如下所示,当我对安全组进行LDAP搜索时,我没有收到任何用户信息。我想使用$_SERVER[remote_user]检查用户是否是该组的成员。我还想检索该用户的信息并用它更新sql数据库。这可能吗?
$dn = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(member=*)";
$ad = ldap_connect("IP") or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
$bd = ldap_bind( $ad, "username@mydomain.local", "password") or die("Can't bind to server.");
$sr = ldap_search($ad,$dn,$filter);
$entries = ldap_get_entries($ad, $sr);
print_r($entries);
返回:
Array
(
[count] => 1
[0] => Array
(
[objectclass] => Array
(
[count] => 2
[0] => top
[1] => group
)
[0] => objectclass
[cn] => Array
(
[count] => 1
[0] => Intra
)
[1] => cn
[description] => Array
(
[count] => 1
[0] => Group for (LDAP) INTRANET server access
)
[2] => description
[member] => Array
(
[count] => 4
[0] => CN=Fname1 Lname1,OU=Mail enabled users,OU=Aberdeen,DC=mydomain,DC=local
[1] => CN=Fname2 Lname2,OU=Mail enabled users,OU=Forres,DC=mydomain,DC=local
[2] => CN=Fname3 Lname3,OU=Houston,DC=mydomain,DC=local
[3] => CN=Fname4 Lname4,OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local
)
[3] => member
[distinguishedname] => Array
(
[count] => 1
[0] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
[4] => distinguishedname
[instancetype] => Array
(
[count] => 1
[0] => 4
)
[5] => instancetype
[whencreated] => Array
(
[count] => 1
[0] => 20100711172407.0Z
)
[6] => whencreated
[whenchanged] => Array
(
[count] => 1
[0] => 20100712063949.0Z
)
[7] => whenchanged
[usncreated] => Array
(
[count] => 1
[0] => 17491499
)
[8] => usncreated
[usnchanged] => Array
(
[count] => 1
[0] => 17498823
)
[9] => usnchanged
[name] => Array
(
[count] => 1
[0] => Intra
)
[10] => name
[objectguid] => Array
(
[count] => 1
[0] =>
)
[11] => objectguid
[objectsid] => Array
(
[count] => 1
[0] =>
)
[12] => objectsid
[samaccountname] => Array
(
[count] => 1
[0] => Intra
)
[13] => samaccountname
[samaccounttype] => Array
(
[count] => 1
[0] => 268435456
)
[14] => samaccounttype
[grouptype] => Array
(
[count] => 1
[0] => -2147483646
)
[15] => grouptype
[objectcategory] => Array
(
[count] => 1
[0] => CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=local
)
[16] => objectcategory
[count] => 17
[dn] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
)
当我使用普通DN时,一切正常:
$dn = "OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local";
但AD专家告诉我这是一个很大的NO-NO,我应该使用安全组:\
答案 0 :(得分:3)
像这样查询AD:
$dn = "DC=mydomain,DC=local";
$group_DN = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(&(objectCategory=user)(memberOf=$group_DN))";
// ...
$sr = ldap_search($ad, $dn, $filter);
有关更复杂过滤器的信息,请查看MSDN article about the LDAP search filter syntax。
请务必注意该页面上的特殊字符部分。在使用过滤器字符串之前,正确的解决方案必须通过$group_DN通过转义机制!
始终尝试尽可能具体地构建过滤器。让LDAP服务器整理出你不想要的记录更有效率,而不是通过网络传输的记录多于你需要的记录,并将一半记录丢弃在客户端上。
答案 1 :(得分:0)
托默勒格
我认为问题在于并非安全组中的所有用户都来自同一个OU。
如果我改变
$dn = "DC=mydomain,DC=local";
到
$dn = "OU=Bergen,DC=mydomain,DC=local";
过滤器有效。但是我还有2个OU用户。