PHP/AD/LDAP: Nested group memberships
I'm working on a PHP/Active Directory auth class, but would like to know how to resolve nested group memberships. It's a mess to make each user a member of all needed groups, so I'd like to make use of groups in groups. How should I tackle this with LDAP?
Code: http://pastie.org/private/ypuwba1cwnqklre4yhgr7g
adLDAP is an open source solution for LDAP/AD in PHP.
You can check its code if you wish to create an auth class yourself, or just use it in your auth class to handle all interactions with the LDAP/AD.
This is an old question, but it is still very hard to find the proper solution for recursively testing whether a user (distinguished name) is a member of an AD group (indirect membership) using LDAP.
The solution is TokenGroups, and here is some sample code.
function memberOf($userDN, $groupDN)
{
    if (!$this->connection) {
        throw new SSOException('LDAP connection required');
    }

    // Get the group's SID. objectSid is binary, so a base-scope read of the
    // group object is all that is needed.
    $result = @ldap_read($this->connection, $groupDN, "(objectClass=*)", ["objectsid"]);
    if (!$result) {
        throw new SSOException('No such group: '.$groupDN);
    }
    $data = ldap_get_entries($this->connection, $result);
    if (($data['count'] > 0) && ($data[0]['objectsid']['count'] > 0)) {
        $groupSID = $data[0]['objectsid'][0];
    } else {
        throw new SSOException('Found no SID for group ['.$groupDN.']');
    }

    // tokenGroups is a constructed attribute that lists the SIDs of every
    // group the user belongs to, including indirect (nested) memberships and
    // the primary group. It is only returned on a base-scope read of the user.
    $result = @ldap_read($this->connection, $userDN, "(objectClass=*)", ["tokengroups"]);
    if (!$result) {
        throw new SSOException('No such user ['.$userDN.']');
    }
    $data = ldap_get_entries($this->connection, $result);
    if ($data['count'] > 0) {
        $groups = $data[0]['tokengroups'];
        unset($groups['count']);
        // Strict comparison: both sides are raw binary SIDs.
        return in_array($groupSID, $groups, true);
    }
    throw new SSOException('No TokenGroups for user ['.$userDN.']');
}
Note that SSOException is a custom class. Hope this snippet saves someone a few hours of Google, Trial, and Error.
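An added example that is not from the question or either answer: it resolves nested membership the other common way, by walking memberOf transitively with cycle protection (AD permits group cycles, so an unguarded recursion never terminates), and it decodes the binary SID values that objectSid and tokenGroups return so they can be logged or compared as S-1-5-... strings. The directory is abstracted behind a lookup callable; the DNs, the in-memory snapshot and the packed SID are constructed for the demo, and the ldapLookup closure in the comments is the assumed shape for a live connection.

```php
<?php
declare(strict_types=1);

// Walk memberOf transitively from a user DN. A visited set keyed on the
// case-folded DN makes the walk terminate even when groups form a cycle.
function resolveNestedGroups(callable $memberOf, string $userDN, int $maxDepth = 32): array
{
    $seen  = [];
    $queue = [[$userDN, 0]];
    while ($queue) {
        [$dn, $depth] = array_shift($queue);
        if ($depth >= $maxDepth) {
            continue;                       // defensive bound on pathological trees
        }
        foreach ($memberOf($dn) as $groupDN) {
            $key = strtolower($groupDN);    // DNs compare case-insensitively
            if (isset($seen[$key])) {
                continue;                   // already visited: breaks cycles
            }
            $seen[$key] = $groupDN;
            $queue[] = [$groupDN, $depth + 1];
        }
    }
    return array_values($seen);
}

// Convert a binary SID (objectSid / tokenGroups value) into S-R-A-sub1-... form:
// revision (1 byte), sub-authority count (1 byte), identifier authority
// (6 bytes big-endian), then 32-bit little-endian sub-authorities.
function sidToString(string $sid): string
{
    $revision  = ord($sid[0]);
    $count     = ord($sid[1]);
    $authority = 0;
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($sid[$i]);
    }
    $subAuthorities = unpack('V' . $count, substr($sid, 8));
    return 'S-' . $revision . '-' . $authority . '-' . implode('-', $subAuthorities);
}

// Constructed sample directory: alice -> Developers -> Engineering -> Staff,
// with a deliberate cycle Engineering <-> Staff. Keys are lower-cased DNs.
$directory = [
    'cn=alice,ou=users,dc=example,dc=com'        => ['CN=Developers,OU=Groups,DC=example,DC=com'],
    'cn=developers,ou=groups,dc=example,dc=com'  => ['CN=Engineering,OU=Groups,DC=example,DC=com'],
    'cn=engineering,ou=groups,dc=example,dc=com' => ['CN=Staff,OU=Groups,DC=example,DC=com'],
    'cn=staff,ou=groups,dc=example,dc=com'       => ['CN=Engineering,OU=Groups,DC=example,DC=com'],
];
$memoryLookup = fn(string $dn): array => $directory[strtolower($dn)] ?? [];

// Assumed shape of the same lookup against a live connection $conn:
// $ldapLookup = function (string $dn) use ($conn): array {
//     $r = @ldap_read($conn, $dn, '(objectClass=*)', ['memberof']);
//     if (!$r) { return []; }
//     $e = ldap_get_entries($conn, $r);
//     $g = $e['count'] > 0 ? ($e[0]['memberof'] ?? ['count' => 0]) : ['count' => 0];
//     unset($g['count']);
//     return array_values($g);
// };

$groups = resolveNestedGroups($memoryLookup, 'CN=alice,OU=Users,DC=example,DC=com');
print_r($groups);

// Constructed binary SID for S-1-5-21-1-2-3-1001, packed the way AD returns it.
$binarySid = "\x01\x05\x00\x00\x00\x00\x00\x05" . pack('V5', 21, 1, 2, 3, 1001);
echo sidToString($binarySid), "\n";
```

Running the script lists each of the three groups exactly once despite the Engineering/Staff cycle, and prints the decoded SID. Two caveats when choosing between the approaches: memberOf is a back-link that omits the user's primary group (normally Domain Users), whereas tokenGroups includes it; and tokenGroups is only returned by a base-scope read of the user object, which is why the answer above uses ldap_read rather than ldap_search.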