php - How to get the password of an Active Directory user via LDAP in PHP?

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must comply with the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow. Original: http://stackoverflow.com/questions/4942848/

Time: 2020-08-25 16:18:51  Source: igfitidea

How to get password of active directory by ldap in php?

Tags: php, passwords, ldap, get

Asked by trankinhly

I have a problem with passwords in Active Directory. I want to get the password from the "username" of a user. I tried the function "ldap_search", but I cannot find the correct attribute for the password. I tried: password, userpassword, userPassword, unicodePwd, unicodepwd, but they are not correct.

I look forward to everyone's help. Thanks, all :D trankinhly

Answered by geoffc

Passwords in Active Directory are not retrievable, nor are they in most directories. (eDirectory has a password policy such that, if you bind as the specified user, you can retrieve passwords via LDAP extensions.)

Some directories might let you recover the hashed versions, but that is not that great either.

To be cross-platform, it is better to try to bind with the values provided and either succeed or fail. Additionally, LDAP says a bind with a blank password is actually an anonymous bind, which will probably succeed, so you need to filter for that case.

Once bound as the user, you could look at their group memberships (since usually they can see their own) or look at some other attribute which, if they can read it, means they have some level of rights (i.e. implement authorization as well as authentication).
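The bind-based approach described in the answer above, written out in PHP as an added example (this is not code from the original question or answers). It authenticates by binding as the user, rejects the blank-password case up front so an unauthenticated bind can never count as success, and then reads the user's own memberOf for authorization. The server URI, base DN, UPN suffix and group DN are assumptions for illustration; replace them with your own.

```php
<?php
// Added example: authenticate against Active Directory with an LDAP bind,
// then authorize from the user's own memberOf. Constants below are assumed
// placeholder values, not taken from the original page.
declare(strict_types=1);

const AD_URI         = 'ldaps://dc01.example.com';                       // assumed DC; use LDAPS (or StartTLS)
const AD_BASE_DN     = 'DC=example,DC=com';                               // assumed search base
const AD_UPN_SUFFIX  = 'example.com';                                     // assumed UPN suffix
const REQUIRED_GROUP = 'CN=App-Users,OU=Groups,DC=example,DC=com';        // assumed group DN

/**
 * Bind as the user. Returns the DNs of the groups the user is a direct
 * member of on success, or null when authentication fails.
 */
function adAuthenticate(string $username, string $password): ?array
{
    // A bind with an empty password is an anonymous/unauthenticated bind,
    // which AD accepts by default. Reject it before touching the server.
    if ($username === '' || $password === '') {
        return null;
    }
    // Accept only sAMAccountName-style names so the bind identity cannot be
    // rewritten by characters such as '@', ',' or '='.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }

    $ds = ldap_connect(AD_URI);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise break searches

    // Authentication: the bind either succeeds or fails; no password is ever read.
    $bound = @ldap_bind($ds, $username . '@' . AD_UPN_SUFFIX, $password);
    if ($bound === false) {
        ldap_unbind($ds);
        return null;
    }

    // Authorization: read the user's own memberOf. The filter value is escaped
    // so the username cannot inject LDAP filter syntax.
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $sr = ldap_search($ds, AD_BASE_DN, $filter, ['memberOf']);
    if ($sr === false) {
        ldap_unbind($ds);
        return null;
    }
    $entries = ldap_get_entries($ds, $sr);
    ldap_unbind($ds);

    if ($entries['count'] !== 1) {
        return null; // no such account, or ambiguous result
    }
    $groups = [];
    if (isset($entries[0]['memberof'])) {          // attribute keys are lower-cased
        for ($i = 0; $i < $entries[0]['memberof']['count']; $i++) {
            $groups[] = $entries[0]['memberof'][$i];
        }
    }
    return $groups;
}

/** DNs are compared case-insensitively, as AD does. */
function isAuthorized(array $groups, string $requiredGroupDn): bool
{
    foreach ($groups as $g) {
        if (strcasecmp($g, $requiredGroupDn) === 0) {
            return true;
        }
    }
    return false;
}

// Usage: credentials from a login form.
$groups = adAuthenticate($_POST['user'] ?? '', $_POST['pass'] ?? '');
if ($groups === null) {
    http_response_code(401);
    exit('Authentication failed');
}
if (!isAuthorized($groups, REQUIRED_GROUP)) {
    http_response_code(403);
    exit('Not a member of the required group');
}
echo 'Welcome';
```

Two caveats when using memberOf this way: it lists direct memberships only, so nested groups and the user's primary group (primaryGroupID) are not included, and ldap_bind() over plain ldap:// sends the password in clear text, which is why the example connects over LDAPS.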

Answered by Amil Waduwawara

I just queried an Active Directory (using ldapsearch in Ubuntu 10.04) running on MS Windows Server 2003, and it seems only the following can be retrieved; note that the password is not there.

givenName
distinguishedName
instanceType
whenCreated
whenChanged
displayName
uSNCreated
memberOf
uSNChanged
name
objectGUID
userAccountControl
badPwdCount
codePage
countryCode
badPasswordTime
lastLogoff
lastLogon
pwdLastSet
primaryGroupID
objectSid
accountExpires
logonCount
sAMAccountName
sAMAccountType
userPrincipalName

You may also refer:


Answered by kalyan

AD does not store the password in plain text. The password hash is stored in unicodePwd. This attribute can only be retrieved using the ldapi interface. The regular ldap_search will not return anything.