PHP ldap_list() Bad search filter

Time: 2014-04-25 03:58:57

Tags: php login active-directory ldap

I am trying to list my Active Directory users with PHP's ldap_list() function. When I run the PHP code I get the following error.

LDAP bind successful... Warning: ldap_list(): Search: Bad search filter in /var/www/html/ldapn.php on line 29

Here is my PHP code:

<?php

// using ldap bind
$ldaprdn  = 'draven@myserver.com';     // ldap rdn or dn
$ldappass = 'draven678';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("dc.myserver.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

    $basedn = "dc=myserver, dc=com";
    $justthese = array("OU_Test");

    $sr = ldap_list($ldapconn, $basedn, "OU_Test=*", $justthese);

}

?>

Note: OU_Test is an organizational unit. My requirement is to list all users in that organizational unit.

What is wrong with my code? How can I fix this error?

2 answers:

Answer 0 (score: 0)

To list all users in the organizational unit 'OU_TEST' with ldap_list():

  • Use a proper $basedn. It should be the distinguished name of 'OU_TEST', because you want to list the users INSIDE OU_TEST. You can get it with ldap_search().

  • Use a proper filter: to list only users, filter by users.

 // 1. Get OU_TEST's dn. Search down the tree using a top/root dn as $basedn :
 $basedn = "dc=myserver, dc=com";

 // Filters usually look like ([attributeName]=[attributeValue])
 $filter = '(ou=OU_TEST)';

 // $ldapconn is the bound connection from the question
 $sr = ldap_search($ldapconn, $basedn, $filter);

...say we put the resulting dn in the $OU_TEST_dn variable...

 // 2. List users. If users are missing, use 'objectClass=organizationalPerson'
 // (the Active Directory class for user accounts is 'user', not 'Users')
 $filter = '(objectClass=user)';

 // Use the correct basedn
 $basedn = $OU_TEST_dn;

 // This should work
 $sr = ldap_list($ldapconn, $basedn, $filter);
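The following is an added example, not code from the question or from either answer. It carries out the two steps of the answer above (resolve the OU's distinguished name, then list the users beneath it) and also addresses the error in the question: an LDAP search filter must be wrapped in parentheses, and an attribute name may contain only letters, digits and hyphens (RFC 4512), so `OU_Test=*` is rejected as a filter; `OU_Test` is the value of the `ou` attribute, not an attribute itself. The host `dc.myserver.com`, base DN `dc=myserver,dc=com` and OU name `OU_Test` are taken from the question; the LDAPS URI, the environment variables `AD_BIND_USER`/`AD_BIND_PASS` and the function names are assumptions for this example. Values that come from user input are passed through `ldap_escape()` so they cannot inject extra filter clauses.

```php
<?php
// Added example (not from the question or either answer): list the users of
// one organizational unit in Active Directory with PHP's ldap_* functions.
// Assumed for this example: the DC is reachable as dc.myserver.com over LDAPS,
// the domain base DN is dc=myserver,dc=com and the OU is named OU_Test.
// Credentials are read from the environment instead of being hard-coded.

function adConnect(string $uri, string $bindDn, string $password)
{
    $conn = ldap_connect($uri);          // e.g. "ldaps://dc.myserver.com"
    if ($conn === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    // AD needs protocol version 3, and chasing its referrals from PHP tends to
    // fail; turning them off avoids spurious "Operations error" results.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($conn, $bindDn, $password)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

// Step 1: find the distinguished name of the OU. The filter is wrapped in
// parentheses, and the OU name is escaped so that a value taken from user
// input cannot add filter clauses of its own (LDAP injection).
function findOuDn($conn, string $baseDn, string $ouName): string
{
    $filter = '(&(objectClass=organizationalUnit)(ou='
            . ldap_escape($ouName, '', LDAP_ESCAPE_FILTER) . '))';
    $sr = ldap_search($conn, $baseDn, $filter, ['distinguishedName']);
    if ($sr === false) {
        throw new RuntimeException('OU search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $sr);
    if ($entries['count'] !== 1) {
        throw new RuntimeException(
            "Expected exactly one OU named $ouName, found {$entries['count']}");
    }
    return $entries[0]['dn'];
}

// Step 2: list user objects directly under that OU. ldap_list() is a
// one-level search; use ldap_search() if the users sit in nested OUs.
function listUsersInOu($conn, string $ouDn): array
{
    // objectCategory=person narrows the result to accounts: computer objects
    // in AD also carry objectClass=user.
    $filter = '(&(objectCategory=person)(objectClass=user))';
    $attrs  = ['sAMAccountName', 'displayName', 'mail'];
    $sr = ldap_list($conn, $ouDn, $filter, $attrs);
    if ($sr === false) {
        throw new RuntimeException('User listing failed: ' . ldap_error($conn));
    }
    $users   = [];
    $entries = ldap_get_entries($conn, $sr);   // attribute keys come back lower-cased
    for ($i = 0; $i < $entries['count']; $i++) {
        $e = $entries[$i];
        $users[] = [
            'dn'   => $e['dn'],
            'sam'  => $e['samaccountname'][0] ?? '',
            'name' => $e['displayname'][0] ?? '',
            'mail' => $e['mail'][0] ?? '',
        ];
    }
    return $users;
}

$conn = adConnect(
    'ldaps://dc.myserver.com',
    getenv('AD_BIND_USER') ?: 'draven@myserver.com',
    getenv('AD_BIND_PASS') ?: ''
);
$ouDn = findOuDn($conn, 'dc=myserver,dc=com', 'OU_Test');
foreach (listUsersInOu($conn, $ouDn) as $u) {
    printf("%-20s %-30s %s\n", $u['sam'], $u['name'], $u['mail']);
}
ldap_unbind($conn);
```

Each ldap_* call is checked for `false` and the server's message is read with `ldap_error()`, which is where the question's "Bad search filter" would surface; binding over LDAPS (or after `ldap_start_tls()`) keeps the bind password off the wire in clear text.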

Answer 1 (score: -1)

The filter here should be in brackets:

Here is how:

$sr = ldap_list($ldapconn, $basedn, "(OU_Test=*)", $justthese);

This should work fine.

If it doesn't work

follow the example here

<?php
$ldapconfig['host'] = '10.10.10.10';
$ldapconfig['port'] = NULL;
$ldapconfig['basedn'] = 'dc=company,dc=com';

$ds=ldap_connect($ldapconfig['host'], $ldapconfig['port']);

// $username and $password are expected to come from the login form
$dn="uid=".$username.",ou=OU_TEST,".$ldapconfig['basedn'];

if ($bind=ldap_bind($ds, $dn, $password)) {
  echo("Login correct");
} else {

  echo("Unable to bind to server.<br>");

  echo("msg:'".ldap_error($ds)."'<br>"); //check if the message isn't: Can't contact LDAP server :)
  //if it says something about a cn or user then you are trying with the wrong $dn pattern; i found this by looking at OpenLDAP source code :)
  //we can figure out the right pattern by searching the user tree
  //remember to turn on anonymous search on the ldap server
  if ($bind=ldap_bind($ds)) {

    $filter = "(OU_TEST=*)";

    if (!($search=@ldap_search($ds, $ldapconfig['basedn'], $filter))) {
      echo("Unable to search ldap server<br>");
      echo("msg:'".ldap_error($ds)."'<br>"); //check the message again
    } else {
      $number_returned = ldap_count_entries($ds,$search);
      $info = ldap_get_entries($ds, $search);
      echo "The number of entries returned is ". $number_returned."<p>";
      for ($i=0; $i<$info["count"]; $i++) {

        var_dump($info[$i]); //look for your user account in this pile of junk and apply the whole pattern where you build $dn to match exactly the ldap tree entry
      }
    }
  } else {
    echo("Unable to bind anonymously<br>");
    echo("msg:".ldap_error($ds)."<br>");
  }
}
?>

If it doesn't work, let me know. We'll try to figure it out!