
Getting user credentials from Active Directory using LDAP

I have an application written with the Laravel framework that gets details about the user directly from Active Directory.

The steps are as follows:

  1. Hit the intranet domain
  2. The application determines the user's IP address with: $user_ip = $request->ip();
  3. The user is redirected to a domain on a locally hosted server that contains the following script:

```php
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <title>Newable Intranet</title>
</head>
<body>
<div id="container">
<?php
// AUTH_USER is set by the web server's Windows authentication as DOMAIN\user;
// substr(..., 6) strips a six-character "DOMAIN\" prefix.
$login    = $_SERVER['AUTH_USER'];
$username = substr($_SERVER['AUTH_USER'], 6);

// LDAP bind parameters, need to be a normal AD user account.
$ldap_password = 'xxxxxx';
$ldap_username = 'xxxxxx';

$ldap_connection = ldap_connect("xxxxxx");
if (FALSE === $ldap_connection) {
    // Uh-oh, something is wrong... stop here instead of calling ldap_* on FALSE.
    die('Unable to connect to the ldap server');
}

// We have to set this option for the version of Active Directory we are using.
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3)
    or die('Unable to set LDAP protocol version');
// We need this for doing an LDAP search.
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0);

// First value of an attribute, or "" when it is missing or the literal string "NULL".
function ldap_attr(array $entry, string $name): string
{
    if (empty($entry[$name][0]) || $entry[$name][0] == "NULL") {
        return "";
    }
    return $entry[$name][0];
}

// Windows username; when there is no samaccountname, assume this is an AD contact
// record and generate a unique username from uSNCreated.
function ldap_username(array $entry): string
{
    if (!empty($entry['samaccountname'][0])) {
        return ldap_attr($entry, 'samaccountname');
    }
    return "CONTACT_" . $entry['usncreated'][0];
}

if (TRUE === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) {
    // Your domain's DN to query
    $ldap_base_dn = 'OU=users,OU=company,DC=gleps,DC=local';
    // Get standard users and contacts
    $search_filter = '(|(objectCategory=user)(objectCategory=person))';
    $result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter);

    if (FALSE !== $result) {
        $entries = ldap_get_entries($ldap_connection, $result);
        // Uncomment the below if you want to dump all entries to debug something
        // var_dump($entries);

        // For each account returned by the search
        for ($x = 0; $x < $entries['count']; $x++) {
            $entry = $entries[$x];
            $LDAP_samaccountname  = ldap_username($entry);
            $LDAP_ContainerName   = ldap_attr($entry, 'cn');
            $LDAP_Department      = ldap_attr($entry, 'department');
            $LDAP_Office          = ldap_attr($entry, 'physicaldeliveryofficename'); // Location
            $LDAP_Display         = ldap_attr($entry, 'displayname');
            $LDAP_JobTitle        = ldap_attr($entry, 'title');
            // Manager fields are read from the same entry, as in the original script
            $LDAP_MngUN           = ldap_username($entry);
            $LDAP_MngCN           = ldap_attr($entry, 'cn');
            $LDAP_InternetAddress = ldap_attr($entry, 'mail');
            $LDAP_DDI             = ldap_attr($entry, 'telephonenumber');
            $LDAP_CellPhone       = ldap_attr($entry, 'mobile');

            if ($LDAP_samaccountname == $username) {
                // Fields posted to the main application. json_encode() escapes the
                // values for the JavaScript context (they were previously echoed raw).
                $fields = [
                    'UN'  => $LDAP_samaccountname,
                    'CN'  => $LDAP_ContainerName,
                    'DN'  => $LDAP_Display,
                    'JT'  => $LDAP_JobTitle,
                    'DP'  => $LDAP_Department,
                    'OF'  => $LDAP_Office,
                    'EM'  => $LDAP_InternetAddress,
                    'DD'  => $LDAP_DDI,
                    'MO'  => $LDAP_CellPhone,
                    'MUN' => $LDAP_MngUN,
                    'MCN' => $LDAP_MngCN,
                    'Tholia'       => 'TRUE',
                    'confirmation' => '1',
                ];
?>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script type="text/javascript">
    var fields = <?php echo json_encode($fields, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;
    var form = $(document.createElement('form'));
    form.attr("action", "https://mynewable.co.uk/");
    form.attr("method", "POST");
    form.css("display", "none");
    // One text input per field, with the same field names as before
    $.each(fields, function (name, value) {
        form.append($("<input>").attr("type", "text").attr("name", name).val(value));
    });
    form.append($("<input>").attr("type", "submit").val("submit"));
    form.appendTo(document.body);
    form.submit();
</script>
<?php
            }
        }
    }
}
?>
</div>
</body>
</html>
```

This approach was taken because I cannot connect to AD directly from the web server, but posting the user details seems to leave me open to security vulnerabilities.

Surely there must be a better way?
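A hardened form of the handoff, as an added example that is not part of the question or of the asker's application: the authenticated user is looked up with an escaped, single-account filter, and the attributes reach the main application as an HMAC-signed, short-lived token that the receiving app verifies, instead of a plain auto-submitted form that anyone could forge. The host, bind account, base DN and $sharedSecret are assumed placeholders.

```php
<?php
// Added example, not the original post's code; host/bind/secret values are placeholders.
// Look the Windows-authenticated user up with an escaped single-account filter, then hand
// the result to the main app as an HMAC-signed, short-lived token the app can verify.
function lookupAdUser(string $host, string $bindDn, string $bindPw, string $baseDn, string $sam): ?array
{
    $conn = ldap_connect("ldaps://$host"); // LDAPS: the bind password is not sent in clear
    if ($conn === false) { return null; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($conn, $bindDn, $bindPw)) { return null; }

    // ldap_escape() blocks filter injection through a crafted AUTH_USER value, and the
    // AND filter returns just the one matching account instead of the whole OU.
    $filter = '(&(objectCategory=person)(sAMAccountName='
            . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $wanted = ['samaccountname', 'displayname', 'department', 'title', 'mail'];
    $res = ldap_search($conn, $baseDn, $filter, $wanted, 0, 1);
    $entries = $res ? ldap_get_entries($conn, $res) : ['count' => 0];
    if ($entries['count'] !== 1) { return null; }

    $user = [];
    foreach ($wanted as $attr) {
        $user[$attr] = $entries[0][$attr][0] ?? '';
    }
    return $user;
}

// Token = base64url(JSON payload) . "." . HMAC-SHA256 over that payload, keyed with a
// secret shared only by this server and the main app; 'exp' bounds replay to $ttl seconds.
function signHandoff(array $user, string $secret, int $ttl = 60): string
{
    $payload = json_encode(['user' => $user, 'exp' => time() + $ttl]);
    $b64 = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    return $b64 . '.' . hash_hmac('sha256', $b64, $secret);
}

// Run by the main app on receipt: constant-time MAC check, then expiry check.
function verifyHandoff(string $token, string $secret): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) { return null; }
    if (!hash_equals(hash_hmac('sha256', $parts[0], $secret), $parts[1])) { return null; }
    $data = json_decode(base64_decode(strtr($parts[0], '-_', '+/')), true);
    return (is_array($data) && ($data['exp'] ?? 0) > time()) ? $data['user'] : null;
}

// On the auth server: $sam = substr($_SERVER['AUTH_USER'], 6) as in the question, then
// redirect to the app with signHandoff(lookupAdUser(...), $sharedSecret) as a parameter.
```

The receiving app trusts only what verifyHandoff() returns, so a client that posts its own field values gains nothing; rotate $sharedSecret like any other credential.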

You should use a specification that fits the use case you describe, such as OpenID Connect.
