[英]unable to locate windows AD group for user using ldap_search in php
I can successfully connect and bind to ldap in windows AD using php. 我可以使用php成功连接并绑定到Windows AD中的ldap。 However, I'm not getting the results I expect from ldap_search.
但是,我没有从ldap_search获得预期的结果。 I know my test user is in Intranet_Group123 but either ldap_search isn't finding the group, or I don't know how to correctly parse the result array.
我知道我的测试用户位于Intranet_Group123中,但是ldap_search找不到组,或者我不知道如何正确解析结果数组。 I know the distinguished name of the group: CN=Intranet_Group123,OU=PD,OU=Intranet,OU=Apps,OU=Groups,DC=mydomain,DC=com
我知道该组的专有名称:CN = Intranet_Group123,OU = PD,OU = Intranet,OU = Apps,OU = Groups,DC = mydomain,DC = com
Here's the code I'm using (based on blog here: blog here ). 这是我正在使用的代码(基于此处的博客 : 此处的博客 )。
$user = 'testuser';
$password = 'test';
$ldap_host = "myServer";
// Active Directory DN (I have also tried having CN=Intranet_Group123 at the beginning of the string)
$ldap_dn = "OU=PD,OU=Intranet,OU=Apps,OU=Groups,DC=mydomain,DC=com";
// Domain, for purposes of constructing $user
$ldap_usr_dom = "@mydomain.com";
// connect to active directory
$ldap = ldap_connect($ldap_host);
// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
var_dump($bind); // bool•true
// valid
// check presence in groups
$filter = "(sAMAccountName=" . $user . ")";
$attr = array("memberof");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
var_dump($result); //resource(8) of type (ldap result)
$entries = ldap_get_entries($ldap, $result);
var_dump($entries); // array(1) {'count' → int 0}
You are searching groups container with a filter (sAMAccountName=username)
. 您正在使用过滤器
(sAMAccountName=username)
搜索“组”容器。 This is not going to produce you any meaningful results because there is no user entry in groups container, as your var_dump($entries) shows -- // array(1) {'count' -> int 0}
just gives you a hint that no entries were found. 这不会给您带来任何有意义的结果,因为在组容器中没有用户输入,如您的
var_dump($entries) shows -- // array(1) {'count' -> int 0}
只是给您一个提示没有找到条目。
Instead, turn your query to a root search (dc=mydomain,dc=com)
and search with more complex filter. 而是将查询转到根搜索
(dc=mydomain,dc=com)
并使用更复杂的过滤器进行搜索。 You need to find a user that has particular sAMAccountName
and memberof
attribute pointing to the proper group DN. 您需要找到一个具有特定
sAMAccountName
和 memberof
属性的用户,这些用户指向正确的组DN。 Note that memberof
attribute accepts DN, not a group name. 请注意,
memberof
属性接受DN,而不接受组名。
The query filter then would look like this: 查询过滤器将如下所示:
"(&(objectclass=user)(sAMAccountName=".$user.")(memberof=".$ldap_dn."))"
and do search over $root_prefix
where $root_prefix = "dc=mydomain,dc=com"
with a subtree scope. 并搜索
$root_prefix
,其中$root_prefix = "dc=mydomain,dc=com"
带有子树范围。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.