Original URL: http://stackoverflow.com/questions/1721083/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Active Directory Lookup via PHP
Asked by SamWM
How can you do an Active Directory lookup via PHP? Without needing to recompile PHP. PHP version is 5.3
I want to find a person's display name from their user name. Web server is IIS 6 and PHP is served using FastCGI.
I get the username with:
// REMOTE_USER has the form DOMAIN\user; split on the backslash
$cred = explode('\\', $_SERVER['REMOTE_USER']);
if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)");
list($domain, $user) = $cred;
return $user;
So how can I then find the name? e.g. DoeJ = John Doe
Edit:
Trying to lookup user, but not sure how to find the "base DN". Don't have direct access to the Active Directory server or have admin rights, so connecting anonymously.
<?php
// using ldap bind anonymously
// connect to ldap server
$ldapconn = ldap_connect("example.co.uk")
    or die("Could not connect to LDAP server.");
if ($ldapconn) {
    // binding anonymously
    $ldapbind = ldap_bind($ldapconn);
    if ($ldapbind) {
        echo "LDAP bind anonymous successful...";
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
        $dn = "CN=Users"; // also tried DC=example,DC=co,DC=uk
        $filter = "(SAMAccountName=username)";
        $justthese = array("ou", "sn", "givenname", "mail");
        $sr = ldap_search($ldapconn, $dn, $filter, $justthese);
        $info = ldap_get_entries($ds, $sr);
        echo $info["count"]." entries returned\n";
    } else {
        echo "LDAP bind anonymous failed...";
    }
}
?>
Fails on the ldap_search: Warning: ldap_search() [function.ldap-search]: Search: Operations error
Answered by Stefan Gehrig
OK - first of all, you need the ext/ldap to communicate with your Active Directory server via the LDAP interface. Obviously this requirement is met with your PHP installation (otherwise you'd get errors about undefined functions).
The question now is: what Windows server are you coding against? From Windows Server 2003 onwards anonymous binds are disabled by default, which means that you cannot search the Active Directory tree without authenticating with an existing and authorized user first. (To enable anonymous binds please see here - but as you don't have any admin rights, you won't be able to change this.)
The second problem is your base DN, which actually is the location within your LDAP tree from which a search operation will be executed. The normal base DN for the users' container should be CN=Users,DC=yourdomain,DC=yourtopleveldomain, which is for example CN=Users,DC=example,DC=local.
The filter you're using is correct actually: (SAMAccountName=username) will find the account entry for user username. To use your username variable you can do:
$filter = sprintf('(SAMAccountName=%s)', $user);
The general code flow, though, seems to be correct, too.
To summarize: you'll have to check first if your Active Directory allows anonymous binds and then you'll have to adjust your search's base DN. If no anonymous binds are allowed you'll have to use a user that is authorized to bind to the Active Directory.
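An added example, not code from the original thread or from any of its answers: the sprintf() filter in the answer above inserts $user as-is, so characters such as * ( ) \ in the value would change what the filter matches. The sketch below escapes the value per RFC 4515 before building the filter and performs the lookup over an authenticated bind. The host, base DN, service account and the LDAP_BIND_PW environment variable are placeholders, and the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Host, DNs, account and LDAP_BIND_PW are placeholders.
// escape_filter_value(): RFC 4515 escaping; ldap_escape() needs PHP 5.6+, fallback covers 5.3.
function escape_filter_value($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Backslash goes first so the escapes added afterwards are not escaped again.
    return str_replace(
        array('\\', '*', '(', ')', "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Build the account filter from a REMOTE_USER value such as EXAMPLE\DoeJ.
function account_filter($remoteUser) {
    $parts = explode('\\', $remoteUser);
    return sprintf('(sAMAccountName=%s)', escape_filter_value(end($parts)));
}

// Return the display name, or null unless exactly one entry matches.
function lookup_display_name($conn, $baseDn, $remoteUser) {
    $sr = @ldap_search($conn, $baseDn, account_filter($remoteUser), array('displayname'));
    if ($sr === false) {
        return null;
    }
    $info = ldap_get_entries($conn, $sr);
    if ($info === false || $info['count'] !== 1 || !isset($info[0]['displayname'][0])) {
        return null;
    }
    return $info[0]['displayname'][0];
}

// Constructed inputs: filter metacharacters in the name stay literal.
echo account_filter('EXAMPLE\\DoeJ'), "\n";
echo account_filter('EXAMPLE\\Doe*(J)'), "\n";

// Directory lookup; runs only when a bind password and REMOTE_USER are present.
if (getenv('LDAP_BIND_PW') !== false && isset($_SERVER['REMOTE_USER'])) {
    $conn = ldap_connect('ldap://dc.example.local');
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (@ldap_bind($conn, 'svc-lookup@example.local', getenv('LDAP_BIND_PW'))) {
        echo lookup_display_name($conn, 'CN=Users,DC=example,DC=local', $_SERVER['REMOTE_USER']), "\n";
    }
}
```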
Answered by Edakos
The first parameter of ldap_get_entries function is incorrect:
$info = ldap_get_entries($ldapconn, $sr);
Tested in this way and your code works now.
Answered by Ólafur Waage
PHP has an LDAP library which you can use to query an active directory. It's not enabled by default though.
If you can use it, you can look at ldap_search()
Answered by Ramuns Usovs
Since you're using IIS, that means that you are running PHP on Windows, which in turn means that you can enable the LDAP extension without recompiling PHP. That should solve most of your problems.