PHP LDAP 获取用户属性,包括关联的组

2022-01-07 00:00:00 ldap active-directory php

对当前用户运行搜索以检索所有属性(包括使用 LDAP/PHP 的 Active Directory 中的关联组)的最佳方法是什么?

What is the best way to run a search on the current user to retrieve all attributes, including associated groups in Active Directory using LDAP / PHP?

对于属性,主要是名字、姓氏和显示名称.

For attributes, mainly just first name, last name, and display name.

对于关联组,仅用户所属的组,例如 memberOf 函数.

For associated groups, just the groups the user is a member of, such as the memberOf function.

我尝试了几个选项,但似乎无法获得正确的过滤器/搜索组合,而且大多数示例都包括检索已知群组的用户列表.

I've tried a few options, but can't seem to get the right filter / search combination and most examples cover retrieving lists of users where there's a known group.

我尝试在成功绑定后运行它:

I've tried running this after a successful bind:

$attributes = array("displayname");
$filter = "(&(sAMAccountName=$username))";
$result = ldap_search($ds, $ldapconfig['basedn'], $filter, $attributes);
$entries = ldap_get_entries($ds, $result);
if($entries["count"] > 0){
  echo "displayName: ".$entries[0]['displayname'][0]."<br/>";
 } else {
 echo("msg:'".ldap_error($ds)."'</br>");
 }

返回以下错误:没有这样的对象".

Which returns the following error: "No such object".

更新:

这是我尝试过的最新块,当我打印 $info 变量时能够得到结果,但是 for 子句仍然在某处出错.我将 basedn 更改为仅 dc 属性:

This is the latest block I've tried and am able to get results when I print_r the $info variable, however the for clause is still erring out somewhere. I changed the basedn to just the dc attributes:

$filter="($SearchField=$SearchFor)";
$sr=ldap_search($ds, $basedn, $filter, $LDAPFieldsToFind);
$info = ldap_get_entries($ds, $sr);

if($info["count"] > 0) {
    for ($x=0; $x<$info["count"]; $x++) {
        $sam=$info[$x]['samaccountname'][0];
        $giv=$info[$x]['givenname'][0];
        $tel=$info[$x]['telephonenumber'][0];
        $email=$info[$x]['mail'][0];
        $nam=$info[$x]['cn'][0];
        $dir=$info[$x]['homedirectory'][0];
        $dir=strtolower($dir);
        $pos=strpos($dir,"home");
        $pos=$pos+5;
            if (stristr($sam, $SearchFor) && (strlen($dir) > 8)) {
              print "
Active Directory says that:
";
              print "CN is: ".$nam." 
";
              print "SAMAccountName is: ".$sam." 
";
              print "Given Name is: ".$giv." 
";
              print "Telephone is: ".$tel." 
";
              print "Home Directory is: ".$dir." 
";
            }   
    }
    }

结果的print_r为:

The print_r of the results are:

( [count] => 1 [0] => Array ( [cn] => Array ( [count] => 1 [0] => George ) [0] => cn [givenname] => Array ( [count] => 1 [0] => George ) [1] => givenname [memberof] => Array ( [count] => 4 [0] => CN=EQCStaff,CN=Users,DC=EQC,DC=local [1] => CN=RDS Users,OU=Security Groups,OU=Service,DC=EQC,DC=local [2] => CN=SFTP Client Folders,OU=Security Groups,OU=Service,DC=EQC,DC=local [3] => CN=EQC Staff,OU=Security Groups,OU=Service,DC=EQC,DC=local ) [2] => memberof [samaccountname] => Array ( [count] => 1 [0] => gortiz ) [3] => samaccountname [mail] => Array ( [count] => 1 [0] => user@domain.com ) [4] => mail [count] => 5 [dn] => CN=George,OU=Users,OU=Accounts,DC=EQC,DC=local ) )

推荐答案

这是我们用来转储 AD 信息的脚本,也许对你有帮助:

Here's a script we have for dumping AD information, maybe it will help you:

<?php
$ldap_columns = NULL;
$ldap_connection = NULL;
$ldap_password = 'top_secret_password';
$ldap_username = 'top_secret_username@'.LDAP_DOMAIN;

//------------------------------------------------------------------------------
// Connect to the LDAP server.
//------------------------------------------------------------------------------
$ldap_connection = ldap_connect(LDAP_HOSTNAME);
if (FALSE === $ldap_connection){
    die("<p>Failed to connect to the LDAP server: ". LDAP_HOSTNAME ."</p>");
}

ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.

if (TRUE !== ldap_bind($ldap_connection, $ldap_username, $ldap_password)){
    die('<p>Failed to bind to LDAP server.</p>');
}

//------------------------------------------------------------------------------
// Get a list of all Active Directory users.
//------------------------------------------------------------------------------
$ldap_base_dn = 'DC=xyz,DC=local';
$search_filter = "(&(objectCategory=person))";
$result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter);
if (FALSE !== $result){
    $entries = ldap_get_entries($ldap_connection, $result);
    if ($entries['count'] > 0){
        $odd = 0;
        foreach ($entries[0] AS $key => $value){
            if (0 === $odd%2){
                $ldap_columns[] = $key;
            }
            $odd++;
        }
        echo '<table class="data">';
        echo '<tr>';
        $header_count = 0;
        foreach ($ldap_columns AS $col_name){
            if (0 === $header_count++){
                echo '<th class="ul">';
            }else if (count($ldap_columns) === $header_count){
                echo '<th class="ur">';
            }else{
                echo '<th class="u">';
            }
            echo $col_name .'</th>';
        }
        echo '</tr>';
        for ($i = 0; $i < $entries['count']; $i++){
            echo '<tr>';
            $td_count = 0;
            foreach ($ldap_columns AS $col_name){
                if (0 === $td_count++){
                    echo '<td class="l">';
                }else{
                    echo '<td>';
                }
                if (isset($entries[$i][$col_name])){
                    $output = NULL;
                    if ('lastlogon' === $col_name || 'lastlogontimestamp' === $col_name){
                        $output = date('D M d, Y @ H:i:s', ($entries[$i][$col_name][0] / 10000000) - 11676009600); // See note below
                    }else{
                        $output = $entries[$i][$col_name][0];
                    }
                    echo $output .'</td>';
                }
            }
            echo '</tr>';
        }
        echo '</table>';
    }
}
ldap_unbind($ldap_connection); // Clean up after ourselves.
?>

用户 inventor96 建议使用 11644473600 而不是 11676009600.我可以确认 11644473600 在 Linux 环境中是正确的 - 我的猜测是inventor96是在Windows环境下.

User inventor96 has suggested using 11644473600 instead of 11676009600. I can confirm 11644473600 is correct in a Linux environment - my guess is that inventor96 is in a Windows environment.

相关文章