Active Directory Lookup via PHP


Question

How can you do an Active Directory lookup via PHP? Without needing to recompile PHP. PHP version is 5.3

I want to find a person's display name from their user name. Web server is IIS 6 and PHP is served using FastCGI.

I get the user name:

$cred = explode('\\',$_SERVER['REMOTE_USER']);
if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)");
list($domain, $user) = $cred;
return $user;

So how can I then find the name? e.g. DoeJ = John Doe

Edit:

Trying to lookup user, but not sure how to find the "base DN". Don't have direct access to the Active Directory server or have admin rights, so connecting anonymously.

<?php

//using ldap bind anonymously

// connect to ldap server
$ldapconn = ldap_connect("example.co.uk")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding anonymously
    $ldapbind = ldap_bind($ldapconn);

    if ($ldapbind) {
        echo "LDAP bind anonymous successful...";

        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION,3);
        ldap_set_option($ldapconn, LDAP_OPT_REFERRALS,0);

        $dn = "CN=Users"; // also tried DC=example,DC=co,DC=uk
        $filter="(SAMAccountName=username)";
        $justthese = array("ou", "sn", "givenname", "mail");

        $sr=ldap_search($ldapconn, $dn, $filter, $justthese);

        $info = ldap_get_entries($ldapconn, $sr);

        echo $info["count"]." entries returned\n";

    } else {
        echo "LDAP bind anonymous failed...";
    }
}
?>

Fails on the ldap_search: Warning: ldap_search() [function.ldap-search]: Search: Operations error

Recommended answer

OK - first of all, you need the ext/ldap to communicate with your Active Directory server via the LDAP interface. Obviously this requirement is met with your PHP installation (otherwise you'd get errors about undefined functions).

The question now is: what Windows server are you coding against? From Windows Server 2003 onwards anonymous binds are disabled by default, which means that you cannot search the Active Directory tree without authenticating with an existing and authorized user first. (To enable anonymous binds please see here - but as you don't have any admin rights, you won't be able to change this)

The second problem is your base DN, which is the location within your LDAP tree from which a search operation will be executed. The normal base DN for the users' container should be CN=Users,DC=yourdomain,DC=yourtopleveldomain, which is for example CN=Users,DC=example,DC=local.

The filter you're using is correct actually: (SAMAccountName=username) will find the account entry for user username. To use your username variable you can do:

$filter = sprintf('(SAMAccountName=%s)', $user);

The general code flow, though, seems to be correct, too.

To summarize: you'll have to check first if your Active Directory allows anonymous binds and then you'll have to adjust your search's base DN. If no anonymous binds are allowed you'll have to use a user that is authorized to bind to the Active Directory.
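The authenticated lookup the answer describes, as an added example that is not part of the original question or answer. The host, base DN, service account, the `LDAP_BIND_PW` environment variable and the helper names `ldap_filter_escape` and `lookup_display_name` are assumptions; the StartTLS step assumes the domain controller has a certificate installed. The user name is escaped before it goes into the filter because `REMOTE_USER` is still external input.

```php
<?php
// Added example: host, base DN and service account are placeholders.
// PHP 5.3 has no ldap_escape() (added in PHP 5.6), so escape by hand.
function ldap_filter_escape($value)
{
    // RFC 4515: escape the backslash first, then * ( ) and NUL.
    return str_replace(
        array('\\', '*', '(', ')', "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

function lookup_display_name($user)
{
    $host   = 'ldap://dc.example.co.uk';          // placeholder
    $baseDn = 'CN=Users,DC=example,DC=co,DC=uk';  // placeholder
    $bindDn = 'svc-lookup@example.co.uk';         // placeholder read-only account
    $bindPw = getenv('LDAP_BIND_PW');             // keep the password out of source
    // An empty password would turn the bind into an anonymous one.
    if ($bindPw === false || $bindPw === '') {
        return null;
    }
    $conn = ldap_connect($host);
    if (!$conn) {
        return null;
    }
    // Set protocol options before binding.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Encrypt the session before sending credentials; stop if either step fails.
    if (!@ldap_start_tls($conn) || !@ldap_bind($conn, $bindDn, $bindPw)) {
        error_log('LDAP setup failed: ' . ldap_error($conn));
        return null;
    }
    $filter = sprintf('(sAMAccountName=%s)', ldap_filter_escape($user));
    $sr = ldap_search($conn, $baseDn, $filter, array('displayname'));
    $name = null;
    if ($sr) {
        $info = ldap_get_entries($conn, $sr);
        // ldap_get_entries() lowercases attribute names.
        if ($info['count'] === 1 && isset($info[0]['displayname'][0])) {
            $name = $info[0]['displayname'][0];
        }
    }
    ldap_unbind($conn);
    return $name;
}

// Constructed input: a login name containing filter metacharacters.
echo ldap_filter_escape('DoeJ)(objectClass=*'), "\n";
```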
