用于区分名称的 ldap 过滤器

2022-01-17 00:00:00 ldap ldap-query php

我正在使用以下代码成功地在我们的 Active Directory 中查询用户:

I am successfully querying our Active Directory for a user with the following code:

$filter = (&(objectCategory=person)(samaccountname=someusername));
$fields = array("samaccountname","mail","manager","department","displayname","objectGUID");

$user = ldap_search($ldapconnection, $baseDn, $filter, $fields);

生成的数组为 manager 属性提供此值:

The resulting array gives this value for the manager attribute:

CN=McBossy, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com

对我来说,这看起来像是一个杰出的名字.但是当我尝试查询经理的记录时,

This looks like a distinguishedName to me. But when I try to query for the manager's record,

$filter = (&(objectCategory=person)(dn='CN=McBossy, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com'));

$manager = ldap_search($ldapconnection, $baseDn, $filter, $fields);

查询失败,PHP 警告:ldap_search(): Search: Bad search filter

我尝试了多种可能性,包括不同的引用、更多的括号、使用 distinguishedName 而不是 dn 等.

I've tried a number of possibilities including different quotation, more parentheses, using distinguishedName rather than dn, etc.

我做错了什么,获取经理记录的正确方法是什么?

What am I doing wrong and what is the right way to get the manager's record?

推荐答案

dn 不是属性.过滤器中只能使用属性类型、OID 和名称.

dn is not an attribute. Only attribute types, OIDs, and names can be used in filters.

当您获得 manager 属性时,要获得作为经理的 DN 的属性,请使用 manager 属性的值作为搜索中的基本对象要求.将搜索范围设置为 BASE,将过滤器设置为 (&)(objectClass=*) 并请求所需的属性.然后将搜索请求传输到服务器并解释响应.

When you get the manager attribute, to get the attributes for the DN that is the manager, use the value of the manager attribute as the base object in a search request. Set the scope of the search to BASE, the filter to either (&) or (objectClass=*) and request the attributes required. Then transmit the search request to the server and interpret the response.

相关文章