Using LDAP functions to get Active Directory tokenGroups attribute in PHP


Question

Greetings,


I already have a working connection to the AD and can search and retrieve information from it. I've even developed a recursive method by which one can retrieve all groups for a given user. However, I'd like to avoid the recursion if possible. One way to do this is to get the tokenGroups attribute from the AD for the user, which should be a list of the SIDs for the groups that the specified user has membership, whether that membership be direct or indirect.


When I run a search for a user's AD information, though, the tokenGroups attribute isn't even in it. I tried specifically requesting that information (i.e., specifying it using the fourth parameter to ldap_search) but that didn't work, either.

Thanks, 大卫·基斯

Answer


Solved my own problem and thought I'd put the answer here so that others might find it. The issue was using the ldap_search() function. The answer was to use the ldap_read() function instead of ldap_search(). The difference is the scope of the request. The search function uses a scope of "sub" (i.e., subtree) while the read function uses "base." The tokenGroups information can only be found when using a scope of "base" so using the correct PHP function was the key.


As I mentioned above, I was working from someone else code in perl to create my solution and the perl script used a function named "search" to do it's LDAP requests which lead me down wrong path.


Thanks to those who took a peek at the question!

-


As per the requests in the comments, here's the basics of the solution in code. I'm extracting from an object that I use so this might not be 100% but it'll be close. Also, variables not declared in this snipped (e.g. $server, $user, $password) are for you to figure out; I won't know your AD credentials anyway!

$ldap = ldap_connect($server);
ldap_bind($ldap, $user, $password);
// ldap_read() uses base scope: it reads the single object at $dn, which is where tokenGroups is exposed
$tokengroups = ldap_read($ldap, $dn, "CN=*", array("tokengroups"));
$tokengroups = ldap_get_entries($ldap, $tokengroups);


At this point, $tokengroups is our results as an array. it should have count index as well as some other information. To extract the actual groups, you'll need to do something like this:

$groups = array();
if($tokengroups["count"] > 0) {
    $groups = $tokengroups[0]["tokengroups"];
    unset($groups["count"]);

    // if you want the SID's for your groups, you can stop here.
    // if you want to decode the SID's then you can do something like this.
    // the sid_decode() here: http://www.php.net/manual/en/function.unpack.php#72591

    foreach($groups as $i => &$sid) {
        $sid = sid_decode($sid);

        $sid_dn = ldap_read($ldap, "<SID=$sid>", "CN=*", array("dn"));
        if($sid_dn !== false) {
            $group = ldap_get_entries($ldap, $sid_dn);
            $group = $group["count"] == 1 ? $group[0]["dn"] : NULL;
            $groups[$i] = $group;
        }
    }
}


That's the basics. There's one caveat: you'll probably need to work with the individual or individuals who manage AD accounts at your organization. The first time I tried to get this running (a few years ago, so my memory is somewhat fuzzy) the account that I was given did not have the appropriate authorization to access the tokenGroups information. I'm sure there are other ways to do this, but because I was porting someone else's code for this specific solution, this was how I did it.
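As an added, self-contained illustration of the answer above (not the answerer's own code), the following PHP does the base-scope ldap_read() for tokenGroups, decodes the binary SIDs into their textual S-1-5-... form in place of the external sid_decode() the answer links to, and resolves each SID to a group DN. $server, $bindDn, $password and $userDn are assumed placeholders you must supply.

```php
<?php
// Added example (not the answer's own code). $server, $bindDn, $password and
// $userDn are placeholders that you must supply for your directory.

// Convert a binary SID as stored by AD into its textual "S-1-5-21-..." form.
function sid_to_string(string $bin): string {
    if (strlen($bin) < 8 || strlen($bin) !== 8 + 4 * ord($bin[1])) {
        throw new InvalidArgumentException('malformed SID');
    }
    $rev = ord($bin[0]);
    $count = ord($bin[1]);
    $auth = 0;                       // 48-bit identifier authority, big-endian
    for ($i = 2; $i < 8; $i++) {
        $auth = ($auth << 8) | ord($bin[$i]);
    }
    // sub-authorities are little-endian unsigned 32-bit integers
    $subs = $count ? array_values(unpack("V$count", substr($bin, 8))) : [];
    return "S-$rev-$auth" . ($subs ? '-' . implode('-', $subs) : '');
}

// Return [sid => groupDn|null] for every group the user belongs to, directly or
// through nesting. Base scope is essential: ldap_read() reads exactly the one
// object named by $userDn, which is where AD computes tokenGroups.
function token_groups_for_user($ldap, string $userDn): array {
    $res = ldap_read($ldap, $userDn, '(objectClass=*)', ['tokenGroups']);
    if ($res === false) {
        throw new RuntimeException('ldap_read failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $res); // attribute keys come back lower-cased
    if ($entries['count'] !== 1 || !isset($entries[0]['tokengroups'])) {
        return []; // object not found, or the bind account may not read tokenGroups
    }
    $sids = $entries[0]['tokengroups'];
    unset($sids['count']);
    $groups = [];
    foreach ($sids as $bin) {
        $sid = sid_to_string($bin);
        // Resolve the SID to the group's DN with AD's <SID=...> extended DN syntax.
        $r = ldap_read($ldap, "<SID=$sid>", '(objectClass=*)', ['dn']);
        $e = $r !== false ? ldap_get_entries($ldap, $r) : ['count' => 0];
        $groups[$sid] = $e['count'] === 1 ? $e[0]['dn'] : null;
    }
    return $groups;
}

$ldap = ldap_connect($server);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD returns referrals; chasing them breaks reads
ldap_bind($ldap, $bindDn, $password);
print_r(token_groups_for_user($ldap, $userDn));
```

An empty result with a valid $userDn usually means the bind account lacks read permission on tokenGroups, which matches the caveat in the answer.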
