PHP: How to lock an Active Directory user account?

I've a working script that allows me to unlock a user account (by setting the lockouttime AD attribute to 0), something like this:

// clearing lockouttime unlocks the account
$entry["lockouttime"][0] = 0;
$mod = ldap_mod_replace($ds, $dn, $entry);

Now I'd like to do the opposite: lock the account. I've read that lockouttime is a system attribute and Active Directory will not allow us to set its value to anything other than 0.

So I'm trying to bind to the server with the user account and a bad password, but this doesn't seem to work.

// ten deliberately failed binds, hoping to trigger the lockout policy
for ($i = 0; $i < 10; $i++) {
    ldap_bind($ds, $dn, "theWrongPasswd");
}

Running this shows this error:

Warning: ldap_bind(): Unable to bind to server: Invalid credentials

but the account is still unlocked.

Do you have any idea how I can do this? Thanks in advance.

LDAP bind attempts don't count as logon attempts. Using APIs like LogonUser and CreateProcessWithLogon generates logon attempts.

Locking the user via the userAccountControl's LOCKOUT flag (0x0010) is not possible. This flag is related to the AD's password policy and will be set by the system if there are too many login attempts. I've tried it myself: after setting the flag and committing the changes to the AD, the value did not change, and no exception was thrown.

Disabling an account will probably achieve the same thing you want to do. For this you will have to set the ACCOUNTDISABLE flag (0x0002).

This is the list of all UAC flags: http://support.microsoft.com/kb/305144/en-us

Looking at http://support.microsoft.com/kb/305144 suggests that a normal account will have a value of 512 for their UAC.

LOCKOUT         0x0010   16
NORMAL_ACCOUNT  0x0200   512

I believe that setting it to 528 (lockout + normal account) will lock the user's account.

// 528 = NORMAL_ACCOUNT (512) + LOCKOUT (16), as stated above
$entry["userAccountControl"][0] = 512 + 16;
$mod = ldap_mod_replace($ds, $dn, $entry);

I recommend counting failed bind attempts yourself using a session variable and locking the account yourself based on that.

To lock the account, you'll need to cumulate user account control options and set the UserAccountControl attribute.

Referencing http://support.microsoft.com/kb/305144, locking would be:

$controlOption["useraccountcontrol"][0] = '514';
$mod = ldap_modify($ds, $dn, $controlOption);

The 514 value comes from NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2).

Unlocking would be a value of NORMAL_ACCOUNT, 512.

Final code:

session_start();
$maxCount = 5; // example threshold for failed binds before disabling
if (!isset($_SESSION['failed-login'])) {
    $_SESSION['failed-login'] = 0;
}

for ($i = 0; $i < 10; $i++) {
    $result = ldap_bind($ds, $dn, "theWrongPasswd");

    if (!$result) {
        $_SESSION['failed-login']++;
    }

    if ($_SESSION['failed-login'] >= $maxCount) {
        // NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2) = 514
        $controlOption["useraccountcontrol"][0] = 512 + 2;
        $mod = ldap_modify($ds, $dn, $controlOption);
    }
}

Try this:

To unlock:

$acctEntry["lockouttime"][0] = '1';
$mod = ldap_modify($ds, $dn, $acctEntry);

To lock:

$acctEntry["lockouttime"][0] = '0';
$mod = ldap_modify($ds, $dn, $acctEntry);

To enable:

$acctEntry["useraccountcontrol"][0] = '512';
$mod = ldap_modify($ds, $dn, $acctEntry);

To disable:

$acctEntry["useraccountcontrol"][0] = '514';
$mod = ldap_modify($ds, $dn, $acctEntry);
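The answers above write a hard-coded 512 or 514 into userAccountControl, which silently clears any other flag the account already carries (for example DONT_EXPIRE_PASSWORD, 0x10000, from the same KB article). The following is an added example, not code from the question or any answer: it reads the current value and flips only the ACCOUNTDISABLE bit, and reports lockout state read-only, since the LOCKOUT bit is set by the domain controller and is not writable. It assumes `$ds` is an already-bound ldap_connect() handle with rights to modify the account and `$dn` is the account's distinguished name.

```php
<?php
// Flag values from http://support.microsoft.com/kb/305144
const UAC_ACCOUNTDISABLE = 0x0002;
const UAC_LOCKOUT        = 0x0010; // informational: maintained by the DC, not settable

// Fetch one attribute of the account; returns null if the read fails.
function adReadAttribute($ds, string $dn, string $attr): ?string
{
    $sr = ldap_read($ds, $dn, '(objectClass=user)', [$attr]);
    if ($sr === false) {
        return null;
    }
    $entries = ldap_get_entries($ds, $sr); // attribute names come back lowercased
    $key = strtolower($attr);
    if ($entries['count'] !== 1 || !isset($entries[0][$key][0])) {
        return null;
    }
    return $entries[0][$key][0];
}

// Disable (true) or re-enable (false) the account by changing only the
// ACCOUNTDISABLE bit, so every other userAccountControl flag is preserved.
function adSetDisabled($ds, string $dn, bool $disabled): bool
{
    $raw = adReadAttribute($ds, $dn, 'userAccountControl');
    if ($raw === null) {
        return false;
    }
    $current = (int) $raw;
    $new = $disabled ? ($current | UAC_ACCOUNTDISABLE)
                     : ($current & ~UAC_ACCOUNTDISABLE);
    if ($new === $current) {
        return true; // already in the requested state, nothing to write
    }
    // PHP's LDAP extension expects attribute values as strings.
    return ldap_mod_replace($ds, $dn, ['userAccountControl' => (string) $new]);
}

// Read-only check: AD records a lockout in lockoutTime (non-zero while locked).
// Returns null if the attribute could not be read.
function adIsLockedOut($ds, string $dn): ?bool
{
    $raw = adReadAttribute($ds, $dn, 'lockoutTime');
    if ($raw === null) {
        return null;
    }
    return $raw !== '0';
}

// Example usage (assumed handle and DN):
// adSetDisabled($ds, $dn, true);          // disable, keep other flags
// var_dump(adIsLockedOut($ds, $dn));      // bool(false) unless the DC locked it
```

A lockout recorded in lockoutTime expires on its own after the domain's lockout duration, so a disable via ACCOUNTDISABLE is the durable administrative control, and the change is visible in the account's audit trail.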
