[英]PHP/ldap_bind Active Directory can't authenticate OU, but can authenticate with default user group
Using the following code, I can authenticate any user that is a member of the domain's default Users group. 使用以下代码,我可以验证作为域的默认Users组成员的任何用户。 For example, I created a user, CN=test as listed below.. 例如,我创建了一个用户,CN = test,如下所示。
CN=test,CN=Users,DC=company,DC=lcl CN =测试,CN =用户,DC =公司,DC = LCL
The code that works is.. 有效的代码是..
$ldap_resource = ldap_connect( 'company-dc' );
ldap_set_option($ldap_resource, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap_resource, LDAP_OPT_REFERRALS, 0);
if( $bind = ldap_bind( $ldap_resource, 'domain\\test', '*******' ) ) {
die('connected');
}
else {
die('No connection');
}
When I try to authenticate a user within OU=Office Users,OU=Company,DC=company,DC=lcl it fails with the error Unable to bind to server: Invalid credentials . 当我尝试在OU = Office用户,OU =公司,DC =公司,DC = lcl中对用户进行身份验证时,它失败并显示错误无法绑定到服务器:凭据无效 。 I have verified that the user and password are correct with multiple users. 我已经验证了多个用户的用户和密码是否正确。
I am using the exact same code as above, the only difference is the username and password, the domain is the same. 我使用与上面完全相同的代码,唯一的区别是用户名和密码,域名是相同的。
Can Authenticate in: 可以验证:
company.lcl company.lcl
-- Users - 用户
Cannot Authenticate in : 无法进行身份验证:
company.lcl company.lcl
--Company - 公司
----Office Users ----办公用户
If the OU changes behavior then you probably have a group policy bound to one OU but not to the other. 如果OU更改了行为,那么您可能将组策略绑定到一个OU但不绑定到另一个OU。 I'm not entirely sure, but I could imagine that a GPO enforces a secure channel for authentication and you need to use LDAP over SSL. 我不完全确定,但我可以想象GPO强制执行安全通道进行身份验证,您需要使用LDAP over SSL。 Can you move one user account from the Users OU to the Company/Office Users OU and see if it stops working (or the other way around)? 您是否可以将一个用户帐户从用户OU移动到公司/ Office用户OU,看看它是否停止工作(或相反)?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.