How to get an Active Directory password via LDAP in PHP?
I have a problem with passwords in Active Directory.
I want to get the password from the "username" of a user.
I tried the function "ldap_search", but I cannot find the correct attribute for the password.
I tried: password, userpassword, userPassword, unicodePwd, unicodepwd, but they are not correct.
I look forward to everyone's help.
Thanks all :D
trankinhly
Passwords in Active Directory are not retrievable. Nor are they in most directories. (eDirectory has a password policy that, if you bind as the specified user, lets you retrieve passwords via LDAP extensions.)
Some directories might let you recover the hashed versions, but that is not that great either.
To be cross-platform, it is better to try and bind with the values provided and either succeed or fail. Additionally, LDAP says a bind with a blank password is actually an anonymous bind, which will probably succeed, so you need to filter for that case.
Once bound as the user, you could look at their group memberships (since usually they can see their own) or look at some other attribute which, if they can read it, means they have some level of rights. (I.e. implement authorization as well as authentication.)
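As an added illustration of this answer's approach (example code, not the answerer's or the original poster's), the PHP function below performs the bind-based check described above: it refuses an empty password before calling ldap_bind() so an anonymous bind can never count as a login, authenticates by binding as the user, and then reads the user's own memberOf attribute for authorization. The controller hostname, base DN, group DN and user principal name are placeholders, and LDAPS on port 636 is assumed.

```php
<?php
// Added example: authenticate against AD by binding as the user, then authorize
// from the user's own memberOf attribute. Hostname, base DN and group DN are
// assumed placeholders.

declare(strict_types=1);

/**
 * Returns true only if $upn/$password bind successfully AND the account is a
 * direct member of $requiredGroupDn. Any failure returns false.
 */
function authenticateAdUser(
    string $host,            // e.g. 'dc01.example.local' (placeholder)
    string $upn,             // user principal name, e.g. 'alice@example.local'
    string $password,
    string $baseDn,          // e.g. 'DC=example,DC=local' (placeholder)
    string $requiredGroupDn  // e.g. 'CN=App Users,OU=Groups,DC=example,DC=local'
): bool {
    // An empty password turns ldap_bind() into an anonymous/unauthenticated
    // bind, which the server may accept; it must never count as "logged in".
    if ($password === '') {
        return false;
    }

    // LDAPS so the password does not cross the network in clear text.
    $ldap = ldap_connect('ldaps://' . $host . ':636');
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD referrals break simple searches

    // Authentication: AD accepts the UPN as the bind identity.
    if (!@ldap_bind($ldap, $upn, $password)) {
        ldap_unbind($ldap);
        return false;
    }

    // Authorization: look up our own entry and read memberOf (normally readable
    // by the user). Escape the user-supplied value so it cannot alter the filter.
    $filter = '(&(objectClass=user)(userPrincipalName='
        . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . '))';
    $result = @ldap_search($ldap, $baseDn, $filter, ['memberOf']);
    if ($result === false) {
        ldap_unbind($ldap);
        return false;
    }
    $entries = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);

    // Exactly one entry must match; none or several means refuse.
    if (($entries['count'] ?? 0) !== 1) {
        return false;
    }
    // ldap_get_entries() lowercases attribute names.
    $groups = $entries[0]['memberof'] ?? ['count' => 0];
    for ($i = 0; $i < $groups['count']; $i++) {
        if (strcasecmp($groups[$i], $requiredGroupDn) === 0) {
            return true;
        }
    }
    return false;
}

// Usage with placeholder values; the password would come from the login form.
$ok = authenticateAdUser(
    'dc01.example.local',
    'alice@example.local',
    $_POST['password'] ?? '',
    'DC=example,DC=local',
    'CN=App Users,OU=Groups,DC=example,DC=local'
);
echo $ok ? "access granted\n" : "access denied\n";
```

memberOf lists direct group memberships only, so a user who is in the required group through a nested group is not recognised by this check; a deployment that relies on nested groups needs an additional lookup for that case.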
I just queried an Active Directory (using ldapsearch in Ubuntu 10.04) running on MS-Windows Server 2003, and it seems only the following can be retrieved; note that the password is not there. You may also refer:
AD does not store the password in plain text. The password hash is stored in unicodePwd. This attribute can only be retrieved using the ldapi interface. The regular ldap_search will not return anything.