How to know the objectGUID of a user that successfully authenticated with LDAP bind

I have:

  • a PHP application on a Linux server
  • a (Windows Server 2012) domain controller

I want to make it possible for AD users to log in to the PHP application. The PHP application will associate data with the user, so I need to create the user in my database.

When a new user is created in the PHP application, the administrator chooses from a list of the userPrincipalName of the AD users. When a userPrincipalName is chosen, the PHP gets the objectGUID of this user and stores it in the database. Indeed, as the UPN could change, I can not rely on that to uniquely identify the user. Also, I want that if the UPN changes, the user can still log in seamlessly to the PHP application with his new UPN.

When a user wants to log in to my application, the PHP receives a username and a password, and passes them to ldap_bind to check if the credentials are valid. The problem at that point is that ldap bind gives no clue of what user it actually identified (ldap_bind has a complicated logic of validating a login/password: https://msdn.microsoft.com/en-us/library/cc223499.aspx).

The most atomic (and hence, reliable) way of doing it would be if ldap bind was returning the objectGUID... But it doesn't, and I won't code the logic of ldap bind in PHP to find which user it has actually identified (it would be buggy anyway because of a race condition if the directory changes between the ldap bind and my "manual" search).

So what should I do to authenticate AND identify the LDAP user from PHP, if possible, in a single request to the domain controller (to get atomicity)?

At some point in the process you need to have logic that searches for the UPN being used for the username in the login, obtain its objectGuid, and search for that objectGuid in the database. There is no other way to get that information.

If you're worried about a potential race condition (which seems like quite the edge case, given the timing between the bind and the search would be extremely tight), you could use a separate AD service account that searches for the account by UPN prior to the bind. Then in the ldap_bind for checking the user's credentials you could even use the objectGuid from the account you searched for to do the login, as that's a valid "username" for an AD bind (the GUID with curly braces around it that is).
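The two-step approach from the answer in PHP, as an added example that is not part of the original post: the service account resolves the UPN to its objectGUID (the same lookup the admin-side user creation needs), and the user's own credentials are then checked by binding as "{GUID}" rather than by UPN. The server name, base DN and service-account credentials are assumed placeholders.

```php
<?php
// Added example, not from the original post. Hostname, base DN and service-account credentials are assumptions.
const LDAP_URI     = 'ldaps://dc.example.internal';  // assumption: LDAPS, so passwords are never sent in clear
const LDAP_BASE_DN = 'DC=example,DC=internal';       // assumption
const SVC_USER     = 'svc-phpapp@example.internal';  // assumption: read-only service account
const SVC_PASS     = 'change-me';                    // assumption: load from a secret store in practice

// Convert the 16-byte objectGUID attribute to the textual form AD accepts in a bind name.
// The first three fields are stored little-endian, the last two big-endian.
function guidBinaryToString(string $bin): string {
    $h = bin2hex($bin);
    return sprintf('%s%s%s%s-%s%s-%s%s-%s-%s',
        substr($h, 6, 2), substr($h, 4, 2), substr($h, 2, 2), substr($h, 0, 2),
        substr($h, 10, 2), substr($h, 8, 2),
        substr($h, 14, 2), substr($h, 12, 2),
        substr($h, 16, 4), substr($h, 20, 12));
}

// Resolve a userPrincipalName to its objectGUID with the service account.
// Returns null unless exactly one account matches.
function resolveObjectGuid($ds, string $upn): ?string {
    if (!@ldap_bind($ds, SVC_USER, SVC_PASS)) {
        throw new RuntimeException('service bind failed: ' . ldap_error($ds));
    }
    // ldap_escape stops the user-supplied name from altering the filter
    $filter = '(&(objectClass=user)(userPrincipalName=' . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . '))';
    $sr = ldap_search($ds, LDAP_BASE_DN, $filter, ['objectGUID'], 0, 2);
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    return guidBinaryToString($entries[0]['objectguid'][0]);
}

// Check a login and return the stable objectGUID to look up in the app database, or null.
function authenticate(string $upn, string $password): ?string {
    // An empty password turns the bind into an unauthenticated bind that AD reports as success.
    if ($password === '') {
        return null;
    }
    $ds = ldap_connect(LDAP_URI);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    $guid = resolveObjectGuid($ds, $upn);
    if ($guid === null) {
        return null;
    }
    // Bind as "{GUID}" so the account checked is exactly the one found, even if the UPN changes meanwhile.
    $ok = @ldap_bind($ds, '{' . $guid . '}', $password);
    ldap_unbind($ds);
    return $ok ? $guid : null;
}
```

The returned GUID is what the application stores and later matches against, so a UPN rename changes nothing in the database.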
