[英]PHP LDAP get user SID
我不知道如何在AD中獲取用戶唯一標識符(SID)。 代碼片段:
...
$filter="(&(samaccountname=".$this->username.")(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP_NAME,OU=Security,DC=something,DC=something))";
$attribute = array("cn","objectsid","description", "group", "member", "samaccountname");
$sr=ldap_search($this->conn_ldap, $this->ldap_dn, $filter, $attribute);
if ($sr)
{
$this->info = ldap_get_entries($this->conn_ldap, $sr);
if ($this->info["count"] == 1){
ldap_close($this->conn_ldap);
return true;
}
...
我可以提取信息:
echo $this->info[0]["cn"][0];
要么
echo $this->info[0]["objectsid"][0];
在第一個輸出中我可以看到用戶的名字在類似0 @ d^ WL7 U
我相信sid應該像S-......
?
我在另一個網站上找到了解決方案(見下文)。 基本上這個功能是轉換器,使SID可見:
public static function SIDtoString($ADsid)
{
$sid = "S-";
//$ADguid = $info[0]['objectguid'][0];
$sidinhex = str_split(bin2hex($ADsid), 2);
// Byte 0 = Revision Level
$sid = $sid.hexdec($sidinhex[0])."-";
// Byte 1-7 = 48 Bit Authority
$sid = $sid.hexdec($sidinhex[6].$sidinhex[5].$sidinhex[4].$sidinhex[3].$sidinhex[2].$sidinhex[1]);
// Byte 8 count of sub authorities - Get number of sub-authorities
$subauths = hexdec($sidinhex[7]);
//Loop through Sub Authorities
for($i = 0; $i < $subauths; $i++) {
$start = 8 + (4 * $i);
// X amount of 32Bit (4 Byte) Sub Authorities
$sid = $sid."-".hexdec($sidinhex[$start+3].$sidinhex[$start+2].$sidinhex[$start+1].$sidinhex[$start]);
}
return $sid;
}
https://www.null-byte.org/development/php-active-directory-ldap-authentication/
作為替代示例,這可以使用PHP的解包功能完全完成。 objectSid二進制結構最好記錄在此MSDN文檔中 :
版本(1字節) :一個8位無符號整數,指定SID的修訂級別。 該值必須設置為0x01。
SubAuthorityCount(1字節) :一個8位無符號整數,指定SubAuthority數組中的元素數。 允許的最大元素數為15。
IdentifierAuthority(6字節) :SID_IDENTIFIER_AUTHORITY結構,指示創建SID的權限。 它描述了創建SID的實體。 標識符權限值{0,0,0,0,0,5}表示由NT SID權限創建的SID。
SubAuthority(變量) :無符號32位整數的可變長度數組,唯一標識相對於IdentifierAuthority的主體。 其長度由SubAuthorityCount決定。
/**
* Decode the binary SID into its readable form.
*
* @param string $value
* @return string
*/
function decodeSID($value)
{
# revision - 8bit unsigned int (C1)
# count - 8bit unsigned int (C1)
# 2 null bytes
# ID - 32bit unsigned long, big-endian order
$sid = @unpack('C1rev/C1count/x2/N1id', $value);
$subAuthorities = [];
if (!isset($sid['id']) || !isset($sid['rev'])) {
throw new \UnexpectedValueException(
'The revision level or identifier authority was not found when decoding the SID.'
);
}
$revisionLevel = $sid['rev'];
$identifierAuthority = $sid['id'];
$subs = isset($sid['count']) ? $sid['count'] : 0;
// The sub-authorities depend on the count, so only get as many as the count, regardless of data beyond it
for ($i = 0; $i < $subs; $i++) {
# Each sub-auth is a 32bit unsigned long, little-endian order
$subAuthorities[] = unpack('V1sub', hex2bin(substr(bin2hex($value), 16 + ($i * 8), 8)))['sub'];
}
# Tack on the 'S-' and glue it all together...
return 'S-'.$revisionLevel.'-'.$identifierAuthority.implode(
preg_filter('/^/', '-', $subAuthorities)
);
}
這適用於64位系統,我認為更簡潔。
function bin_to_str_sid($binsid) {
$parts = unpack('Crev/x/nidhigh/Nidlow', $binsid);
$ssid = sprintf('S-%u-%d', $parts['rev'], ($parts['idhigh']<<32) + $parts['idlow']);
$parts = unpack('x8/V*', $binsid);
if ($parts) $ssid .= '-';
$ssid .= join('-', $parts);
return $ssid;
}
是舊帖子,但我做了一些我覺得有用的組合,這個函數是二進制到SID翻譯的終極功能:
// Binary to SID
function bin_to_str_sid($binary_sid) {
$sid = NULL;
/* 64bt PHP */
if(strlen(decbin(~0)) == 64)
{
// Get revision, indentifier, authority
$parts = unpack('Crev/x/nidhigh/Nidlow', $binary_sid);
// Set revision, indentifier, authority
$sid = sprintf('S-%u-%d', $parts['rev'], ($parts['idhigh']<<32) + $parts['idlow']);
// Translate domain
$parts = unpack('x8/V*', $binary_sid);
// Append if parts exists
if ($parts) $sid .= '-';
// Join all
$sid.= join('-', $parts);
}
/* 32bit PHP */
else
{
$sid = 'S-';
$sidinhex = str_split(bin2hex($binary_sid), 2);
// Byte 0 = Revision Level
$sid = $sid.hexdec($sidinhex[0]).'-';
// Byte 1-7 = 48 Bit Authority
$sid = $sid.hexdec($sidinhex[6].$sidinhex[5].$sidinhex[4].$sidinhex[3].$sidinhex[2].$sidinhex[1]);
// Byte 8 count of sub authorities - Get number of sub-authorities
$subauths = hexdec($sidinhex[7]);
//Loop through Sub Authorities
for($i = 0; $i < $subauths; $i++) {
$start = 8 + (4 * $i);
// X amount of 32Bit (4 Byte) Sub Authorities
$sid = $sid.'-'.hexdec($sidinhex[$start+3].$sidinhex[$start+2].$sidinhex[$start+1].$sidinhex[$start]);
}
}
return $sid;
}
現在你可以在任何PHP版本中使用chillout並使用此函數。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.