如何使用LDAP和PHP检索FRA一个Active Directory安全组的用户信息 [英] How to retrieve user info fra a Active Directory Security Group using LDAP and PHP
问题描述
正如你可以看到下面我没有收到任何用户信息,当我做一个LDAP搜索到安全组。我想用$ _ SERVER [REMOTE_USER]检查,如果用户是该组的成员。我也想检索该用户的信息,并用它更新SQL数据库。这可能吗?
As you can see below I'm not getting any user info when I do a LDAP search to the security group. I want to use the $_SERVER[remote_user] to check if the user is a member of this group. I would also like to retrieve the info of this user and update the sql database with it. Is this possible?
$dn = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(member=*)";
$ad = ldap_connect("IP") or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
$bd = ldap_bind( $ad, "username@mydomain.local", "password") or die("Can't bind to server.");
$sr = ldap_search($ad,$dn,$filter);
$entries = ldap_get_entries($ad, $sr);
的print_r($项);返回这样的:
print_r($entries); returns this:
Array
(
[count] => 1
[0] => Array
(
[objectclass] => Array
(
[count] => 2
[0] => top
[1] => group
)
[0] => objectclass
[cn] => Array
(
[count] => 1
[0] => Intra
)
[1] => cn
[description] => Array
(
[count] => 1
[0] => Group for (LDAP) INTRANET server access
)
[2] => description
[member] => Array
(
[count] => 4
[0] => CN=Fname1 Lname1,OU=Mail enabled users,OU=Aberdeen,DC=mydomain,DC=local
[1] => CN=Fname2 Lname2,OU=Mail enabled users,OU=Forres,DC=mydomain,DC=local
[2] => CN=Fname3 Lname3,OU=Houston,DC=mydomain,DC=local
[3] => CN=Fname4 Lname4,OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local
)
[3] => member
[distinguishedname] => Array
(
[count] => 1
[0] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
[4] => distinguishedname
[instancetype] => Array
(
[count] => 1
[0] => 4
)
[5] => instancetype
[whencreated] => Array
(
[count] => 1
[0] => 20100711172407.0Z
)
[6] => whencreated
[whenchanged] => Array
(
[count] => 1
[0] => 20100712063949.0Z
)
[7] => whenchanged
[usncreated] => Array
(
[count] => 1
[0] => 17491499
)
[8] => usncreated
[usnchanged] => Array
(
[count] => 1
[0] => 17498823
)
[9] => usnchanged
[name] => Array
(
[count] => 1
[0] => Intra
)
[10] => name
[objectguid] => Array
(
[count] => 1
[0] =>
)
[11] => objectguid
[objectsid] => Array
(
[count] => 1
[0] =>
)
[12] => objectsid
[samaccountname] => Array
(
[count] => 1
[0] => Intra
)
[13] => samaccountname
[samaccounttype] => Array
(
[count] => 1
[0] => 268435456
)
[14] => samaccounttype
[grouptype] => Array
(
[count] => 1
[0] => -2147483646
)
[15] => grouptype
[objectcategory] => Array
(
[count] => 1
[0] => CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=local
)
[16] => objectcategory
[count] => 17
[dn] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
)
一切工作正常,当我用正常的DN:
Everything worked fine when I used the normal DN:
$ DN =OU =启用邮件的用户,OU =卑尔根,DC = MYDOMAIN,DC =本地;
$dn = "OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local";
但是,一个AD专家告诉我,这是一个很大的禁忌,我应该使用安全组来代替:\
But a AD expert told me this was a big NO-NO and that I should use Security Groups instead :\
推荐答案
查询AD是这样的:
$dn = "DC=mydomain,DC=local";
$group_DN = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(&(objectCategory=user)(memberOf=$group_DN))";
// ...
$sr = ldap_search($ad, $dn, $filter);
有一个看有关LDAP MSDN文章搜索过滤器语法以更复杂的过滤器信息。
Have a look at the MSDN article about the LDAP search filter syntax for info on more complex filters.
请务必注意特殊字符部分下的页面上。正确的解决方案必须通过 $ group_DN 通过逃逸机制,在过滤器字符串中使用它之前!
Be sure to pay attention to the Special Characters section down on that page. A correct solution must pass $group_DN through an escaping mechanism before using it in the filter string!
总是试图建立过滤器尽可能具体。这是更有效,让LDAP服务器理清你不想记录,而不必通过传输线路更多的记录,比你需要扔掉其中一半的客户端。
Always try build filters as specific as possible. It is more efficient to let the LDAP server sort out records you don't want, instead of having more records transferred over the wire than you need and throw away half of them on the client.
这篇关于如何使用LDAP和PHP检索FRA一个Active Directory安全组的用户信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
