
Search users in more OUs in LDAP with PHP

My task is ultimately to implement a single sign-on solution to log a user in to my system, using the AD credentials stored on his work machine. I'm using the ldap_ functions in PHP.

The problem I have is that I have to check the credentials against more than one OU (around 30, for now), and I haven't found a way to obtain those OUs from the AD system, so I have a big array of OUs as a stop-gap measure. I obtained this list with ADexplorer. Is there a way to do this with PHP?

My first language is not English, so I'm having Adriano translate this for me, and I'm also having problems understanding the documentation.

At this stage, I'm basically copying this code from an example in the ldap_search manpage:

<?php
$ds=ldap_connect($ldapserver);
// AD rejects anonymous searches, so bind first; $binddn/$bindpassword are
// assumed to be defined elsewhere, like $ldapserver
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($ds, $binddn, $bindpassword);

// 42 OUs in our case
$dn[]='OU=ABC,DC=xyz,DC=ac,DC=uk';
$dn[]='OU=DEF,DC=xyz,DC=ac,DC=uk';
// ...

// ldap_search accepts an array of connections and an array of base DNs and
// runs the searches in parallel, returning one result per base DN
$totalDns = count($dn);
for ($i = 0; $i < $totalDns; $i++) {
    $id[] = $ds;
}

// escape the user-supplied name so it cannot rewrite the filter (LDAP injection)
$filter = '(samaccountname='.ldap_escape($_POST['username'], '', LDAP_ESCAPE_FILTER).')';

$result = ldap_search($id,$dn,$filter);

$search = false;

foreach ($result as $value) {
    // a failed search yields false for that base DN; skip it
    if($value !== false && ldap_count_entries($ds,$value)>0){
        $search = $value;
        break;
    }
}

if($search){
    $info = ldap_get_entries($ds, $search);
}else{
    $info = 'No results found';
}

Update

I tried the solution suggested by Vladislav Ross, and, after a few seconds, the server spits this out:

mod_fcgid: stderr: PHP Warning:  ldap_search() [function.ldap-search]: Search: Can't contact LDAP server in ... on line 28

This does not happen if I prepend a specific OU to the same search, i.e. if I do

$sr = ldap_search(
     $ds,
     "OU=Usuarios,dc=test,dc=com",
     "ObjectClass=organizationalUnit",
     array("")
);

instead of

$sr = ldap_search(
      $ds,
      "dc=test,dc=com",
      "ObjectClass=organizationalUnit",
      array("")
);

I do get a correct result. I tried setting the timelimit and sizelimit parameters to 0, but with the same results. I'm now consulting with the server guys to see what their limits are.

Try using ldap_search with the filter ObjectClass=organizationalUnit:

    $ds = ldap_connect($AD_server);
    if(!$ds) die("cannot connect to LDAP server at $AD_server.");

    $r = ldap_bind($ds, $AD_Auth_User, $AD_Auth_PWD);
    if(!$r)
    {
        ldap_get_option($ds,LDAP_OPT_ERROR_STRING,$error);
        die("cannot bind to LDAP server at $AD_server ($error).");
    }

    // subtree search from the domain root for every OU object
    $sr=ldap_search($ds,"dc=test,dc=com","ObjectClass=organizationalUnit",array(""));
    if(!$sr) die("search failed: ".ldap_error($ds));
    $info = ldap_get_entries($ds, $sr);

    print_r($info); //<--array with OU's you need

If you don't need a recursive search, use ldap_list instead of ldap_search.

It sounds like you want to authenticate any user in the domain. Don't search multiple DNs, just search once from the root of the domain. So instead of using 'OU=ABC,DC=xyz,DC=ac,DC=uk', use 'DC=xyz,DC=ac,DC=uk'.

"I haven't found a way to obtain those OUs from the AD system"

Your example above suggests these OUs are direct children of DC=xyz,DC=ac,DC=uk? If so, the most efficient LDAP search to find them is:

  • Search base: DC=xyz,DC=ac,DC=uk
  • Search scope: onelevel <-- direct children of the search base
  • Search filter: (objectclass=organizationalUnit)

Test using the corresponding ldapsearch command line, like this:

ldapsearch -h <hostname> -s onelevel -b "DC=xyz,DC=ac,DC=uk" "(objectclass=organizationalUnit)"
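Putting both answers together in PHP, as an added example that is not code from the question or from either answer: it lists the direct child OUs of the domain root with onelevel scope (the ldap_list / `-s onelevel` approach), and it authenticates a user with a single subtree search from the root followed by a bind as the found DN, so no per-OU list is needed. The server URI, base DN and service-account credentials are assumptions; the example targets a single domain, so referral chasing is switched off (when the client chases AD's referrals for other naming contexts to hosts it cannot reach, the search fails with "Can't contact LDAP server", which is worth ruling out for the error in the update above).

```php
<?php
// Added example, not code from the question or from either answer. The server
// URI, base DN and service-account credentials below are assumptions.
$ldapUri   = 'ldaps://dc01.xyz.ac.uk';   // assumed host; LDAPS so passwords are not sent in clear
$baseDn    = 'DC=xyz,DC=ac,DC=uk';
$serviceDn = 'CN=svc-ldap,OU=Service Accounts,DC=xyz,DC=ac,DC=uk'; // assumed read-only lookup account
$servicePw = getenv('LDAP_SERVICE_PASSWORD') ?: '';

function ad_connect(string $uri)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("cannot connect to $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires LDAPv3
    // A search from the domain root makes AD return referrals to other naming
    // contexts; if the client chases them to unreachable hosts the search fails
    // with "Can't contact LDAP server". Disable referral chasing.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    return $ds;
}

// Direct child OUs of $baseDn: onelevel scope, i.e. ldap_list, the PHP
// equivalent of `ldapsearch -s onelevel`. Use ldap_search for nested OUs too.
function ad_list_ous($ds, string $baseDn): array
{
    $sr = ldap_list($ds, $baseDn, '(objectClass=organizationalUnit)', ['ou']);
    if ($sr === false) {
        throw new RuntimeException('OU search failed: ' . ldap_error($ds));
    }
    $ous = [];
    $entries = ldap_get_entries($ds, $sr);
    for ($i = 0; $i < $entries['count']; $i++) {
        $ous[] = $entries[$i]['dn'];   // e.g. 'OU=ABC,DC=xyz,DC=ac,DC=uk'
    }
    return $ous;
}

// Authenticate a user located anywhere under $baseDn: one subtree search for
// the account, then a bind as that account's DN with the supplied password.
// Returns the user's DN on success, null on failure.
function ad_authenticate(string $uri, string $baseDn, string $serviceDn, string $servicePw,
                         string $username, string $password): ?string
{
    // LDAP servers treat a bind with an empty password as an anonymous bind
    // that *succeeds*, so an empty password must never count as a login.
    if ($password === '') {
        return null;
    }

    $ds = ad_connect($uri);
    if (!ldap_bind($ds, $serviceDn, $servicePw)) {
        throw new RuntimeException('service bind failed: ' . ldap_error($ds));
    }

    // Escape the user-supplied name so input such as "x)(objectClass=*" cannot
    // rewrite the filter (LDAP injection).
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr = ldap_search($ds, $baseDn, $filter, ['dn']);
    if ($sr === false) {
        throw new RuntimeException('user search failed: ' . ldap_error($ds));
    }
    // sAMAccountName is unique within a domain; anything other than exactly
    // one hit (not found, or an unexpected duplicate) is a failed login.
    if (ldap_count_entries($ds, $sr) !== 1) {
        ldap_unbind($ds);
        return null;
    }
    $userDn = ldap_get_dn($ds, ldap_first_entry($ds, $sr));
    ldap_unbind($ds);

    // Verify the password by binding as the user on a fresh connection, so the
    // service-account session is never silently replaced by the user's bind.
    $check = ad_connect($uri);
    $ok = @ldap_bind($check, $userDn, $password);   // @: a wrong password only raises a warning
    ldap_unbind($check);

    return $ok ? $userDn : null;
}

// Usage. The OU list is informational only; the login does not depend on it.
$ds = ad_connect($ldapUri);
ldap_bind($ds, $serviceDn, $servicePw) or die('service bind failed: ' . ldap_error($ds));
print_r(ad_list_ous($ds, $baseDn));
ldap_unbind($ds);

$dn = ad_authenticate($ldapUri, $baseDn, $serviceDn, $servicePw,
                      $_POST['username'] ?? '', $_POST['password'] ?? '');
echo $dn !== null ? "authenticated as $dn\n" : "login failed\n";
```

Two of the checks are the ones most often missed in search-then-bind logins: the empty-password guard (an anonymous bind returns success, not an error) and escaping the username before it is spliced into the filter. If the forest has more than one domain, users in child domains live in other naming contexts and a root search with referrals disabled will not find them; search each domain, or query the global catalog on port 3268 instead.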
