
How to retrieve user info from an Active Directory Security Group using LDAP and PHP

As you can see below, when I do an LDAP search on the security group I don't get any user information. I want to use $_SERVER[remote_user] to check whether the user is a member of that group. I also want to retrieve that user's information and update an SQL database with it. Is this possible?

$dn = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";   // search base: the group object itself
$filter = "(member=*)";                                             // any entry that has a member attribute

$ad = ldap_connect("IP") or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
$bd = ldap_bind( $ad, "username@mydomain.local", "password") or die("Can't bind to server.");
$sr = ldap_search($ad,$dn,$filter);   // with the group DN as base, only the group entry is in scope
$entries = ldap_get_entries($ad, $sr);

print_r($entries);

This returns:

Array
(
    [count] => 1
    [0] => Array
        (
            [objectclass] => Array
                (
                    [count] => 2
                    [0] => top
                    [1] => group
                )

            [0] => objectclass
            [cn] => Array
                (
                    [count] => 1
                    [0] => Intra
                )

            [1] => cn
            [description] => Array
                (
                    [count] => 1
                    [0] => Group for (LDAP) INTRANET server access
                )

            [2] => description
            [member] => Array
                (
                    [count] => 4
                    [0] => CN=Fname1 Lname1,OU=Mail enabled users,OU=Aberdeen,DC=mydomain,DC=local
                    [1] => CN=Fname2 Lname2,OU=Mail enabled users,OU=Forres,DC=mydomain,DC=local
                    [2] => CN=Fname3 Lname3,OU=Houston,DC=mydomain,DC=local
                    [3] => CN=Fname4 Lname4,OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local
                )

            [3] => member
            [distinguishedname] => Array
                (
                    [count] => 1
                    [0] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
                )

            [4] => distinguishedname
            [instancetype] => Array
                (
                    [count] => 1
                    [0] => 4
                )

            [5] => instancetype
            [whencreated] => Array
                (
                    [count] => 1
                    [0] => 20100711172407.0Z
                )

            [6] => whencreated
            [whenchanged] => Array
                (
                    [count] => 1
                    [0] => 20100712063949.0Z
                )

            [7] => whenchanged
            [usncreated] => Array
                (
                    [count] => 1
                    [0] => 17491499
                )

            [8] => usncreated
            [usnchanged] => Array
                (
                    [count] => 1
                    [0] => 17498823
                )

            [9] => usnchanged
            [name] => Array
                (
                    [count] => 1
                    [0] => Intra
                )

            [10] => name
            [objectguid] => Array
                (
                    [count] => 1
                    [0] =>
                )

            [11] => objectguid
            [objectsid] => Array
                (
                    [count] => 1
                    [0] =>
                )

            [12] => objectsid
            [samaccountname] => Array
                (
                    [count] => 1
                    [0] => Intra
                )

            [13] => samaccountname
            [samaccounttype] => Array
                (
                    [count] => 1
                    [0] => 268435456
                )

            [14] => samaccounttype
            [grouptype] => Array
                (
                    [count] => 1
                    [0] => -2147483646
                )

            [15] => grouptype
            [objectcategory] => Array
                (
                    [count] => 1
                    [0] => CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=local
                )

            [16] => objectcategory
            [count] => 17
            [dn] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
        )

)

When I use a plain DN everything works:

$dn = "OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local";

But the AD experts tell me this is a big NO-NO and that I should use a security group:

Query AD like this:

$dn       = "DC=mydomain,DC=local";                                  // search base: the whole domain
$group_DN = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter   = "(&(objectCategory=user)(memberOf=$group_DN))";          // user objects that are members of the group
// ...
$sr       = ldap_search($ad, $dn, $filter);

See the MSDN article on LDAP search filter syntax for information on more complex filters.

Be sure to note the special characters section on that page. A correct solution must pass $group_DN through an escaping mechanism before using it in the filter string!

Always try to build filters as specific as possible. It is more efficient to let the LDAP server sort out the records you don't want than to transfer more records over the network than you need and throw half of them away on the client.

托默勒格
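The pattern the answer describes, carried through in PHP as an added example (not code from the question, the answer or any project): a domain-root memberOf search, the group DN and the account name from REMOTE_USER escaped before they enter the filter, and only the needed attributes requested. The host name, the service account, the AD_BIND_PW environment variable and the REMOTE_USER formats are assumptions.

```php
<?php
// Added example, not code from the question or the answer. Host, bind account,
// base DN and group DN are placeholders; ldap_escape() needs PHP 5.6 or later.
function ad_connect(string $host, string $bindDn, string $password) {
    $ad = ldap_connect("ldaps://$host");          // LDAPS: the bind password never crosses the wire in clear
    if ($ad === false) {
        throw new RuntimeException("ldap_connect() failed for $host");
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);  // AD answers a domain-root search with referrals; do not chase them
    if (!@ldap_bind($ad, $bindDn, $password)) {
        throw new RuntimeException("ldap_bind() failed: " . ldap_error($ad));
    }
    return $ad;
}

// Everything spliced into the filter goes through ldap_escape(): to the filter parser the group
// DN and the account name are plain strings, and an unescaped "*", "(", ")" or "\" would change the query.
function membersOfGroupFilter(string $groupDn, ?string $sam = null): string {
    $f = "(&(objectCategory=person)(objectClass=user)"
       . "(memberOf=" . ldap_escape($groupDn, "", LDAP_ESCAPE_FILTER) . ")";
    if ($sam !== null) {
        $f .= "(sAMAccountName=" . ldap_escape($sam, "", LDAP_ESCAPE_FILTER) . ")";
    }
    return $f . ")";
}

// Search from the domain root so members living in different OUs are all found,
// and ask only for the attributes the caller needs.
function membersOfGroup($ad, string $baseDn, string $groupDn, ?string $sam = null): array {
    $sr = ldap_search($ad, $baseDn, membersOfGroupFilter($groupDn, $sam),
                      ["sAMAccountName", "displayName", "mail"]);
    if ($sr === false) {
        throw new RuntimeException("ldap_search() failed: " . ldap_error($ad));
    }
    $users   = [];
    $entries = ldap_get_entries($ad, $sr);        // attribute names come back lower-cased
    for ($i = 0; $i < $entries["count"]; $i++) {
        $e = $entries[$i];
        $users[] = ["sam"  => $e["samaccountname"][0],
                    "name" => $e["displayname"][0] ?? "",
                    "mail" => $e["mail"][0] ?? ""];
    }
    return $users;
}

// REMOTE_USER is assumed to arrive as "MYDOMAIN\jdoe" or "jdoe@mydomain.local"; strip the realm part.
$ad       = ad_connect("dc01.mydomain.local", "svc_intranet@mydomain.local", (string) getenv("AD_BIND_PW"));
$groupDn  = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$sam      = preg_replace('/^.*\\\\|@.*$/', "", $_SERVER["REMOTE_USER"] ?? "");
$isMember = $sam !== "" && membersOfGroup($ad, "DC=mydomain,DC=local", $groupDn, $sam) !== [];
```

memberOf only matches direct members; for membership through nested groups AD accepts the matching-rule-in-chain form memberOf:1.2.840.113556.1.4.1941:=&lt;group DN&gt; in the same filter position.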

I think the problem is that not all users in the security group come from the same OU.

If I change

$dn       = "DC=mydomain,DC=local";

to

$dn       = "OU=Bergen,DC=mydomain,DC=local";

the filter works. But I have 2 more OUs with users.
