Authenticating credentials against Active Directory with Zend\Authentication\Adapter\Ldap (ZF2)

Time: 2013-04-26 08:08:01

Tags: active-directory ldap zend-framework2 zend-auth

I want to check a username/password against our Active Directory from a ZF2 application. I am using Zend\Authentication\Adapter\Ldap for this, and it partly works.

Here is my code:

use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Adapter\Ldap as AuthAdapter;

$username = 'johndoe';
$password = 'xxx';

$auth = new AuthenticationService();
$adapter = new AuthAdapter(
    array('server1' => array(
        'host' => '192.168.0.3',
        'useStartTls' => false,
        'useSsl' => false,
        'accountDomainName' => 'domain.local',
        'accountDomainNameShort' => 'DOMAIN',
        'accountCanonicalForm' => 3, // bind as DOMAIN\username
        'accountFilterFormat' => '(&(objectClass=user)(sAMAccountName=%s))',
        'baseDn' => 'CN=Users,DC=domain,DC=local', // container searched for the account after the bind
        'bindRequiresDn' => false,
        'optReferrals' => false
    )),
    $username,
    $password
);

$result = $auth->authenticate($adapter);

var_dump($result);

If I set a wrong password, I get this result:

object(Zend\Authentication\Result)#279 (3) {
  ["code":protected]=>
  int(-3)
  ["identity":protected]=>
  string(3) "johndoe"
  ["messages":protected]=>
  array(4) {
    [0]=>
    string(19) "Invalid credentials"
    [1]=>
    string(124) "0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772): DOMAIN\johndoe"
    [2]=>
    string(238) "host=192.168.0.3,useStartTls=,useSsl=,accountDomainName=domain.local,accountDomainNameShort=DOMAIN,accountCanonicalForm=3,accountFilterFormat=(&(objectClass=user)(sAMAccountName=%s)),baseDn=CN=Users,DC=domain,DC=local,bindRequiresDn=,optReferrals="
    [3]=>
    string(151) "johndoe authentication failed: 0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772): DOMAIN\johndoe"
  }
}

With the correct password, the result changes:

object(Zend\Authentication\Result)#279 (3) {
  ["code":protected]=>
  int(-1)
  ["identity":protected]=>
  string(3) "johndoe"
  ["messages":protected]=>
  array(4) {
    [0]=>
    string(22) "Account not found: johndoe"
    [1]=>
    string(68) "0x20: No object found for: (&(objectClass=user)(sAMAccountName=johndoe))"
    [2]=>
    string(238) "host=192.168.0.3,useStartTls=,useSsl=,accountDomainName=domain.local,accountDomainNameShort=DOMAIN,accountCanonicalForm=3,accountFilterFormat=(&(objectClass=user)(sAMAccountName=%s)),baseDn=CN=Users,DC=domain,DC=local,bindRequiresDn=,optReferrals="
    [3]=>
    string(95) "johndoe authentication failed: 0x20: No object found for: (&(objectClass=user)(sAMAccountName=johndoe))"
  }
}

Why is the account not found? Is there a problem with my accountFilterFormat?

sAMAccountName and objectClass seem to be valid. I checked this with the Sysinternals Active Directory Explorer: [screenshots: Active Directory Explorer, object properties]

A similar search with this tool works fine: [screenshot: Active Directory Explorer search]

2 answers:

Answer 0 (score: 1)

Just a guess, but it might be because objectClass is not user but top;person;...;user

Answer 1 (score: 1)

The baseDn was wrong. You can check the path with Active Directory Explorer. I had not checked this; instead I used the standard baseDN: CN=Users,DC=domain,DC=local

I don't know whether this is SBS-specific, but the correct baseDN here is: OU=SBSUsers,OU=DOMAIN,DC=domain,DC=local
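The two dumps in the question are two different failures, and answer 1 explains the second one: code -3 (FAILURE_CREDENTIAL_INVALID) means the bind itself was rejected by the DC (LDAP 0x31, with AD's sub-code "data 52e" = wrong password), while code -1 (FAILURE_IDENTITY_NOT_FOUND) means the bind succeeded and the adapter's follow-up search for the user's entry under baseDn came back empty (LDAP 0x20), which is a baseDn/filter problem rather than a credential problem. The following is an added example, not code from the original post or from Zend Framework. It keeps the question's option array but moves baseDn to the domain root, so the subtree search finds the user in CN=Users or in an OU such as OU=SBSUsers,OU=DOMAIN alike, and turns on useStartTls, because with useSsl and useStartTls both false the simple bind sends DOMAIN\user and the password in cleartext on port 389 (the DC needs a server certificate the PHP host trusts for StartTLS to succeed). The helper names adAdapterOptions, adBindSubcode and describeLdapResult are mine; the sub-code table is the set of AcceptSecurityContext "data" values Active Directory reports on failed binds; host and domain names are the question's placeholders.

```php
<?php
// Added example, not code from the original post or from Zend Framework.
// Classifies a Zend\Authentication\Result from the LDAP adapter by the stage
// that failed (bind vs. post-bind account search) and decodes the AD
// "data NNN" sub-code carried in the 0x31 diagnostic message.
use Zend\Authentication\Adapter\Ldap as AuthAdapter;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Result;

/**
 * Adapter options for AD. Differences from the question's array:
 *  - baseDn is the domain root, so the subtree search the adapter runs after
 *    a successful bind finds the user whether it lives in CN=Users or in an
 *    OU such as OU=SBSUsers,OU=DOMAIN (answer 1's case);
 *  - useStartTls is true, so the simple bind (DOMAIN\user + password) travels
 *    over TLS instead of cleartext on port 389. The DC must present a server
 *    certificate the PHP host trusts, otherwise the StartTLS step fails.
 * Host and domain names are placeholders taken from the question.
 */
function adAdapterOptions($host)
{
    return array('server1' => array(
        'host'                   => $host,
        'useStartTls'            => true,
        'useSsl'                 => false,
        'accountDomainName'      => 'domain.local',
        'accountDomainNameShort' => 'DOMAIN',
        'accountCanonicalForm'   => 3,     // Ldap::ACCTNAME_FORM_BACKSLASH, i.e. DOMAIN\user
        'accountFilterFormat'    => '(&(objectClass=user)(sAMAccountName=%s))',
        'baseDn'                 => 'DC=domain,DC=local',
        'bindRequiresDn'         => false,
        'optReferrals'           => false, // keep off: domain-root searches return referrals to other partitions
    ));
}

/**
 * Pull the AcceptSecurityContext sub-code ("data 52e") out of the adapter's
 * messages. Returns null when no AD bind diagnostic is present.
 */
function adBindSubcode(array $messages)
{
    foreach ($messages as $message) {
        if (preg_match('/AcceptSecurityContext error, data ([0-9a-f]{3})/i', $message, $hit)) {
            return strtolower($hit[1]);
        }
    }
    return null;
}

/**
 * One-line diagnosis of a Result from the LDAP adapter.
 * -3 (FAILURE_CREDENTIAL_INVALID): the bind was rejected (LDAP 0x31).
 * -1 (FAILURE_IDENTITY_NOT_FOUND): the bind succeeded, but the search for the
 *    user's entry under baseDn returned nothing (LDAP 0x20). That is the
 *    second dump in the question: the password was right, baseDn was not.
 */
function describeLdapResult(Result $result)
{
    // AD "data" sub-codes reported on failed binds.
    static $subcodes = array(
        '525' => 'user not found',
        '52e' => 'wrong password',
        '530' => 'logon not permitted at this time',
        '531' => 'logon not permitted from this workstation',
        '532' => 'password expired',
        '533' => 'account disabled',
        '701' => 'account expired',
        '773' => 'password must be reset',
        '775' => 'account locked out',
    );

    switch ($result->getCode()) {
        case Result::SUCCESS:
            return 'authenticated as ' . $result->getIdentity();
        case Result::FAILURE_CREDENTIAL_INVALID:
            $sub = adBindSubcode($result->getMessages());
            $why = ($sub !== null && isset($subcodes[$sub]))
                ? $subcodes[$sub] . ' (data ' . $sub . ')'
                : 'bind rejected';
            return 'bind failed: ' . $why;
        case Result::FAILURE_IDENTITY_NOT_FOUND:
            return 'bind succeeded but no entry matched under baseDn; check baseDn and accountFilterFormat';
        default:
            return 'authentication failed: ' . implode(' | ', $result->getMessages());
    }
}

// Offline check with the diagnostics copied from the question's two dumps.
$wrongPassword = new Result(Result::FAILURE_CREDENTIAL_INVALID, 'johndoe', array(
    'Invalid credentials',
    '0x31 (Invalid credentials; 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 52e, v1772): DOMAIN\johndoe',
));
$wrongBaseDn = new Result(Result::FAILURE_IDENTITY_NOT_FOUND, 'johndoe', array(
    'Account not found: johndoe',
    '0x20: No object found for: (&(objectClass=user)(sAMAccountName=johndoe))',
));
echo describeLdapResult($wrongPassword), PHP_EOL;
echo describeLdapResult($wrongBaseDn), PHP_EOL;

// Live check against the DC (needs zend-authentication and zend-ldap installed).
$auth    = new AuthenticationService();
$adapter = new AuthAdapter(adAdapterOptions('192.168.0.3'), 'johndoe', 'xxx');
echo describeLdapResult($auth->authenticate($adapter)), PHP_EOL;
```

Do not show the decoded reason to the end user: reporting "account locked out" or "user not found" on the login form tells an attacker which usernames exist and which are being throttled. Log the sub-code server-side and return one generic login failure to the browser.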