stackoom
  简体   繁体   中英

How to know the objectGUID of a user that successfully authenticated with LDAP bind

 原文  2016-08-25 16:50:28       php/ authentication/ active-directory/ ldap

Question

I have:

  • a PHP application on a linux server
  • a (windows server 2012) domain controller

I want to make it possible for AD users to log in the PHP application. The PHP application will associate data to the user, so i need to create the user in my database.

When a new user is created in the PHP application, the administrator chooses from a list of the userPrincipalName of the AD users. When a userPrincipalName is chosen, the PHP gets the objectGUID of this user and stores it in the database. Indeed, as the UPN could change, i can not rely on that to uniquely identify the user. Also, i want that if the UPN changes, the user can sill log in seamlessly to the PHP application, with his new UPN.

When a user wants to log in my application, the PHP receives a username and a password, and pass them to ldap_bind to check if the credentials are valid. The problem at that point is that ldap bind gives no clue of what user he actually identified (ldap_bind has a complicated logic of validating a login/password ( https://msdn.microsoft.com/en-us/library/cc223499.aspx )).

The most atomic (and hence, reliable) way of doing it would be if ldap bind was returning the objectGUID... But it doesn't, and i won't code the logic of ldap bind in PHP to find which user he has actually identified (it would be buggy anyway because of race condition if the directory change between the ldap bind and my "manual" search)

So what should i do to authenticate AND identify the LDAP user from PHP, if possible, in a single request to the domain controller (to get atomicity) ?

1 answers

solution1
 0 ACCPTED  2016-08-25 20:06:43

At some point in the process you need to have logic that searches for the UPN being used for the username in the login, obtain its objectGuid, and search for that objectGuid in the database. There is no other way to get that information.

If you're worried about a potential race condition (which seems like quite the edge case, given the timing between the bind and the search would be extremely tight), you could use a separate AD service account that searches for the account by UPN prior to the bind. Then in the ldap_bind for checking the user's credentials you could even use the objectGuid from the account you searched for to do the login, as that's a valid "username" for an AD bind (the GUID with curly braces around it that is).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question can bind successfully to the ldap server, but needs to know how to find user w/i AD LDAP Authenticated Bind Issue - PHP, Apache, Windows How do I retrieve the user information of a user authenticated with Apache's mod_ldap? ldap get objectguid (php ldap) with ldap_search Read from LDAP based on ObjectGUID with PHP Callback from PayPal. How to know the user paid successfully immediately? How to bind to a specific ou in ldap Is it possible to bind LDAP with current logged on user with PHP? How to PHP ldap_search() to get user OU if I don't know the OU for base DN PHP LDAP Authenticated as
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM