PHP LDAP获取用户属性,包括关联组

时间:2013-01-16 04:53:17

标签: php active-directory ldap

对当前用户运行搜索以检索所有属性(包括使用LDAP / PHP在Active Directory中的关联组)的最佳方法是什么?

对于属性,主要只是名字,姓氏和显示名称。

对于关联组,只是用户所属的组,例如memberOf函数。

我尝试了一些选项,但似乎无法获得正确的过滤器/搜索组合,大多数示例都涵盖了检索已知组的用户列表。

我在尝试成功绑定后尝试运行它:

$attributes = array("displayname");
$filter = "(&(sAMAccountName=$username))";
$result = ldap_search($ds, $ldapconfig['basedn'], $filter, $attributes);
$entries = ldap_get_entries($ds, $result);
if($entries["count"] > 0){
  echo "displayName: ".$entries[0]['displayname'][0]."<br/>";
 } else {
 echo("msg:'".ldap_error($ds)."'</br>");
 }

返回以下错误:“没有这样的对象”。

更新

这是我尝试过的最新块,当我打印$ info变量时能够得到结果,但是for子句仍然在某处错误。我将basedn更改为dc属性:

$filter="($SearchField=$SearchFor)";
$sr=ldap_search($ds, $basedn, $filter, $LDAPFieldsToFind);
$info = ldap_get_entries($ds, $sr);

if($info["count"] > 0) {
    for ($x=0; $x<$info["count"]; $x++) {
        $sam=$info[$x]['samaccountname'][0];
        $giv=$info[$x]['givenname'][0];
        $tel=$info[$x]['telephonenumber'][0];
        $email=$info[$x]['mail'][0];
        $nam=$info[$x]['cn'][0];
        $dir=$info[$x]['homedirectory'][0];
        $dir=strtolower($dir);
        $pos=strpos($dir,"home");
        $pos=$pos+5;
            if (stristr($sam, $SearchFor) && (strlen($dir) > 8)) {
              print "\nActive Directory says that:\n";
              print "CN is: ".$nam." \n";
              print "SAMAccountName is: ".$sam." \n";
              print "Given Name is: ".$giv." \n";
              print "Telephone is: ".$tel." \n";
              print "Home Directory is: ".$dir." \n";
            }   
    }
    }

结果的print_r是:

( [count] => 1 [0] => Array ( [cn] => Array ( [count] => 1 [0] => George ) [0] => cn [givenname] => Array ( [count] => 1 [0] => George ) [1] => givenname [memberof] => Array ( [count] => 4 [0] => CN=EQCStaff,CN=Users,DC=EQC,DC=local [1] => CN=RDS Users,OU=Security Groups,OU=Service,DC=EQC,DC=local [2] => CN=SFTP Client Folders,OU=Security Groups,OU=Service,DC=EQC,DC=local [3] => CN=EQC Staff,OU=Security Groups,OU=Service,DC=EQC,DC=local ) [2] => memberof [samaccountname] => Array ( [count] => 1 [0] => gortiz ) [3] => samaccountname [mail] => Array ( [count] => 1 [0] => user@domain.com ) [4] => mail [count] => 5 [dn] => CN=George,OU=Users,OU=Accounts,DC=EQC,DC=local ) )

1 个答案:

答案 0 :(得分:8)

这是我们用于转储AD信息的脚本,也许它会对您有所帮助:

<?php
$ldap_columns = NULL;
$ldap_connection = NULL;
$ldap_password = 'top_secret_password';
$ldap_username = 'top_secret_username@'.LDAP_DOMAIN;

//------------------------------------------------------------------------------
// Connect to the LDAP server.
//------------------------------------------------------------------------------
$ldap_connection = ldap_connect(LDAP_HOSTNAME);
if (FALSE === $ldap_connection){
    die("<p>Failed to connect to the LDAP server: ". LDAP_HOSTNAME ."</p>");
}

ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.

if (TRUE !== ldap_bind($ldap_connection, $ldap_username, $ldap_password)){
    die('<p>Failed to bind to LDAP server.</p>');
}

//------------------------------------------------------------------------------
// Get a list of all Active Directory users.
//------------------------------------------------------------------------------
$ldap_base_dn = 'DC=xyz,DC=local';
$search_filter = "(&(objectCategory=person))";
$result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter);
if (FALSE !== $result){
    $entries = ldap_get_entries($ldap_connection, $result);
    if ($entries['count'] > 0){
        $odd = 0;
        foreach ($entries[0] AS $key => $value){
            if (0 === $odd%2){
                $ldap_columns[] = $key;
            }
            $odd++;
        }
        echo '<table class="data">';
        echo '<tr>';
        $header_count = 0;
        foreach ($ldap_columns AS $col_name){
            if (0 === $header_count++){
                echo '<th class="ul">';
            }else if (count($ldap_columns) === $header_count){
                echo '<th class="ur">';
            }else{
                echo '<th class="u">';
            }
            echo $col_name .'</th>';
        }
        echo '</tr>';
        for ($i = 0; $i < $entries['count']; $i++){
            echo '<tr>';
            $td_count = 0;
            foreach ($ldap_columns AS $col_name){
                if (0 === $td_count++){
                    echo '<td class="l">';
                }else{
                    echo '<td>';
                }
                if (isset($entries[$i][$col_name])){
                    $output = NULL;
                    if ('lastlogon' === $col_name || 'lastlogontimestamp' === $col_name){
                        $output = date('D M d, Y @ H:i:s', ($entries[$i][$col_name][0] / 10000000) - 11676009600); // See note below
                    }else{
                        $output = $entries[$i][$col_name][0];
                    }
                    echo $output .'</td>';
                }
            }
            echo '</tr>';
        }
        echo '</table>';
    }
}
ldap_unbind($ldap_connection); // Clean up after ourselves.
?>

用户inventor96建议使用11644473600而不是11676009600.我可以确认11644473600在Linux环境中是正确的 - 我的猜测是inventor96在Windows环境中。

相关问题
最新问题