PHP - ldap_search() 过滤器。如何搜索用户
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2927291/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP - ldap_search() filter. How to search for user
提问by horgen
$_SERVER['REMOTE_USER'] returns the username of the user logged in to an Active Directory. I want to retrive this users info by using ldap_search().
$_SERVER['REMOTE_USER'] 返回登录到 Active Directory 的用户的用户名。我想通过使用 ldap_search() 来检索此用户信息。
This is what I have now:
这就是我现在所拥有的:
$ad = // ldap_connection id
$filter = "(|(sn=$username*)(givenname=$username*))";
$attr = array("displayname", "mail", "mobile", "homephone", "telephonenumber", "streetaddress", "postalcode", "physicaldeliveryofficename", "l");
$dn = // OU, DC etc..
ldap_search($ad,$dn,$filter,$attr);
It works, but i'm not sure it will work if two users have almost the same names. How do I only search for their unique username so that i always only get one user?
它有效,但如果两个用户的名字几乎相同,我不确定它是否有效。我如何只搜索他们的唯一用户名,以便我始终只能获得一个用户?
回答by Stefan Gehrig
sAMAccountNameis the username-attribute used in Active Directory, so (&(objectClass=user)(sAMAccountName=%s))would be the correct filter to check the LDAP for a given username (with %sbeing replaced by the actual username naturally).
sAMAccountName是 Active Directory 中使用的用户名属性,因此(&(objectClass=user)(sAMAccountName=%s))是检查给定用户名的 LDAP 的正确过滤器(%s自然会被实际用户名替换)。
Please be aware that you need to handle special characters in $usernameto avoid malformed filters or at worst malicious LDAP injections (see RFC 2254):
请注意,您需要处理特殊字符$username以避免格式错误的过滤器或最坏的恶意 LDAP 注入(请参阅RFC 2254):
Any control characters with an ACII code < 32 as well as the characters with special meaning in LDAP filters "*", "(", ")", and "\" (the backslash) are converted into the representation of a backslash followed by two hex digits representing the hexadecimal value of the character.
ACII 代码 < 32 的任何控制字符以及 LDAP 过滤器中具有特殊含义的字符“*”、“(”、“)”和“\”(反斜杠)都将转换为反斜杠后跟的表示形式代表字符的十六进制值的两个十六进制数字。
回答by Serty Oan
ldap_search()will find all matching entries, you will have to verify the result.
Let's say $linkis your link to the LDAP database created with ldap_connect()ldap_get_entries($link, $result)
You can verify that like this :
ldap_search()将找到所有匹配的条目,您必须验证结果。假设$link您使用ldap_connect()ldap_get_entries($link, $result)创建的 LDAP 数据库链接您可以像这样验证:
$result = ldap_search();
if(ldap_count_entries($link, $result) === 1) {
...
}
or
或者
$result = ldap_search();
$entries = ldap_get_entries($link, $result);
if(sizeof($entries) === 1) {
...
}
回答by Steve Lloyd
ldap_search supports both and & and or |. If you want to search multiple attributes for the occurrence of your search string you can do it as follows. This will search for a person where your search string ($str) in in samaccountname or name or title.
ldap_search 支持 and & 和 or |。如果要搜索多个属性以查找搜索字符串的出现,您可以按如下方式进行。这将在 samaccountname 或姓名或职位中搜索您的搜索字符串 ($str) 所在的人。
$filter="(&(objectClass=user)(objectCategory=person)(|(sAMAccountName=*{$str}*)(name=*{$str}*)(title=*{$str}*)))";
$result=ldap_search($connection, $dn, $filter);
