我有一个登录页面,使用PHP / LDAP让我的用户访问公司网站。下面,我创建了一个语句,用于将用户的AD组成员资格存储在变量中,以便稍后用于重定向,具体取决于用户在AD中的成员资格。
现在,我现在还希望添加从Active Directory获取用户全名的功能,并将其存储以供日后使用。如何修改下面的语句,将用户的全名从Active Directory存储到另一个变量中?任何想法??
// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
// valid
// check presence in groups
$filter = "(sAMAccountName=" . $user . ")";
$attr = array("memberof");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldap, $result);
/* I would like to get and store the user's display name here somehow */
ldap_unbind($ldap);
// check groups
foreach($entries[0]['memberof'] as $grps) {
// is manager, break loop
if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }
// is user
if (strpos($grps, $ldap_user_group)) $access = 1;
}
if ($access != 0) {
// establish session variables
$_SESSION['user'] = $user;
$_SESSION['access'] = $access;
return true;
} else {
// user has no rights
return false;
}
} else {
// invalid name or password
return false;
提前感谢您的任何帮助/建议!
修改
现在我的完整PHP页面有虚拟域名的东西,但我收到语法错误,我可以解决问题:(和帮助或想法?感谢Alex的初步帮助!
<?php
function authenticate($user, $password) {
// Active Directory server
$ldap_host = "my FQDC DC";
// Active Directory DN
$ldap_dn = "DC=something,DC=something";
// Active Directory user group
$ldap_user_group = "WebUsers";
// Active Directory manager group
$ldap_manager_group = "WebManagers";
// Domain, for purposes of constructing $user
$ldap_usr_dom = "@mycompany.com";
// connect to active directory
$ldap = ldap_connect($ldap_host);
// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
// valid
// check presence in groups
$filter = "(sAMAccountName=" . $user . ")";
$attr = array("memberof","givenname");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldap, $result);
$givenname = $entries[0]['givenname'];
ldap_unbind($ldap);
// check groups
foreach($entries[0]['memberof'] as $grps) {
// is manager, break loop
if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }
// is user
if (strpos($grps, $ldap_user_group)) $access = 1;
}
if ($access != 0) {
// establish session variables
$_SESSION['user'] = $user;
$_SESSION['access'] = $access;
$_SESSION['givenname'] = $givenname;
return true;
} else {
// user has no rights
return false;
}
} else {
// invalid name or password
return false;
}
?>
答案 0 :(得分:2)
试试这个:
// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
// valid
// check presence in groups
$filter = "(sAMAccountName=" . $user . ")";
$attr = array("memberof","givenname");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldap, $result);
$givenname = $entries[0]['givenname'][0];
ldap_unbind($ldap);
// check groups
foreach($entries[0]['memberof'] as $grps) {
// is manager, break loop
if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }
// is user
if (strpos($grps, $ldap_user_group)) $access = 1;
}
if ($access != 0) {
// establish session variables
$_SESSION['user'] = $user;
$_SESSION['access'] = $access;
$_SESSION['givenname'] = $givenname;
return true;
} else {
// user has no rights
return false;
}
} else {
// invalid name or password
return false;
}
答案 1 :(得分:0)
希望这会有所帮助。当您从ldap读取时,您可以看到字段并将它们映射到某个会话变量。
$connect = @ldap_connect(LDAP_ADDRESS);
if (!$connect) return FALSE;
$bind = @ldap_bind($connect);
if (!$bind) return FALSE;
if ($resource = @ldap_search($connect,"dc=<yourdc>,dc=<yourdc>","uid=$user")) {
if (@ldap_count_entries($connect,$resource) == 1) {
if ($entry = @ldap_first_entry($connect,$resource)) {
if ($user_dn = @ldap_get_dn($connect,$entry)) {
if ($link = @ldap_bind($connect,$user_dn,$password)) {
$_SESSION['user'] = $user;
}
}
}
}
}
@ldap_close($connect);
答案 2 :(得分:0)
碰到一个旧线程。我需要获得名字和姓氏,并添加了“&#39; sn&#39;到属性并添加到会话变量中供以后在另一个脚本中引用,如下所示:
我如何访问其他脚本中的会话变量:
$givenname = $_SESSION['givenname'];
$surname = $_SESSION['sn'];
$name = "{$givenname} {$surname}";
更新到以前的身份验证脚本:
// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
// valid
// check presence in groups
$filter = "(sAMAccountName=" . $user . ")";
$attr = array("memberof","givenname","sn");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldap, $result);
$givenname = $entries[0]['givenname'][0];
$surname = $entries[0]['sn'][0];
ldap_unbind($ldap);
// check groups
foreach($entries[0]['memberof'] as $grps) {
// is manager, break loop
if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }
// is user
if (strpos($grps, $ldap_user_group)) $access = 1;
}
if ($access != 0) {
// establish session variables
$_SESSION['user'] = $user;
$_SESSION['access'] = $access;
$_SESSION['givenname'] = $givenname;
$_SESSION['sn'] = $surname;
return true;
} else {
// user has no rights
return false;
}
} else {
// invalid name or password
return false;
}