        return true;
                    }
                }
                catch(\ErrorException $e)   {
                    // do nothing
                }
            }
        }
        return false;
    }
}

As you can see I first make sure that the $password is not empty then I attempt the ldap connection, because if I do not do that, then ldap assumes that I want to do an anonymous connection and returns true.

How do I prevent that? Is my only option like I did above and I have to check to make sure that the password isn't empty? Or is there a better way?

Recommended answer

Disabling anonymous login shouldn't be done at your application layer. It should be done at the actual LDAP server itself.

Prohibiting anonymous login at your application layer to me seems like a band-aid because anyone can always use any LDAP client to log into your LDAP server if anonymous login is enabled on the server itself.
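
The behaviour described in the question, as an added example that is not part of the original question or answer: a client-side guard that refuses any bind the server could treat as anonymous and then confirms the bound identity. The function names `classifyBind` and `safeBind` are hypothetical, and the identity check assumes the server supports the "Who am I?" extended operation (RFC 4532); it complements disabling anonymous binds on the server and does not replace it.

```php
<?php
// Added example; classifyBind() and safeBind() are hypothetical names.

// Classify a simple bind the way RFC 4513 section 5.1 does:
//   empty name, empty password      -> anonymous
//   non-empty name, empty password  -> unauthenticated (server may answer success)
//   non-empty name and password     -> authenticated attempt
function classifyBind(string $name, string $password): string
{
    // Strict comparison on purpose: empty("0") is true in PHP, so empty()
    // would reject the legitimate password "0".
    if ($password === '') {
        return $name === '' ? 'anonymous' : 'unauthenticated';
    }
    return $name === '' ? 'invalid' : 'authenticated';
}

function safeBind(string $server, string $name, string $password): bool
{
    if (classifyBind($name, $password) !== 'authenticated') {
        return false; // never send a bind the server could treat as anonymous
    }
    $ldap = ldap_connect($server);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // ldap_bind() raises a warning on bad credentials; the return value decides.
    if (!@ldap_bind($ldap, $name, $password)) {
        ldap_unbind($ldap);
        return false;
    }
    // Assumption: the server supports "Who am I?" (RFC 4532). An anonymous
    // authorization state comes back as an empty string, so it is rejected.
    $authzId = @ldap_exop_whoami($ldap);
    ldap_unbind($ldap);
    return is_string($authzId) && $authzId !== '';
}

// Constructed sample inputs; only the classification runs without a server.
$samples = [['', ''], ['DOMAIN\\alice', ''], ['DOMAIN\\alice', '0'], ['DOMAIN\\alice', 's3cret']];
foreach ($samples as [$name, $password]) {
    printf("%-16s %-9s => %s\n", var_export($name, true), var_export($password, true),
        classifyBind($name, $password));
}
```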
