Authenticating users from a certain group ldap active directory


Problem description

I want only a (faculty) group of users to be able to access a certain web page on my website.

This page is only meant to be seen by faculty.

Within Active Directory, we have a group called "faculty".

Here is a snippet of code I have to authenticate users via LDAP/Active Directory, but I want to only authenticate users that are within the faculty group.

$ldap = ldap_connect("ldap.domain.com");
if($bind = ldap_bind($ldap, $_POST['username'], $_POST['password'])) {
  // log them in!
} else {
  // error message
}

Solution

AD stores the Member list on Groups, not the Group Membership on users, so you would have to retrieve the cn=faculty,ou=whatever,dc=acme,dc=com object's Member list, and see if this user is listed. If they are, then let them try to bind, and if it succeeds, continue.

I would test for the group membership before testing the bind, since a bind is usually more expensive than a query.
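
The order described in the answer (membership check first, then the password bind), as an added PHP example that is not the original poster's or the answerer's code. It assumes LDAPS on the question's host, a base DN of `dc=acme,dc=com`, a read-only service account supplied through the hypothetical environment variables `LDAP_SVC_DN` and `LDAP_SVC_PASSWORD`, and it lets the server compare the user's DN against the group's `member` attribute instead of downloading the whole list.

```php
<?php
// Added example, not code from the original page. Host and group DN are the
// page's placeholders; LDAPS, BASE_DN and the service account are assumptions.
const LDAP_URI = 'ldaps://ldap.domain.com';
const BASE_DN  = 'dc=acme,dc=com';
const GROUP_DN = 'cn=faculty,ou=whatever,dc=acme,dc=com';

function facultyLogin(string $username, string $password): bool
{
    // An empty password makes a simple bind "unauthenticated", which a server
    // can report as success, so refuse it before talking to LDAP at all.
    $svcDn = getenv('LDAP_SVC_DN');
    $svcPw = getenv('LDAP_SVC_PASSWORD');
    if ($username === '' || $password === '' || !$svcDn || !$svcPw) {
        return false;
    }
    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return false;
    }
    try {
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
        if (!@ldap_bind($ldap, $svcDn, $svcPw)) {
            return false;
        }
        // 1. Resolve the login name to a DN; ldap_escape() blocks filter injection.
        $filter = '(&(objectCategory=person)(sAMAccountName='
                . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
        $res = ldap_search($ldap, BASE_DN, $filter, ['cn']);
        if ($res === false || ldap_count_entries($ldap, $res) !== 1) {
            return false;
        }
        $userDn = ldap_get_dn($ldap, ldap_first_entry($ldap, $res));
        // 2. Ask the group object whether its member list contains that DN
        //    (direct membership only; nested groups are not followed).
        $isMember = '(member=' . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . ')';
        $grp = ldap_read($ldap, GROUP_DN, $isMember, ['cn']);
        if ($grp === false || ldap_count_entries($ldap, $grp) !== 1) {
            return false;
        }
        // 3. Only now test the password by binding as the user.
        return @ldap_bind($ldap, $userDn, $password);
    } finally {
        ldap_unbind($ldap);
    }
}
```

The function returns the same `false` for an unknown user, a non-member and a wrong password, so the login form does not reveal which check failed.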
