当前位置: 文江博客话题详情

仅使用 SamAccountName 和密码通过 PHP 的 LDAP 对用户进行身份验证?

发布于 2024-12-18 18:16:43 字数 611 浏览 0 评论 0原文

当我只有 SamAccountName 和密码时,如何使用 LDAP 从 PHP 进行身份验证?有没有一种方法可以仅使用 SamAccountName 和密码进行绑定,而无需使用可分辨名称。我发现的唯一示例假设您有 DN:

$server="XXX.XXX.XXX.XXX";
$dn = "cn=$username, "; 
$basedn="ou=users, ou=accounts, dc=domain, dc=com";

if (!($connect = ldap_connect($server))) { 
   die ("Could not connect to LDAP server"); 
} 

if (!($bind = ldap_bind($connect, "$dn" . "$basedn", $password))) {        
   die ("Could not bind to $dn"); 
} 

$sr = ldap_search($connect, $basedn,"$filter"); 
$info = ldap_get_entries($connect, $sr); 
$fullname=$info[0]["displayname"][0]; 
$fqdn=$info[0]["dn"];
原文

how can I authenticate from PHP using LDAP when I only have the SamAccountName and Password? Is there a way to bind with just SamAccountName and Password and without Distinguished Name. The only examples I have found assume you have the DN:

$server="XXX.XXX.XXX.XXX";
$dn = "cn=$username, "; 
$basedn="ou=users, ou=accounts, dc=domain, dc=com";

if (!($connect = ldap_connect($server))) { 
   die ("Could not connect to LDAP server"); 
} 

if (!($bind = ldap_bind($connect, "$dn" . "$basedn", $password))) {        
   die ("Could not bind to $dn"); 
} 

$sr = ldap_search($connect, $basedn,"$filter"); 
$info = ldap_get_entries($connect, $sr); 
$fullname=$info[0]["displayname"][0]; 
$fqdn=$info[0]["dn"];

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

淡写薰衣草的香 2024-12-25 18:16:43

这对我有用。我花了很多天试图弄清楚这个问题。

<?php

//We just need six varaiables here
$baseDN = 'CN=Users,DC=domain,DC=local';
$adminDN = "YourAdminDN";//this is the admin distinguishedName
$adminPswd = "YourAdminPass";
$username = 'Username';//this is the user samaccountname
$userpass = 'UserPass';
$ldap_conn = ldap_connect('ldaps://yourADdomain.local');//I'm using LDAPS here

if (! $ldap_conn) {
        echo ("<p style='color: red;'>Couldn't connect to LDAP service</p>");
    }
else {    
        echo ("<p style='color: green;'>Connection to LDAP service successful!</p>");
     }
//The first step is to bind the administrator so that we can search user info
$ldapBindAdmin = ldap_bind($ldap_conn, $adminDN, $adminPswd);

if ($ldapBindAdmin){
    echo ("<p style='color: green;'>Admin binding and authentication successful!!!</p>");

    $filter = '(sAMAccountName='.$username.')';
    $attributes = array("name", "telephonenumber", "mail", "samaccountname");
    $result = ldap_search($ldap_conn, $baseDN, $filter, $attributes);

    $entries = ldap_get_entries($ldap_conn, $result);  
    $userDN = $entries[0]["name"][0];  
    echo ('<p style="color:green;">I have the user DN: '.$userDN.'</p>');

    //Okay, we're in! But now we need bind the user now that we have the user's DN
    $ldapBindUser = ldap_bind($ldap_conn, $userDN, $userpass);

    if($ldapBindUser){
        echo ("<p style='color: green;'>User binding and authentication successful!!!</p>");        

        ldap_unbind($ldap_conn); // Clean up after ourselves.

    } else {
        echo ("<p style='color: red;'>There was a problem binding the user to LDAP :(</p>");   
    }     

} else {
    echo ("<p style='color: red;'>There was a problem binding the admin to LDAP :(</p>");   
} 
?>

This works for me. I spent many a days trying to figure this one out.

<?php

//We just need six varaiables here
$baseDN = 'CN=Users,DC=domain,DC=local';
$adminDN = "YourAdminDN";//this is the admin distinguishedName
$adminPswd = "YourAdminPass";
$username = 'Username';//this is the user samaccountname
$userpass = 'UserPass';
$ldap_conn = ldap_connect('ldaps://yourADdomain.local');//I'm using LDAPS here

if (! $ldap_conn) {
        echo ("<p style='color: red;'>Couldn't connect to LDAP service</p>");
    }
else {    
        echo ("<p style='color: green;'>Connection to LDAP service successful!</p>");
     }
//The first step is to bind the administrator so that we can search user info
$ldapBindAdmin = ldap_bind($ldap_conn, $adminDN, $adminPswd);

if ($ldapBindAdmin){
    echo ("<p style='color: green;'>Admin binding and authentication successful!!!</p>");

    $filter = '(sAMAccountName='.$username.')';
    $attributes = array("name", "telephonenumber", "mail", "samaccountname");
    $result = ldap_search($ldap_conn, $baseDN, $filter, $attributes);

    $entries = ldap_get_entries($ldap_conn, $result);  
    $userDN = $entries[0]["name"][0];  
    echo ('<p style="color:green;">I have the user DN: '.$userDN.'</p>');

    //Okay, we're in! But now we need bind the user now that we have the user's DN
    $ldapBindUser = ldap_bind($ldap_conn, $userDN, $userpass);

    if($ldapBindUser){
        echo ("<p style='color: green;'>User binding and authentication successful!!!</p>");        

        ldap_unbind($ldap_conn); // Clean up after ourselves.

    } else {
        echo ("<p style='color: red;'>There was a problem binding the user to LDAP :(</p>");   
    }     

} else {
    echo ("<p style='color: red;'>There was a problem binding the admin to LDAP :(</p>");   
} 
?>
回复 原文
聽兲甴掵 2024-12-25 18:16:43

实际上,答案是这取决于管理员如何配置 LDAP 服务器。您并不总是需要 DN 来向 LDAP 服务器进行身份验证。在我的特定情况下,即使使用 DN,我仍然无法对 LDAP 服务器进行身份验证。对于我尝试连接的 LDAP 服务器,它似乎是一个 Microsoft 域,因此我只能使用 DOMAIN\user015 对 DOMAIN 中的 user015 进行身份验证,其中 user015 是 SamAccountName,而 DOMAIN 是该用户的域。但我能够验证。

感谢您的所有帖子!即使他们不是正确的答案,但他们确实有很大帮助!

Actually, the answer is that it depends on how the LDAP server was configured by the admin. You don't always need a DN to authenticate to an LDAP server. In my particular case, even with the DN, I still couldn't authenticate to the LDAP server. For the LDAP server I was trying to connect, it appears it was a Microsoft Domain, and so I could only authenticate with DOMAIN\user015 for user015 in DOMAIN where user015 is a SamAccountName and DOMAIN is the domain for that user. But I was able to authenticate.

Thank you for all the posts! Even if they weren't the correct answer, they did help a lot!

回复 原文
脱离于你 2024-12-25 18:16:43

尝试 dn 上的 user@domain ...它对我有用!

Try user@domain on dn... It worked for me!

回复 原文
晨与橙与城 2024-12-25 18:16:43

您始终需要 DN 来向 LDAP 服务器进行身份验证。之后,您可以根据特定属性(例如 SamAccountName)执行过滤器,但您需要由 DN 标识的 LDAP 用户。

You always need a DN to authenticate to a LDAP server. After that, you can perform a filter based in a specific attribute, like SamAccountName, but you need an LDAP user identified by a DN.

回复 原文
很酷又爱笑 2024-12-25 18:16:43

AD 的 LDAP 接口要求您使用 DN 进行绑定。为了对用户进行身份验证,您必须首先找到该用户的 DN — 幸运的是,您可以通过搜索 LDAP 找到 DN。

如果您将 AD 配置为允许匿名查询(除非您确定自己是好吧,安全性有所降低),您可以执行此操作

ldap_bind($connect, "", "")
$sr = ldap_search($connect, $base_dn, "(sAMAccountName=$username)")

,然后检索该用户的 DN 并继续使用该用户的 DN 和密码重新绑定。

如果您启用匿名绑定,则可以使用应用程序 ID 进行初始搜索,如下所示:

ldap_bind($connect, "DN=LDAP_App,OU=Users,DC=Domain,DC=com", "thePassword")
$sr = ldap_search($connect, $base_dn, "(sAMAccountName=$username)")

然后,如上所述,检索该用户的 DN 并继续重新绑定。

The LDAP interface to AD requires that you bind using a DN. In order to authenticate a user, you must first find that user's DN — fortunately, you can find the DN by searching LDAP.

If you configure AD to allow anonymous queries (don't do this unless you are sure you're ok with the reduction in security), you can do

ldap_bind($connect, "", "")
$sr = ldap_search($connect, $base_dn, "(sAMAccountName=$username)")

And then retrieve that user's DN and proceed to rebind with the user's DN and password.

If you do not enable anonymous bind, then you use an application ID to do the initial search, like so:

ldap_bind($connect, "DN=LDAP_App,OU=Users,DC=Domain,DC=com", "thePassword")
$sr = ldap_search($connect, $base_dn, "(sAMAccountName=$username)")

And then, just as above, retrieve that user's DN and proceed to rebind.

回复 原文
~没有更多了~

关于作者

白色秋天

暂无简介

文章
评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

燃烧我的卡路李先生

文章 0 评论 0

qq_2gSKZM

文章 0 评论 0

∞梦里开花

文章 0 评论 0

qq_IklFPL

文章 0 评论 0

迷途知返

文章 0 评论 0

深海不蓝

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文