我正在开发一个显示Active Directory员工信息的系统。部分内容允许用户更新自己的信息(标题,名字,姓氏,电子邮件,电话号码,职称,公司,部门)等。我有以下PHP代码(如果相关):
function updateActiveDirectory($user, $first, $last, $mail, $number, $title, $service, $team)
{
/* This function, similar to the above one, but this will update Active Directory. We need to make sure that, even if the fields are empty, they still contain some character */
if(empty($first)==TRUE)
{
$first = " ";
}
if(empty($last)==TRUE)
{
$last = " ";
}
if(empty($mail)==TRUE)
{
$mail = " ";
}
if(empty($number)==TRUE)
{
$number = " ";
}
if(empty($team)==TRUE)
{
$team = " ";
}
if(empty($service)==TRUE)
{
$service = " ";
}
if(empty($title)==TRUE)
{
$title = " ";
}
$server = "DC-1";
/* The path to the OU we are working in */
$unit = "OU=Staff,OU=Users,DC=example,DC=com";
$ds = ldap_connect($server);
if(!$ds)
{
return "Cannot connect to LDAP server";
}
$bind = ldap_bind($ds, "DOMAIN\dirplus", "P@55w0rd3=");
/* Bind to a given user */
if(!$bind)
{
return "Couldn't bind to LDAP server";
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$sr = ldap_search($ds, $unit, "(sAMAccountName={$user})");
$ent= ldap_get_entries($ds, $sr);
$userdata = array();
//$userdata["cn"][0]=$first. " ".$last;
$userdata["sn"][0]=$last;
$userdata["mail"][0]=$mail;
$userdata["telephonenumber"][0]=$number;
$userdata["company"][0]=$service;
$userdata["department"][0]=$team;
$userdata["title"][0]=$title;
$name = $ent[0]["dn"];
$modify = ldap_modify($ds, $name, $userdata);
if($modify==TRUE)
{
return TRUE;
}
else
{
return FALSE;
}
}
我已经尝试过为帐户提供我能想到的每个分离的权限,甚至赋予它整个目录的权限,但是我得到的访问错误不足。这样就可以了,因为我已将它设置为管理员但我被告知由于某些合规类型原因我不能再这样做。
我不知道该怎么办,我在互联网上找不到任何合适的资源。