Authenticating against AD via LDAP across a TRUST from PHP
I've got PHP code that works as expected to authenticate a user against an Active Directory domain using LDAP. The same domain now has a one-way trust enabled - users in the trusted domain don't appear to be visible.
Example group named "mygroup" with the members:
local_dir_1
local_dir_2
foreign_dir_1
Queried with the filter:
(memberof=CN=mygroup,ou=....,dc=...)
Returns the following members:
local_dir_1
local_dir_2
Within the domain controller however all 3 users are visible as members of the group.
I assumed authentication for users against the trusted domain was failing as I had the wrong base DN or similar, so I wanted to enumerate the group members to better understand how the foreign users would appear.
Has anyone experienced success executing LDAP searches and obtaining data from objects that exist within a trusted domain?
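The following is an added example, not the poster's code: instead of searching user objects with a memberOf filter (which can only match user objects that live in the queried domain), it reads the group's own member attribute. Members from a trusted domain are represented in the local domain by foreignSecurityPrincipal objects whose DN carries the user's SID, so they do show up there, but only as a SID, not as a sAMAccountName. The server URI, bind DN, password and base DN are placeholders that must be replaced; ldaps:// is used so the bind credentials are not sent in the clear, and ldap_escape() guards the filter against injection if the group name ever comes from user input.

```php
<?php
// Added example, not the original poster's code.
// All of the following values are placeholders (assumptions), replace them for your environment.
const LDAP_URI   = 'ldaps://dc01.example.local';                         // placeholder
const BIND_DN    = 'CN=svc-ldap,OU=Service Accounts,DC=example,DC=local'; // placeholder
const BIND_PW    = 'change-me';                                           // placeholder
const BASE_DN    = 'DC=example,DC=local';                                 // placeholder
const GROUP_NAME = 'mygroup';                                             // group name from the question

/**
 * Return the group's members split into local user DNs and
 * foreignSecurityPrincipal DNs (trusted-domain members), e.g.
 *   CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,DC=example,DC=local
 * The result shape is ['local' => [DN, ...], 'foreign' => [DN, ...]].
 */
function listGroupMembers($ldap, string $baseDn, string $groupName): array
{
    // Escape the value so a crafted group name cannot alter the filter.
    $filter = sprintf('(&(objectClass=group)(sAMAccountName=%s))',
                      ldap_escape($groupName, '', LDAP_ESCAPE_FILTER));

    $res = ldap_search($ldap, $baseDn, $filter, ['member']);
    if ($res === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ldap));
    }

    $entries = ldap_get_entries($ldap, $res);   // attribute names come back lower-cased
    if ($entries['count'] !== 1) {
        throw new RuntimeException("expected exactly one group named $groupName");
    }

    $members = $entries[0]['member'] ?? ['count' => 0];
    $out = ['local' => [], 'foreign' => []];
    for ($i = 0; $i < $members['count']; $i++) {
        $dn = $members[$i];
        // Trusted-domain members are stored locally as foreign security principals.
        $bucket = stripos($dn, 'CN=ForeignSecurityPrincipals,') !== false ? 'foreign' : 'local';
        $out[$bucket][] = $dn;
    }
    return $out;
}

$ldap = ldap_connect(LDAP_URI);
if ($ldap === false) {
    exit("could not parse LDAP URI\n");
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
// AD returns referrals for other partitions/domains; do not follow them silently.
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

if (!@ldap_bind($ldap, BIND_DN, BIND_PW)) {
    exit('bind failed: ' . ldap_error($ldap) . "\n");
}

$members = listGroupMembers($ldap, BASE_DN, GROUP_NAME);
printf("%d local member(s), %d trusted-domain member(s)\n",
       count($members['local']), count($members['foreign']));
foreach ($members['foreign'] as $dn) {
    // Only the SID is stored here; resolving it to an account name requires the trusted domain itself.
    echo "  foreign principal: $dn\n";
}
ldap_unbind($ldap);
```

The foreign entries give you the SID of each trusted-domain member, which is enough to recognise that the group has members from the other domain; mapping that SID back to a user account has to be done against the trusted domain's own directory, which is consistent with the answer's observation that the foreign sAMAccountNames are not reachable from a plain LDAP search of the local domain.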
Comments (1)
If communicating via LDAPS the directory may provide more information (not verified however), but under straight LDAP none of the foreign directory sAMAccountNames are accessible.
All information is visible via Kerberos authenticated messaging - i.e. if you join a unix server to the domain via Samba then the Samba tools have full visibility.