PHP LDAP:如何搜索用户是否在组中?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/13487127/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP LDAP: How to search if user is in group?
提问by beginner_
How can i check if a user is part of a group using php_ldap module?
如何使用 php_ldap 模块检查用户是否属于组的一部分?
I'm completely new to ldap and hence a bit confused...
我对 ldap 完全陌生,因此有点困惑......
With googling I've come up with this so far:
到目前为止,通过谷歌搜索,我想出了这个:
$ds=ldap_connect($ldapHost, $ldapPort);
if ($ds) {
$r=ldap_bind($ds, $ldapRdn, $ldapPassword);
$filter = "(sAMAccountName=" . $uid . ")";
$attr = array("memberof");
$result = ldap_search($ds, $ldapDN, $filter, $attr) or exit("Unable to search LDAP server");
I'm not sure if this is correct as it was taken form soemthign specific for AD. The problem seem to be $ldapDN. This is what i search for right? My groups "definition" is:
我不确定这是否正确,因为它是特定于 AD 的 soemthign。问题似乎是 $ldapDN。这就是我要找的吗?我的组“定义”是:
cn=User,ou=Profiles,ou=App_DEV,ou=ApplicationRights,O=MyCompany.COM
How can I do this check?
我怎样才能做这个检查?
EDIT:
编辑:
Here is my solution found with help of "Accepted Answer" and trial & error". I think the answer depends greatly on your specific system.
这是我在“接受的答案”和试错法的帮助下找到的解决方案。我认为答案在很大程度上取决于您的特定系统。
//This is the User group DN
$ldapDN = "cn=User,ou=Profiles,ou=App_DEV,ou=ApplicationRights,O=MyCompany.COM";
$filter = "(uniqueMember=uid=" . $uid . ",ou=Users,O=MYCOMPANY.COM)";
$attr = array('uniqueMember');
$result = ldap_search($ldapConnection, $ldapDN, $filter, $attr):
$entries = ldap_get_entries($ldapConnection, $result);
ldap_unbind($ldapConnection);
return intval($entries["count"]) > 0;
采纳答案by dearlbry
Membership information is usually stored in the group - in the form of the 'member' or 'memberUid' attribute. 'member' represents the full DN (distinguished name) of the member object, and would look something like 'uid=username,ou=users,dc=example,dc=com'. In the case of memberUid, the value would simply be 'username'.
成员信息通常存储在组中 - 以“member”或“memberUid”属性的形式。'member' 表示成员对象的完整 DN(专有名称),看起来类似于 'uid=username,ou=users,dc=example,dc=com'。在 memberUid 的情况下,值将只是“用户名”。
The way to figure out which is being used in your directory is to analyze a group using something like Apache Directory Studio.
确定您的目录中正在使用哪个的方法是使用Apache Directory Studio 之类的工具分析一个组。
In addition to the 'member' attribute, AD stores a memberOf attribute in the user'srecord which contains the DN of the group. But most directories don't do this, which is probably why your code isn't working.
除了“成员”属性之外,AD 还在用户记录中存储了一个 memberOf 属性,其中包含组的 DN。但是大多数目录不这样做,这可能是您的代码不起作用的原因。
What you're looking for is a filter like this:
您正在寻找的是这样的过滤器:
// & means "And" the next sibling items:
// so "find items that have the objectClass of group and a member whose DN is user_dn
(&(objectClass=group)(member=[user_dn]))
or
或者
(&(objectClass=group)(memberUid=[user_uid]))
So in your case
所以在你的情况下
$result = ldap_search(
$ds,
'dc=mycompany,dc=com', // The base from which to start your search. (could be an OU too, like 'ou=restricted,dc=mycompany,dc=com')
'(&(objectClass=group)(member=uid=tom,ou=users,dc=mycompany,dc=com))'
);
Or if your groups go by memberUid, you would change the filter to
或者,如果您的群组通过 memberUid,您可以将过滤器更改为
$filter = '(&(objectClass=group)(member=username))';
$result should then contain a list of group records that have 'username' as a member.
$result 然后应该包含一个以“用户名”为成员的组记录列表。
