PHP LDAP 无法搜索用户
PHP LDAP unable to search for user
我能够成功连接并绑定到 LDAP,我可以查询一个域级别的用户,但不能查询下一级的用户。
我可以查询的base dn:
$ldap_base_dn = 'DC=a_level,DC=company,DC=org';
我要查询的base dn:
$ldap_base_dn = 'DC=b_level,DC=a_level,DC=company,DC=org';
我正在使用管理员帐户绑定到 LDAP。
<?php
/**
* Get a list of users from Active Directory.
*/
$ldap_password = 'PASSWORD';
$ldap_username = 'ADMIN';
$ldap_connection = ldap_connect('ldap://ldap.company.org/');
if (false === $ldap_connection) {
// Uh-oh, something is wrong...
print "CONNECT ERROR<br />";
}
// We have to set this option for the version of Active Directory we are using.
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.
if (true === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) {
print "ldap bind<br />";
$ldap_base_dn = 'DC=b_level,DC=a_level,DC=company,DC=org';
$search_filter = '(&(objectCategory=person)(samaccountname=*))';
$attributes = array();
$attributes[] = 'givenname';
$attributes[] = 'mail';
$attributes[] = 'samaccountname';
$attributes[] = 'sn';
$result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter, $attributes);
if (false !== $result) {
print "ldap search<br />";
$entries = ldap_get_entries($ldap_connection, $result);
for ($x=0; $x<$entries['count']; $x++) {
if (!empty($entries[$x]['givenname'][0]) &&
!empty($entries[$x]['mail'][0]) &&
!empty($entries[$x]['samaccountname'][0]) &&
!empty($entries[$x]['sn'][0]) &&
'Shop' !== $entries[$x]['sn'][0] &&
'Account' !== $entries[$x]['sn'][0]) {
$ad_users[strtoupper(trim($entries[$x]['samaccountname'][0]))] = array('email' => strtolower(trim($entries[$x]['mail'][0])),'first_name' => trim($entries[$x]['givenname'][0]),'last_name' => trim($entries[$x]['sn'][0]));
}
}
}
ldap_unbind($ldap_connection); // Clean up after ourselves.
}
$message .= "Retrieved ". count($ad_users) ." Active Directory users\n";
print $message;
echo '<pre>';
print_r($entries);
echo '</pre>';
使用程序 Apache Directory studio 我能够 运行 在 b_level 和搜索库 dn 中搜索用户,所以我不明白为什么 php 版本不起作用。
编辑:
更改显示错误输出。
<?php
/**
* Get a list of users from Active Directory.
*/
$ldap_password = 'PASSWORD';
$ldap_username = 'ADMIN';
$ldap_connection = ldap_connect('ldap://ldap.company.org/');
if (false === $ldap_connection) {
// Uh-oh, something is wrong...
print "CONNECT ERROR<br />";
}
print "Connect Success...<br />";
// We have to set this option for the version of Active Directory we are using.
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.
if (true === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) {
print "Bind Success...<br />";
$ldap_base_dn = 'DC=b_level,DC=a_level,DC=company,DC=org';
$search_filter = '(&(objectCategory=person)(samaccountname=*))';
$attributes = array();
$attributes[] = 'givenname';
$attributes[] = 'mail';
$attributes[] = 'samaccountname';
$attributes[] = 'sn';
$result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter, $attributes);
print "ldap_search error: ".ldap_error($ldap_connection) . '<br />';
if (false !== $result) {
print "LDAP Search...<br />";
$entries = ldap_get_entries($ldap_connection, $result);
for ($x=0; $x<$entries['count']; $x++) {
if (!empty($entries[$x]['givenname'][0]) &&
!empty($entries[$x]['mail'][0]) &&
!empty($entries[$x]['samaccountname'][0]) &&
!empty($entries[$x]['sn'][0]) &&
'Shop' !== $entries[$x]['sn'][0] &&
'Account' !== $entries[$x]['sn'][0]) {
$ad_users[strtoupper(trim($entries[$x]['samaccountname'][0]))] = array('email' => strtolower(trim($entries[$x]['mail'][0])),'first_name' => trim($entries[$x]['givenname'][0]),'last_name' => trim($entries[$x]['sn'][0]));
}
}
}
ldap_unbind($ldap_connection); // Clean up after ourselves.
}
$message .= "Retrieved ". count($ad_users) ." Active Directory users\n";
print $message;
echo '<pre>';
print_r($entries);
echo '</pre>';
输出为:
Connect Success...
Bind Success...
ldap_search error: Referral
LDAP Search...
Retrieved 0 Active Directory users
Array
(
[count] => 0
)
在我看来,base_dn (level_b) 并未存储在您请求的目录中,而是存储在配置为引用的另一个目录中。
您需要:
将行 ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); 更改为 ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, true);
配置一个重新绑定的回调函数来追踪推荐:查看http://php.net/manual/en/function.ldap-set-rebind-proc.php了解更多信息
我能够成功连接并绑定到 LDAP,我可以查询一个域级别的用户,但不能查询下一级的用户。
我可以查询的base dn:
$ldap_base_dn = 'DC=a_level,DC=company,DC=org';
我要查询的base dn:
$ldap_base_dn = 'DC=b_level,DC=a_level,DC=company,DC=org';
我正在使用管理员帐户绑定到 LDAP。
<?php
/**
* Get a list of users from Active Directory.
*/
$ldap_password = 'PASSWORD';
$ldap_username = 'ADMIN';
$ldap_connection = ldap_connect('ldap://ldap.company.org/');
if (false === $ldap_connection) {
// Uh-oh, something is wrong...
print "CONNECT ERROR<br />";
}
// We have to set this option for the version of Active Directory we are using.
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.
if (true === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) {
print "ldap bind<br />";
$ldap_base_dn = 'DC=b_level,DC=a_level,DC=company,DC=org';
$search_filter = '(&(objectCategory=person)(samaccountname=*))';
$attributes = array();
$attributes[] = 'givenname';
$attributes[] = 'mail';
$attributes[] = 'samaccountname';
$attributes[] = 'sn';
$result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter, $attributes);
if (false !== $result) {
print "ldap search<br />";
$entries = ldap_get_entries($ldap_connection, $result);
for ($x=0; $x<$entries['count']; $x++) {
if (!empty($entries[$x]['givenname'][0]) &&
!empty($entries[$x]['mail'][0]) &&
!empty($entries[$x]['samaccountname'][0]) &&
!empty($entries[$x]['sn'][0]) &&
'Shop' !== $entries[$x]['sn'][0] &&
'Account' !== $entries[$x]['sn'][0]) {
$ad_users[strtoupper(trim($entries[$x]['samaccountname'][0]))] = array('email' => strtolower(trim($entries[$x]['mail'][0])),'first_name' => trim($entries[$x]['givenname'][0]),'last_name' => trim($entries[$x]['sn'][0]));
}
}
}
ldap_unbind($ldap_connection); // Clean up after ourselves.
}
$message .= "Retrieved ". count($ad_users) ." Active Directory users\n";
print $message;
echo '<pre>';
print_r($entries);
echo '</pre>';
使用程序 Apache Directory studio 我能够 运行 在 b_level 和搜索库 dn 中搜索用户,所以我不明白为什么 php 版本不起作用。
编辑:
更改显示错误输出。
<?php
/**
* Get a list of users from Active Directory.
*/
$ldap_password = 'PASSWORD';
$ldap_username = 'ADMIN';
$ldap_connection = ldap_connect('ldap://ldap.company.org/');
if (false === $ldap_connection) {
// Uh-oh, something is wrong...
print "CONNECT ERROR<br />";
}
print "Connect Success...<br />";
// We have to set this option for the version of Active Directory we are using.
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.
if (true === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) {
print "Bind Success...<br />";
$ldap_base_dn = 'DC=b_level,DC=a_level,DC=company,DC=org';
$search_filter = '(&(objectCategory=person)(samaccountname=*))';
$attributes = array();
$attributes[] = 'givenname';
$attributes[] = 'mail';
$attributes[] = 'samaccountname';
$attributes[] = 'sn';
$result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter, $attributes);
print "ldap_search error: ".ldap_error($ldap_connection) . '<br />';
if (false !== $result) {
print "LDAP Search...<br />";
$entries = ldap_get_entries($ldap_connection, $result);
for ($x=0; $x<$entries['count']; $x++) {
if (!empty($entries[$x]['givenname'][0]) &&
!empty($entries[$x]['mail'][0]) &&
!empty($entries[$x]['samaccountname'][0]) &&
!empty($entries[$x]['sn'][0]) &&
'Shop' !== $entries[$x]['sn'][0] &&
'Account' !== $entries[$x]['sn'][0]) {
$ad_users[strtoupper(trim($entries[$x]['samaccountname'][0]))] = array('email' => strtolower(trim($entries[$x]['mail'][0])),'first_name' => trim($entries[$x]['givenname'][0]),'last_name' => trim($entries[$x]['sn'][0]));
}
}
}
ldap_unbind($ldap_connection); // Clean up after ourselves.
}
$message .= "Retrieved ". count($ad_users) ." Active Directory users\n";
print $message;
echo '<pre>';
print_r($entries);
echo '</pre>';
输出为:
Connect Success...
Bind Success...
ldap_search error: Referral
LDAP Search...
Retrieved 0 Active Directory users
Array
(
[count] => 0
)
在我看来,base_dn (level_b) 并未存储在您请求的目录中,而是存储在配置为引用的另一个目录中。
您需要:
将行
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0);更改为ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, true);配置一个重新绑定的回调函数来追踪推荐:查看http://php.net/manual/en/function.ldap-set-rebind-proc.php了解更多信息