[英]PHP LDAP get user SID
I don't know how to get users unique identifier (SID) in AD. 我不知道如何在AD中获取用户唯一标识符(SID)。 Code fragment: 代码片段:
...
$filter="(&(samaccountname=".$this->username.")(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP_NAME,OU=Security,DC=something,DC=something))";
$attribute = array("cn","objectsid","description", "group", "member", "samaccountname");
$sr=ldap_search($this->conn_ldap, $this->ldap_dn, $filter, $attribute);
if ($sr)
{
$this->info = ldap_get_entries($this->conn_ldap, $sr);
if ($this->info["count"] == 1){
ldap_close($this->conn_ldap);
return true;
}
...
i can pull information with: 我可以提取信息:
echo $this->info[0]["cn"][0];
or 要么
echo $this->info[0]["objectsid"][0];
In first output i can see users name in secound something like 0 @ d^ WL7 U
I believe sid should be like S-......
? 在第一个输出中我可以看到用户的名字在类似0 @ d^ WL7 U
我相信sid应该像S-......
?
I found a solution on another website (see below). 我在另一个网站上找到了解决方案(见下文)。 Basically this function is converter and makes SID visible: 基本上这个功能是转换器,使SID可见:
public static function SIDtoString($ADsid)
{
$sid = "S-";
//$ADguid = $info[0]['objectguid'][0];
$sidinhex = str_split(bin2hex($ADsid), 2);
// Byte 0 = Revision Level
$sid = $sid.hexdec($sidinhex[0])."-";
// Byte 1-7 = 48 Bit Authority
$sid = $sid.hexdec($sidinhex[6].$sidinhex[5].$sidinhex[4].$sidinhex[3].$sidinhex[2].$sidinhex[1]);
// Byte 8 count of sub authorities - Get number of sub-authorities
$subauths = hexdec($sidinhex[7]);
//Loop through Sub Authorities
for($i = 0; $i < $subauths; $i++) {
$start = 8 + (4 * $i);
// X amount of 32Bit (4 Byte) Sub Authorities
$sid = $sid."-".hexdec($sidinhex[$start+3].$sidinhex[$start+2].$sidinhex[$start+1].$sidinhex[$start]);
}
return $sid;
}
https://www.null-byte.org/development/php-active-directory-ldap-authentication/ https://www.null-byte.org/development/php-active-directory-ldap-authentication/
As an alternative example, this can be done completely using PHP's unpack function. 作为替代示例,这可以使用PHP的解包功能完全完成。 The objectSid binary structure is best documented on this MSDN doc : objectSid二进制结构最好记录在此MSDN文档中 :
Revision (1 byte) : An 8-bit unsigned integer that specifies the revision level of the SID. 版本(1字节) :一个8位无符号整数,指定SID的修订级别。 This value MUST be set to 0x01. 该值必须设置为0x01。
SubAuthorityCount (1 byte) : An 8-bit unsigned integer that specifies the number of elements in the SubAuthority array. SubAuthorityCount(1字节) :一个8位无符号整数,指定SubAuthority数组中的元素数。 The maximum number of elements allowed is 15. 允许的最大元素数为15。
IdentifierAuthority (6 bytes) : A SID_IDENTIFIER_AUTHORITY structure that indicates the authority under which the SID was created. IdentifierAuthority(6字节) :SID_IDENTIFIER_AUTHORITY结构,指示创建SID的权限。 It describes the entity that created the SID. 它描述了创建SID的实体。 The Identifier Authority value {0,0,0,0,0,5} denotes SIDs created by the NT SID authority. 标识符权限值{0,0,0,0,0,5}表示由NT SID权限创建的SID。
SubAuthority (variable) : A variable length array of unsigned 32-bit integers that uniquely identifies a principal relative to the IdentifierAuthority. SubAuthority(变量) :无符号32位整数的可变长度数组,唯一标识相对于IdentifierAuthority的主体。 Its length is determined by SubAuthorityCount. 其长度由SubAuthorityCount决定。
/**
* Decode the binary SID into its readable form.
*
* @param string $value
* @return string
*/
function decodeSID($value)
{
# revision - 8bit unsigned int (C1)
# count - 8bit unsigned int (C1)
# 2 null bytes
# ID - 32bit unsigned long, big-endian order
$sid = @unpack('C1rev/C1count/x2/N1id', $value);
$subAuthorities = [];
if (!isset($sid['id']) || !isset($sid['rev'])) {
throw new \UnexpectedValueException(
'The revision level or identifier authority was not found when decoding the SID.'
);
}
$revisionLevel = $sid['rev'];
$identifierAuthority = $sid['id'];
$subs = isset($sid['count']) ? $sid['count'] : 0;
// The sub-authorities depend on the count, so only get as many as the count, regardless of data beyond it
for ($i = 0; $i < $subs; $i++) {
# Each sub-auth is a 32bit unsigned long, little-endian order
$subAuthorities[] = unpack('V1sub', hex2bin(substr(bin2hex($value), 16 + ($i * 8), 8)))['sub'];
}
# Tack on the 'S-' and glue it all together...
return 'S-'.$revisionLevel.'-'.$identifierAuthority.implode(
preg_filter('/^/', '-', $subAuthorities)
);
}
This works on 64bit systems and I think is more succinct. 这适用于64位系统,我认为更简洁。
function bin_to_str_sid($binsid) {
$parts = unpack('Crev/x/nidhigh/Nidlow', $binsid);
$ssid = sprintf('S-%u-%d', $parts['rev'], ($parts['idhigh']<<32) + $parts['idlow']);
$parts = unpack('x8/V*', $binsid);
if ($parts) $ssid .= '-';
$ssid .= join('-', $parts);
return $ssid;
}
Is old post but I do some combination what I find useful and this function is the ultimate function for binary to SID translations: 是旧帖子,但我做了一些我觉得有用的组合,这个函数是二进制到SID翻译的终极功能:
// Binary to SID
function bin_to_str_sid($binary_sid) {
$sid = NULL;
/* 64bt PHP */
if(strlen(decbin(~0)) == 64)
{
// Get revision, indentifier, authority
$parts = unpack('Crev/x/nidhigh/Nidlow', $binary_sid);
// Set revision, indentifier, authority
$sid = sprintf('S-%u-%d', $parts['rev'], ($parts['idhigh']<<32) + $parts['idlow']);
// Translate domain
$parts = unpack('x8/V*', $binary_sid);
// Append if parts exists
if ($parts) $sid .= '-';
// Join all
$sid.= join('-', $parts);
}
/* 32bit PHP */
else
{
$sid = 'S-';
$sidinhex = str_split(bin2hex($binary_sid), 2);
// Byte 0 = Revision Level
$sid = $sid.hexdec($sidinhex[0]).'-';
// Byte 1-7 = 48 Bit Authority
$sid = $sid.hexdec($sidinhex[6].$sidinhex[5].$sidinhex[4].$sidinhex[3].$sidinhex[2].$sidinhex[1]);
// Byte 8 count of sub authorities - Get number of sub-authorities
$subauths = hexdec($sidinhex[7]);
//Loop through Sub Authorities
for($i = 0; $i < $subauths; $i++) {
$start = 8 + (4 * $i);
// X amount of 32Bit (4 Byte) Sub Authorities
$sid = $sid.'-'.hexdec($sidinhex[$start+3].$sidinhex[$start+2].$sidinhex[$start+1].$sidinhex[$start]);
}
}
return $sid;
}
Now you can chillout and use this function in any PHP version. 现在你可以在任何PHP版本中使用chillout并使用此函数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.