hor*_*gen 5 php ldap active-directory single-sign-on
As you can see below, when I run an LDAP search against the security group I don't get any user information back. I want to use $_SERVER[remote_user] to check whether the user is a member of that group. I also want to retrieve that user's information and update a SQL database with it. Is this possible?

```php
$dn = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(member=*)";
// ldap_connect() only validates the URI; the real connection is made by ldap_bind()
$ad = ldap_connect("IP") or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
$bd = ldap_bind( $ad, "username@mydomain.local", "password") or die("Can't bind to server.");
// search base is the group object itself, so only the group entry is returned
$sr = ldap_search($ad,$dn,$filter);
$entries = ldap_get_entries($ad, $sr);

print_r($entries);
```
returns this:
Array
(
[count] => 1
[0] => Array
(
[objectclass] => Array
(
[count] => 2
[0] => top
[1] => group
)
[0] => objectclass
[cn] => Array
(
[count] => 1
[0] => Intra
)
[1] => cn
[description] => Array
(
[count] => 1
[0] => Group for (LDAP) INTRANET server access
)
[2] => description
[member] => Array
(
[count] => 4
[0] => CN=Fname1 Lname1,OU=Mail enabled users,OU=Aberdeen,DC=mydomain,DC=local
[1] => CN=Fname2 Lname2,OU=Mail enabled users,OU=Forres,DC=mydomain,DC=local
[2] => CN=Fname3 Lname3,OU=Houston,DC=mydomain,DC=local
[3] => CN=Fname4 Lname4,OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local
)
[3] => member
[distinguishedname] => Array
(
[count] => 1
[0] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
[4] => distinguishedname
[instancetype] => Array
(
[count] => 1
[0] => 4
)
[5] => instancetype
[whencreated] => Array
(
[count] => 1
[0] => 20100711172407.0Z
)
[6] => whencreated
[whenchanged] => Array
(
[count] => 1
[0] => 20100712063949.0Z
)
[7] => whenchanged
[usncreated] => Array
(
[count] => 1
[0] => 17491499
)
[8] => usncreated
[usnchanged] => Array
(
[count] => 1
[0] => 17498823
)
[9] => usnchanged
[name] => Array
(
[count] => 1
[0] => Intra
)
[10] => name
[objectguid] => Array
(
[count] => 1
[0] =>
)
[11] => objectguid
[objectsid] => Array
(
[count] => 1
[0] =>
)
[12] => objectsid
[samaccountname] => Array
(
[count] => 1
[0] => Intra
)
[13] => samaccountname
[samaccounttype] => Array
(
[count] => 1
[0] => 268435456
)
[14] => samaccounttype
[grouptype] => Array
(
[count] => 1
[0] => -2147483646
)
[15] => grouptype
[objectcategory] => Array
(
[count] => 1
[0] => CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=local
)
[16] => objectcategory
[count] => 17
[dn] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
)
When I use an ordinary DN, everything works:

```php
$dn = "OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local";
```

But the AD experts tell me that is a big NO-NO and I should be using the security group:
Query AD like this:

```php
$dn = "DC=mydomain,DC=local";
$group_DN = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(&(objectCategory=user)(memberOf=$group_DN))";
// ...
$sr = ldap_search($ad, $dn, $filter);
```
See the MSDN article on LDAP search filter syntax for information on more complex filters.

Be sure to note the section on special characters further down that page. $group_DN must go through a proper escaping mechanism before it is used in the filter string!

Always try to build the most specific filter you can. It is more efficient to let the LDAP server sort out the records you don't need than to ship more records than necessary over the network and then throw half of them away on the client.
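Putting the answer together with what the question asks for (gate the page on $_SERVER['REMOTE_USER'], pull the matching user's attributes, write them to SQL), as an added example that is not part of the original question or answer. Everything it assumes is hypothetical: the LDAPS host name, the read-only service account, the REMOTE_USER formats it normalises, the users table and the MySQL ON DUPLICATE KEY UPDATE syntax. It escapes every value that goes into the filter with ldap_escape(), uses the LDAP_MATCHING_RULE_IN_CHAIN form of memberOf so nested groups count, fails closed when the search returns zero or more than one entry, and writes to SQL through a prepared statement.

```php
<?php
// Added example, not code from the question or the answer. All hostnames,
// account names and the SQL schema below are assumptions.
declare(strict_types=1);

const AD_URI    = 'ldaps://dc01.mydomain.local';                           // assumption: LDAPS, not plaintext 389
const BASE_DN   = 'DC=mydomain,DC=local';
const GROUP_DN  = 'CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local'; // group from the question
const BIND_USER = 'svc-intranet@mydomain.local';                            // assumption: read-only service account
const BIND_PASS = 'service-account-password';                               // assumption: load from a secret store, not source

// Extensible-match form of memberOf: LDAP_MATCHING_RULE_IN_CHAIN walks nested groups.
const MEMBER_OF_IN_CHAIN = 'memberOf:1.2.840.113556.1.4.1941:=';

/**
 * Reduce whatever the auth module put into REMOTE_USER ("MYDOMAIN\jdoe",
 * "jdoe@MYDOMAIN.LOCAL" or plain "jdoe") to a bare sAMAccountName, and
 * reject anything that does not look like one before it reaches LDAP or SQL.
 */
function samFromRemoteUser(string $remoteUser): string
{
    if (($p = strrpos($remoteUser, '\\')) !== false) {
        $remoteUser = substr($remoteUser, $p + 1);
    } elseif (($p = strpos($remoteUser, '@')) !== false) {
        $remoteUser = substr($remoteUser, 0, $p);
    }
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $remoteUser)) {
        throw new InvalidArgumentException('Unexpected REMOTE_USER format');
    }
    return $remoteUser;
}

/**
 * Build the search filter with every interpolated value escaped for filter context.
 * $nested=false gives the plain (memberOf=...) clause from the answer (direct members only);
 * $nested=true uses the in-chain matching rule so members of nested groups also match.
 */
function buildMemberFilter(string $sam, string $groupDn, bool $nested = false): string
{
    $samEsc   = ldap_escape($sam, '', LDAP_ESCAPE_FILTER);
    $groupEsc = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    $memberOf = ($nested ? MEMBER_OF_IN_CHAIN : 'memberOf=') . $groupEsc;
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName={$samEsc})({$memberOf}))";
}

/**
 * Return the user's attributes if exactly one user with that sAMAccountName
 * is in the group, or null otherwise (not a member, or an ambiguous result).
 */
function lookupGroupMember(string $sam, string $groupDn): ?array
{
    $ad = ldap_connect(AD_URI);
    if ($ad === false) {
        throw new RuntimeException('Malformed LDAP URI');
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);   // AD hands out forest-wide referrals; do not chase them

    // The TCP/TLS connection is made here, not in ldap_connect(). Fail closed on any error.
    if (!@ldap_bind($ad, BIND_USER, BIND_PASS)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ad));
    }

    $attrs  = ['samaccountname', 'displayname', 'mail', 'department'];
    $filter = buildMemberFilter($sam, $groupDn, true);
    // sizelimit 2: one hit is expected, two means the filter is ambiguous and we deny
    $sr = ldap_search($ad, BASE_DN, $filter, $attrs, 0, 2);
    if ($sr === false) {
        throw new RuntimeException('LDAP search failed: ' . ldap_error($ad));
    }
    $entries = ldap_get_entries($ad, $sr);
    ldap_unbind($ad);

    if ($entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0];
    return [
        'sam'        => $e['samaccountname'][0],
        'name'       => $e['displayname'][0] ?? '',
        'mail'       => $e['mail'][0] ?? '',
        'department' => $e['department'][0] ?? '',
    ];
}

// --- Usage: gate the page on group membership, then sync the record to SQL ---
$sam  = samFromRemoteUser($_SERVER['REMOTE_USER'] ?? '');
$user = lookupGroupMember($sam, GROUP_DN);
if ($user === null) {
    http_response_code(403);
    exit('Not a member of the required group');
}

// assumption: MySQL table users(sam PRIMARY KEY, name, mail, department); prepared statement, no string building
$pdo  = new PDO('mysql:host=localhost;dbname=intranet', 'intranet_app', 'db-password',
                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'INSERT INTO users (sam, name, mail, department) VALUES (:sam, :name, :mail, :department)
     ON DUPLICATE KEY UPDATE name = VALUES(name), mail = VALUES(mail), department = VALUES(department)'
);
$stmt->execute($user);
```

Two caveats worth knowing when you adopt the memberOf filter from the answer. A plain (memberOf=...) clause matches only direct members and never a user's primary group, so users who reach Intra through a nested group are invisible to it; the 1.2.840.113556.1.4.1941 matching rule used above resolves the nesting on the server. And although the web server has already authenticated the REMOTE_USER principal, its textual form (with or without domain prefix or realm suffix) still depends on the authentication module, so normalise and validate it before it goes into the filter or the database rather than trusting it as a ready-made sAMAccountName.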