堆栈内存溢出
  简体   繁体   English

PHP LDAP从Active Directory获取BitLocker密钥

[英]PHP LDAP get BitLocker Keys from Active Directory

 原文  2016-02-11 09:23:57       php/ ldap/ bitlocker

问题描述

I have been struggling with this for a while, I am trying to find the BitLocker Recovery Keys from AD using PHP, this is part of a tracking tool. 我一直在努力解决这个问题,我试图使用PHP从AD中找到BitLocker恢复密钥,这是跟踪工具的一部分。

I can access the computer element, and I have access to the keys but when I check for objectClass=msFVE-RecoveryInformation I dont get any data back. 我可以访问计算机元素,我可以访问密钥,但是当我检查objectClass=msFVE-RecoveryInformation我没有得到任何数据。

I am accessing the computer element like this: 我正在访问这样的计算机元素: 

$adServer = "ADSERVER";
$ldap = ldap_connect( $adServer );
$usernamead = "user";
$password = "pass";

$ldaprdn = 'domina' . "\\" . $usernamead;

ldap_set_option( $ldap, LDAP_OPT_PROTOCOL_VERSION, 3 );
ldap_set_option( $ldap, LDAP_OPT_REFERRALS, 0 );

$bind = @ldap_bind( $ldap, $ldaprdn, $password );
$username = $_COOKIE['deviceusername'];

if ( $bind ) {
    $filter="(&(Name=computername)(objectClass=computer))";
    $result = ldap_search( $ldap, "dc=domain,dc=ads", $filter );
    ldap_sort( $ldap, $result, "sn" );
    $info = ldap_get_entries( $ldap, $result );
    for ( $i=0; $i<$info["count"]; $i++ ) {
        if ( $info['count'] > 1 )
            break;
        print_r($info);
    };
}

1 个解决方案

解决方案1
 0  2018-06-13 09:03:15

This is the code part I used in our internal IT support web page. 这是我在内部IT支持网页中使用的代码部分。 May not be beautiful but it works. 可能不漂亮但它有效。 

function listKeys($querie_string){
  //Allow either the first 8 chars like in the AD Users and Computers or the whole KeyID
  $KeyID_regex = "/^(?:[A-F0-9]{8})(?:-(?:[A-F0-9]{4}-){3}[A-F0-9]{12})?$/";
  $querie_key = FALSE;
  if (preg_match($KeyID_regex,$querie_string,$rgx_result)){
    $querie_key = TRUE;
  }
  //dont forget to define them somewhere!!!
  global $host_search_ldap_base_dn, $ldap_host, $ldap_usr_dom, $ldap_search_user, $ldap_search_user_password;

  $ldap = ldap_connect($ldap_host);
  if($bind = @ldap_bind($ldap, $ldap_search_user.$ldap_usr_dom, $ldap_search_user_password)) {
    if ($querie_key == FALSE){
      $filter = sprintf("(&(cn=%s)(objectClass=computer))",$querie_string);

      $attr = array("dn");
      $result = ldap_search($ldap, $host_search_ldap_base_dn, $filter, $attr) or exit("Unable to search host dn on LDAP server");
      $entries = ldap_get_entries($ldap, $result);

      if ($entries["count"] != 1){
        ldap_unbind($ldap);
        return sprintf("invalid amount of results %d for querie %s",$entries["count"],$querie_string);
      }
    }

    if ($querie_key == TRUE){
      $filter = sprintf("(&(name=*{%s*})(objectClass=msFVE-RecoveryInformation))",$querie_string);
      $ldap_dn = $host_search_ldap_base_dn;
    } else {
      $filter = sprintf("(objectClass=msFVE-RecoveryInformation)",$querie_string);
      $ldap_dn = $entries[0]["dn"];
    }

    $attr = array("msFVE-RecoveryPassword", "name", "distinguishedName");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search for keys on LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);

    $key_list = array();
    for ($i = 0;$i<$entries["count"];$i++){
      //extract date, time and keyID
      $regex = "/(?<date>[0-9]{4}-[0-9]{2}-[0-9]{2})T(?<time>[0-9]{2}:[0-9]{2}:[0-9]{2})(.+)\{(?<keyID>[A-Z0-9\-]+)\}/";
      preg_match($regex,$entries[$i]["name"][0],$matches);

      //extract computername
      $hostname_regex = "/\},CN=(?<computer>.+?),/";
      preg_match($hostname_regex,$entries[$i]["distinguishedname"][0],$hostname_matches);

      //Create array
      $tmp = array();
      $tmp["computer"] = $hostname_matches["computer"];
      $tmp["date"] = date("Y-m-d H:i:s",strtotime($matches["date"]." ".$matches["time"]));
      $tmp["keyID"] = $matches["keyID"];
      $tmp["dn"] = $entries[$i]["distinguishedname"][0];
      $tmp["name"] = $entries[$i]["name"][0];
      $tmp["recoverypassword"] = $entries[$i]["msfve-recoverypassword"][0];
      array_push($key_list,$tmp);
    }
    //TODO Sort by date!!!
    return $key_list;
  }

}

In the end just iterate over the result if its an array: 最后只是迭代结果,如果它是一个数组: 

$keys = listKeys("myhostname");
if (is_array($keys)){
  foreach ($keys as $keyentrie) {
    //code goes here
  }
}

Hope that helps someone. 希望能帮助别人。 Downside of this approach is that if you search for a KeyID search takes about 2-5 Seconds to get results. 这种方法的缺点是,如果您搜索KeyID搜索大约需要2-5秒才能获得结果。 (Our environment hast about 10000 computer objects below the defined LDAP search base) (我们的环境在定义的LDAP搜索库下面有大约10000个计算机对象)

PS don't forget input sanitation! PS不要忘记输入卫生!

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 PHP LDAP从Active Directory获取“ Office”字段 - PHP LDAP get “Office” field from Active Directory 如何在PHP中通过ldap获取活动目录的密码? - How to get password of active directory by ldap in php? ldap活动目录PHP过滤器 - ldap active directory PHP filter ldap身份验证-活动目录和php - ldap authentication - active directory and php 使用PHP连接活动目录或LDAP - Connect an active directory or LDAP with PHP PHP将ldap绑定到活动目录 - php bind ldap to active directory 使用LDAP函数获取PHP中的Active Directory tokenGroups属性 - Using LDAP functions to get Active Directory tokenGroups attribute in PHP PHP LDAP连接可从外部服务器对Active Directory进行身份验证 - PHP LDAP Connection to Authenticate against Active Directory from External Server Active Directory中的自动完成文本框,使用PHP中的LDAP用户 - Autocomplete Textbox from Active Directory usind LDAP Users in php 使用LDAP / PHP从Active Directory检索分发列表 - Retrieve Distributions lists from Active Directory with LDAP / PHP
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM