递归显示用户所属的所有 Active Directory 组
Display all Active Directory groups that a user is a member of recursively
我有以下脚本检查 AD 访问权限,然后还在特定组内检查成员资格。
如何显示用户所属的每个组,包括间接所属的组——例如,用户 userA 属于组 groupA,而 groupA 又属于 groupB,我希望同时显示 groupB 和 groupA
我错过了什么?
<?php
//ini_set('display_errors', 1);
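session_start();
//ini_set('display_startup_errors', 1);
//error_reporting(E_ALL);
// require_once('assets/config.php');
$ldap_server = "ldap*************************";

// Credentials are read from the session. Both variables are initialised so the
// bind code further down never touches an undefined variable when the session
// keys are missing (previously they were only assigned inside isset() guards).
// NOTE(review): 'itssd_pw' holds the user's plaintext password in the session;
// if it is only needed for this one bind, confirm with the login flow that sets
// it whether keeping it after the bind is necessary.
$submittedusername = isset($_SESSION['itssd_user']) ? $_SESSION['itssd_user'] : null;
$submittedpassword = isset($_SESSION['itssd_pw']) ? $_SESSION['itssd_pw'] : null;

//$ro_access_group='CN=****,OU=Service Desk,OU=Customer Services,OU=ITS,OU=Groups,DC=registry,DC=otago,DC=ac,DC=nz';
// DN that the bound user must be a direct or nested member of to be authorised.
// inGroup() matches it with the LDAP_MATCHING_RULE_IN_CHAIN memberOf filter,
// which only ever matches group objects, so this has to be a group DN; the
// domain root used below cannot match anything.
$ro_access_group='DC=registry,DC=otago,DC=ac,DC=nz';

// Connect to the LDAP server
$ldap = ldap_connect($ldap_server);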
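/**
 * Check whether $userDN is a direct or nested member of the group $groupToFind.
 *
 * The filter uses the Active Directory extensible-match rule
 * LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941), so the server resolves
 * nested group membership itself. The search is rooted at the user's own DN, so
 * the only entry that can come back is the user object.
 *
 * @param resource|\LDAP\Connection $ldapConnection bound LDAP connection
 * @param string                    $userDN         DN of the user to test
 * @param string                    $groupToFind    DN of a group object
 * @return bool true when the user is a (direct or nested) member of the group
 */
function inGroup($ldapConnection, $userDN, $groupToFind)
{
    // Escape the DN before embedding it in the filter: "*", "(", ")" and "\"
    // would otherwise change the meaning of the filter.
    $filter = "(memberof:1.2.840.113556.1.4.1941:=" . ldap_escape($groupToFind, '', LDAP_ESCAPE_FILTER) . ")";
    $search = ldap_search($ldapConnection, $userDN, $filter, array("dn"), 1);
    if ($search === false) {
        // Search failed (bad base DN, connection not bound, ...). Report
        // "not a member" instead of handing false to ldap_get_entries().
        return false;
    }
    $items = ldap_get_entries($ldapConnection, $search);
    // The raw entries were previously var_dump'ed into the HTTP response; an
    // authorisation check must not leak directory data to the page.
    if ($items === false || !isset($items["count"])) {
        return false;
    }
    return (bool)$items["count"];
}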
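if ($ldap) {
    // Active Directory requires LDAPv3 (v2 binds are rejected with a protocol
    // error), and chasing referrals on a domain-wide subtree search makes the
    // client follow links to other partitions it is not bound to.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Connect to the database for querying.
    // $dbConn = connectDB();
    //$dn = "cn=" . $submittedusername . ",ou=Users,ou=Otago,dc=registry,dc=otago,dc=ac,dc=nz";
    // Bind as DOMAIN\user. Single quotes keep the backslash literal; in the
    // original double-quoted "registry\" the backslash escaped the closing
    // quote and broke the statement.
    $dn = 'registry\\' . $submittedusername;
    $basedn = "dc=registry,dc=otago,dc=ac,dc=nz";
    $loginResult = 'INVALIDUSER';

    // An empty password must be rejected up front: ldap_bind() with an empty
    // password is an unauthenticated bind that servers may report as success.
    $haveCredentials = isset($submittedusername, $submittedpassword)
        && $submittedusername !== ''
        && $submittedpassword !== '';

    // Now attempt to bind
    if ($haveCredentials && ldap_bind($ldap, $dn, $submittedpassword)) {
        // The account name comes from the session, i.e. from earlier user
        // input: escape it so it cannot alter the structure of the filter.
        $userFilter = "(sAMAccountName=" . ldap_escape($submittedusername, '', LDAP_ESCAPE_FILTER) . ")";
        $search_user = ldap_search($ldap, $basedn, $userFilter);
        if ($search_user) {
            echo 'Authenticated';
        }
        // ldap_get_entries() must not be given false, and on no match it returns
        // array('count' => 0), which is truthy, so the count is checked explicitly.
        $user_details = $search_user ? ldap_get_entries($ldap, $search_user) : false;
        if (!$user_details || empty($user_details["count"])) {
            $loginResult = "INVALIDUSER";
            echo 'null user details<br>' . (is_array($user_details) ? sizeof($user_details) : 0);
        } else {
            $user = $user_details[0];
            if (isset($user["memberof"][0])) {
                // Only the user's direct groups are listed here; nested
                // membership is resolved server-side by inGroup() below.
                $groupCount = $user["memberof"]["count"];
                for ($i = 0; $i < $groupCount; $i++) {
                    // DNs are rendered into HTML, so encode them for that context.
                    echo htmlspecialchars($user["memberof"][$i], ENT_QUOTES, 'UTF-8');
                    echo "<br>";
                }
            }
            // NOTE(review): these session values are populated before the group
            // check below has passed; confirm that downstream pages gate on the
            // authorisation result and not merely on itssd_username being set.
            $_SESSION['itssd_email_messages_count'] = 0;
            $_SESSION['itssd_notifications_count'] = 0;
            $_SESSION['itssd_username'] = $submittedusername;
            $_SESSION['itssd_date_view'] = date('Y-m-d', time());
            $_SESSION['itssd_prod'] = FALSE;
            // Authorisation: direct or nested membership of $ro_access_group.
            // Evaluated once; the original re-ran the search in the failure
            // branch only to echo its debug output into the page.
            if (inGroup($ldap, $user["dn"], $ro_access_group)) {
                $loginResult = "Authorised";
            } else {
                $loginResult = "INVALIDUSER";
            }
        }
    }
    // Drop the password from this scope as soon as the bind attempt is over.
    $submittedpassword = NULL;
    echo $loginResult;
}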
?>
在您的 inGroup
方法中,请将其用于过滤器:
$filter = "(&(distinguishedName=$groupToFind)(member:1.2.840.113556.1.4.1941:=$userDN))";
这会先按 DN 选中该组,再递归检查该组是否包含这个成员。
编辑
如果要搜索并返回用户所属的所有群组,请使用此过滤器:
$filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$userDN))";
例如:
$filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$userDN))";
// NOTE(review): $userDN is interpolated straight into the filter. If it can
// come from request input rather than from a directory lookup, pass it through
// ldap_escape($userDN, '', LDAP_ESCAPE_FILTER) first so it cannot reshape the filter.
// The second argument is the search base; the filter below only matches group objects.
$search = ldap_search($ldapConnection, 'DC=registry,DC=otago,DC=ac,DC=nz', $filter, array("cn"));
$allGroups = ldap_get_entries($ldapConnection, $search);
上面的 $allGroups
将包含用户直接或间接属于的每个组(例如属于不同组的组等)。但是,DC=registry,DC=otago,DC=ac,DC=nz
真的是您域的 "base"(根)级别吗?那应当作为 ldap_search
的第二个参数(搜索基准 DN)。
我有以下脚本检查 AD 访问权限,然后还在特定组内检查成员资格。
如何显示用户所属的每个组,包括间接所属的组——例如,用户 userA 属于组 groupA,而 groupA 又属于 groupB,我希望同时显示 groupB 和 groupA
我错过了什么?
<?php
//ini_set('display_errors', 1);
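session_start();
//ini_set('display_startup_errors', 1);
//error_reporting(E_ALL);
// require_once('assets/config.php');
$ldap_server = "ldap*************************";

// Credentials are read from the session. Both variables are initialised so the
// bind code further down never touches an undefined variable when the session
// keys are missing (previously they were only assigned inside isset() guards).
// NOTE(review): 'itssd_pw' holds the user's plaintext password in the session;
// if it is only needed for this one bind, confirm with the login flow that sets
// it whether keeping it after the bind is necessary.
$submittedusername = isset($_SESSION['itssd_user']) ? $_SESSION['itssd_user'] : null;
$submittedpassword = isset($_SESSION['itssd_pw']) ? $_SESSION['itssd_pw'] : null;

//$ro_access_group='CN=****,OU=Service Desk,OU=Customer Services,OU=ITS,OU=Groups,DC=registry,DC=otago,DC=ac,DC=nz';
// DN that the bound user must be a direct or nested member of to be authorised.
// inGroup() matches it with the LDAP_MATCHING_RULE_IN_CHAIN memberOf filter,
// which only ever matches group objects, so this has to be a group DN; the
// domain root used below cannot match anything.
$ro_access_group='DC=registry,DC=otago,DC=ac,DC=nz';

// Connect to the LDAP server
$ldap = ldap_connect($ldap_server);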
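/**
 * Check whether $userDN is a direct or nested member of the group $groupToFind.
 *
 * The filter uses the Active Directory extensible-match rule
 * LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941), so the server resolves
 * nested group membership itself. The search is rooted at the user's own DN, so
 * the only entry that can come back is the user object.
 *
 * @param resource|\LDAP\Connection $ldapConnection bound LDAP connection
 * @param string                    $userDN         DN of the user to test
 * @param string                    $groupToFind    DN of a group object
 * @return bool true when the user is a (direct or nested) member of the group
 */
function inGroup($ldapConnection, $userDN, $groupToFind)
{
    // Escape the DN before embedding it in the filter: "*", "(", ")" and "\"
    // would otherwise change the meaning of the filter.
    $filter = "(memberof:1.2.840.113556.1.4.1941:=" . ldap_escape($groupToFind, '', LDAP_ESCAPE_FILTER) . ")";
    $search = ldap_search($ldapConnection, $userDN, $filter, array("dn"), 1);
    if ($search === false) {
        // Search failed (bad base DN, connection not bound, ...). Report
        // "not a member" instead of handing false to ldap_get_entries().
        return false;
    }
    $items = ldap_get_entries($ldapConnection, $search);
    // The raw entries were previously var_dump'ed into the HTTP response; an
    // authorisation check must not leak directory data to the page.
    if ($items === false || !isset($items["count"])) {
        return false;
    }
    return (bool)$items["count"];
}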
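if ($ldap) {
    // Active Directory requires LDAPv3 (v2 binds are rejected with a protocol
    // error), and chasing referrals on a domain-wide subtree search makes the
    // client follow links to other partitions it is not bound to.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Connect to the database for querying.
    // $dbConn = connectDB();
    //$dn = "cn=" . $submittedusername . ",ou=Users,ou=Otago,dc=registry,dc=otago,dc=ac,dc=nz";
    // Bind as DOMAIN\user. Single quotes keep the backslash literal; in the
    // original double-quoted "registry\" the backslash escaped the closing
    // quote and broke the statement.
    $dn = 'registry\\' . $submittedusername;
    $basedn = "dc=registry,dc=otago,dc=ac,dc=nz";
    $loginResult = 'INVALIDUSER';

    // An empty password must be rejected up front: ldap_bind() with an empty
    // password is an unauthenticated bind that servers may report as success.
    $haveCredentials = isset($submittedusername, $submittedpassword)
        && $submittedusername !== ''
        && $submittedpassword !== '';

    // Now attempt to bind
    if ($haveCredentials && ldap_bind($ldap, $dn, $submittedpassword)) {
        // The account name comes from the session, i.e. from earlier user
        // input: escape it so it cannot alter the structure of the filter.
        $userFilter = "(sAMAccountName=" . ldap_escape($submittedusername, '', LDAP_ESCAPE_FILTER) . ")";
        $search_user = ldap_search($ldap, $basedn, $userFilter);
        if ($search_user) {
            echo 'Authenticated';
        }
        // ldap_get_entries() must not be given false, and on no match it returns
        // array('count' => 0), which is truthy, so the count is checked explicitly.
        $user_details = $search_user ? ldap_get_entries($ldap, $search_user) : false;
        if (!$user_details || empty($user_details["count"])) {
            $loginResult = "INVALIDUSER";
            echo 'null user details<br>' . (is_array($user_details) ? sizeof($user_details) : 0);
        } else {
            $user = $user_details[0];
            if (isset($user["memberof"][0])) {
                // Only the user's direct groups are listed here; nested
                // membership is resolved server-side by inGroup() below.
                $groupCount = $user["memberof"]["count"];
                for ($i = 0; $i < $groupCount; $i++) {
                    // DNs are rendered into HTML, so encode them for that context.
                    echo htmlspecialchars($user["memberof"][$i], ENT_QUOTES, 'UTF-8');
                    echo "<br>";
                }
            }
            // NOTE(review): these session values are populated before the group
            // check below has passed; confirm that downstream pages gate on the
            // authorisation result and not merely on itssd_username being set.
            $_SESSION['itssd_email_messages_count'] = 0;
            $_SESSION['itssd_notifications_count'] = 0;
            $_SESSION['itssd_username'] = $submittedusername;
            $_SESSION['itssd_date_view'] = date('Y-m-d', time());
            $_SESSION['itssd_prod'] = FALSE;
            // Authorisation: direct or nested membership of $ro_access_group.
            // Evaluated once; the original re-ran the search in the failure
            // branch only to echo its debug output into the page.
            if (inGroup($ldap, $user["dn"], $ro_access_group)) {
                $loginResult = "Authorised";
            } else {
                $loginResult = "INVALIDUSER";
            }
        }
    }
    // Drop the password from this scope as soon as the bind attempt is over.
    $submittedpassword = NULL;
    echo $loginResult;
}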
?>
在您的 inGroup
方法中,请将其用于过滤器:
$filter = "(&(distinguishedName=$groupToFind)(member:1.2.840.113556.1.4.1941:=$userDN))";
这会先按 DN 选中该组,再递归检查该组是否包含这个成员。
编辑
如果要搜索并返回用户所属的所有群组,请使用此过滤器:
$filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$userDN))";
例如:
$filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=$userDN))";
// NOTE(review): $userDN is interpolated straight into the filter. If it can
// come from request input rather than from a directory lookup, pass it through
// ldap_escape($userDN, '', LDAP_ESCAPE_FILTER) first so it cannot reshape the filter.
// The second argument is the search base; the filter below only matches group objects.
$search = ldap_search($ldapConnection, 'DC=registry,DC=otago,DC=ac,DC=nz', $filter, array("cn"));
$allGroups = ldap_get_entries($ldapConnection, $search);
上面的 $allGroups
将包含用户直接或间接属于的每个组(例如属于不同组的组等)。但是,DC=registry,DC=otago,DC=ac,DC=nz
真的是您域的 "base"(根)级别吗?那应当作为 ldap_search
的第二个参数(搜索基准 DN)。