PHP/AD/LDAP: Nested group memberships

I'm working on a PHP/Active Directory auth class, but would like to know how to resolve nested group memberships. It's a mess to make each user a member of all needed groups, so I'd like to make use of groups in groups. How should I tackle this with LDAP?

Code: http://pastie.org/private/ypuwba1cwnqklre4yhgr7g

adLDAP is an open source solution for LDAP/AD in PHP.

You can check its code if you wish to create an auth class yourself, or just use it in your auth class to handle all interactions with the LDAP/AD.

You can get it here.

This is an old question, but it is still very hard to find the proper solution for recursively testing if a user (distinguished name) is a member of an AD group (indirect membership), using LDAP.

The solution is TokenGroups, and here is some sample code.

function memberOf($userDN, $groupDN)
{
    if (!$this->connection) {
        throw new SSOException('LDAP connection required');
    }

    // Get the group's SID (objectSid is returned as a binary string)
    $result = @ldap_read($this->connection, $groupDN, "CN=*", ["objectsid"]);
    if (!$result) {
        throw new SSOException('No such group: '.$groupDN);
    }
    $data = ldap_get_entries($this->connection, $result);
    if (($data['count'] > 0) && ($data[0]['objectsid']['count'] > 0)) {
        $groupSID = $data[0]['objectsid'][0];
    } else {
        throw new SSOException('Found no SID for group ['.$groupDN.']');
    }

    // tokenGroups is a constructed attribute holding the SIDs of every group the
    // user is in, including indirect memberships; it is only returned by a
    // base-scope read (ldap_read) of the user object itself
    $result = @ldap_read($this->connection, $userDN, "CN=*", ["tokengroups"]);
    if (!$result) {
        throw new SSOException('No such user ['.$userDN.']');
    }
    $data = ldap_get_entries($this->connection, $result);
    if ($data['count'] > 0) {
        $groups = $data[0]['tokengroups'];
        unset($groups['count']);
        // Compare the binary SIDs directly
        return in_array($groupSID, $groups);
    } else {
        throw new SSOException('No TokenGroups for user ['.$userDN.']');
    }
}

Note that SSOException is a custom class. Hope this snippet saves someone a few hours of Google, Trial, and Error.
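The answer above compares raw binary SIDs, which works but is opaque when you need to log or debug a membership decision. The following is an added example (not code from the original post or from any project it mentions) that decodes the binary SID layout AD uses for objectSid and tokenGroups into the familiar S-1-5-... form, reads tokenGroups with a base-scope ldap_read as the answer does, and tests effective membership with a strict comparison. The fetchTokenGroups helper needs a live directory; the demonstration at the bottom runs offline on constructed sample SIDs (the domain identifier values are made up, the RIDs 512 and S-1-5-32-544 are the well-known Domain Admins and BUILTIN\Administrators identifiers).

```php
<?php
declare(strict_types=1);

/**
 * Decode a binary SID into "S-1-5-21-..." form.
 * Layout: revision (1 byte), sub-authority count (1 byte),
 * identifier authority (6 bytes, big-endian), then N sub-authorities
 * (4 bytes each, little-endian).
 */
function sidToString(string $sid): string
{
    if (strlen($sid) < 8) {
        throw new InvalidArgumentException('SID too short');
    }
    $revision = ord($sid[0]);
    $count    = ord($sid[1]);
    if (strlen($sid) !== 8 + 4 * $count) {
        throw new InvalidArgumentException('SID length does not match sub-authority count');
    }
    $authority = 0;
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($sid[$i]);
    }
    $parts = ['S', $revision, $authority];
    for ($i = 0; $i < $count; $i++) {
        $parts[] = unpack('V', substr($sid, 8 + 4 * $i, 4))[1];
    }
    return implode('-', $parts);
}

/** Build a binary SID; used here only to construct sample data. */
function buildSid(int $authority, array $subAuthorities): string
{
    $auth = '';
    for ($i = 5; $i >= 0; $i--) {
        $auth .= chr(($authority >> (8 * $i)) & 0xFF);
    }
    return chr(1) . chr(count($subAuthorities)) . $auth . pack('V*', ...$subAuthorities);
}

/**
 * Read the user's tokenGroups. The attribute is constructed server-side, so it
 * is only returned by a base-scope read of the user object itself (ldap_read),
 * never by an ldap_search over a subtree. Returns binary SIDs with the
 * 'count' entry stripped. Requires a bound LDAP connection.
 */
function fetchTokenGroups($connection, string $userDN): array
{
    $result = ldap_read($connection, $userDN, '(objectClass=*)', ['tokengroups']);
    if ($result === false) {
        throw new RuntimeException('No such user or read denied: ' . $userDN);
    }
    $entries = ldap_get_entries($connection, $result);
    if ($entries['count'] < 1 || !isset($entries[0]['tokengroups'])) {
        throw new RuntimeException('No tokenGroups for ' . $userDN);
    }
    $groups = $entries[0]['tokengroups'];
    unset($groups['count']);
    return array_values($groups);
}

/**
 * Effective (direct + nested) membership: is the group's SID among the user's
 * token groups? Strict comparison keeps PHP from type-juggling byte strings.
 */
function isEffectiveMember(array $tokenGroups, string $groupSid): bool
{
    return in_array($groupSid, $tokenGroups, true);
}

// --- Offline demonstration with constructed sample SIDs (no directory needed) ---
$domain     = [21, 1004336348, 1177238915, 682003330]; // constructed domain identifier
$groupSid   = buildSid(5, array_merge($domain, [512])); // RID 512 = Domain Admins
$otherGroup = buildSid(5, array_merge($domain, [1105])); // constructed custom group
$builtin    = buildSid(5, [32, 544]);                    // S-1-5-32-544 = BUILTIN\Administrators

// What tokenGroups would return for a user who reaches Domain Admins only through
// a nested group: the nesting is flattened, so RID 512 appears directly.
$userTokenGroups = [$builtin, $groupSid, $otherGroup];

echo 'checking group ', sidToString($groupSid), PHP_EOL;
var_dump(isEffectiveMember($userTokenGroups, $groupSid));
var_dump(isEffectiveMember($userTokenGroups, buildSid(5, array_merge($domain, [513]))));
```

With a real connection the call is `isEffectiveMember(fetchTokenGroups($conn, $userDN), $groupSid)`, where `$groupSid` comes from the group's objectSid exactly as in the answer above. Logging `sidToString()` of both sides makes a denied or granted decision auditable without exposing raw bytes.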
