php_ldap 克服 ssl 困难
我正在尝试从 Ubuntu (hardy 8.04LTS) 主机使用 php_ldap (使用 ADLdap)绑定到 AD。 绑定到端口 389 可以很好地绑定到 ldap://myserver,但不允许我执行诸如设置密码之类的操作,因此我需要绑定到端口 636 到 ldaps://myserver。
我知道会发生某种形式的凭证传递,也许是通过证书,但我真的很难让任何东西正常工作 - LDAP 上的绑定失败。
测试平台 AD 有一个容器 Users,位于 mydom.local 域中 我在 Users 容器中用于 bindis 的帐户,
'CN=LDAP BIND,OU=Users,DC=mydom,DC=local' and a password of 'mypass'
其 sAMAccount 名称的 DN 是 ldap
我怀疑我要么需要在 ubuntu 机器上安装一些额外的软件包,要么对 Windows 服务器上的 AD 进行一些魔法,或者做一些证书抢夺的东西,但我被困住了。
只是添加一些细节,如果我尝试从命令行使用 ldapsearch 连接来搜索某个名为 install 的用户,我会得到
ldapsearch -vv -H 'ldaps://server.mydom.local' -Y DIGEST-MD5 -X 'dn:CN=LDAP BIND,OU=Users,DC=mydom,DC=local' sAMAccountname=install -U 'u:LDAP BIND'
ldap_initialize( ldaps://server.mydom.local:636/??base )
SASL/DIGEST-MD5 authentication started
Please enter your password: mypass
ldap_sasl_interactive_bind_s: Invalid credentials (49)
正如我所说,我可以成功绑定到 389。
我已经安装在ubuntu 盒子 ldap-utils、libldap、php5-ldap 和 /etc/ldap/ldap.conf 是:
TLS_REQCERT never
BINDDN 'CN=LDAP BIND,OU=Users,DC=mydom,DC=local'
URI ldaps://server.mydom.local
有什么建议吗?
I am trying to bind to AD with php_ldap (using ADLdap), from a Ubuntu (hardy 8.04LTS) host.
Binding on port 389 is fine to ldap://myserver, but does not allow me to do things like set password, so I need to bind on port 636 to ldaps://myserver.
I am aware that some form of credential passing occurs, perhaps with certificates, but I am really struggling to get anything working - the bind fails on ldaps.
The test rig AD has a container Users, in domain mydom.local
The account I am using to bindis in the Users container, and has a DN of
'CN=LDAP BIND,OU=Users,DC=mydom,DC=local' and a password of 'mypass'
its sAMAccount name is ldap
I suspect I either need to install some extra packages on the ubuntu box, or do some magic to AD on the windows server, or do some certificate grabbing stuff, but I am stuck.
Just to add some detail, if I try to connect from the command line with ldapsearch to search for some user called install, I get
ldapsearch -vv -H 'ldaps://server.mydom.local' -Y DIGEST-MD5 -X 'dn:CN=LDAP BIND,OU=Users,DC=mydom,DC=local' sAMAccountname=install -U 'u:LDAP BIND'
ldap_initialize( ldaps://server.mydom.local:636/??base )
SASL/DIGEST-MD5 authentication started
Please enter your password: mypass
ldap_sasl_interactive_bind_s: Invalid credentials (49)
As I say, I can successfully bind on 389.
I have installed on the ubuntu box ldap-utils, libldap, php5-ldap, and /etc/ldap/ldap.conf is:
TLS_REQCERT never
BINDDN 'CN=LDAP BIND,OU=Users,DC=mydom,DC=local'
URI ldaps://server.mydom.local
Any advice?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
啊哈!找到它 - 为了通过 ssl 绑定到 AD,你需要安装 libsasl2-modules-gssapi-mit - 所以在 ubuntu 使用上
我在这里找到了答案: https://help.ubuntu.com/community/ActiveDirectoryHowto
这使我所有的绑定问题都消失了。
显然,如果您这样做是为了允许 ADLdap 更改密码,则您绑定的用户将需要在 AD 服务器上有足够的权限。
Aha ! Found it - in order to bind to AD over ssl, you need to install libsasl2-modules-gssapi-mit - so on ubuntu use
I found the answer here: https://help.ubuntu.com/community/ActiveDirectoryHowto
This made all my bind issues go away.
Obviously, if you are doing this to allow ADLdap to change passwords, the user you bind with will need sufficient permissions on the AD server.