PHP LDAP: binding to AD with the server's own user account
I have some code that uses PHP and LDAP to connect to AD:
$host = 'ldap://stack.overflow.com';
$port = 389;
$username = 'stackOverflow';
$password = 'IaMP4ssWord';
$dn = 'CN=Users, DC=STACK, DC=OVERFLOW, DC=COM';
$cond = '(&(objectcategory=user)(displayname=*))'; // All users that have a displayname
if ($ldap = ldap_connect($host, $port))
{
    if (ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3))
    {
        if (ldap_bind($ldap, $username, $password))
        {
            $attrs = array('displayname', 'mail');
            if ($rs = ldap_search($ldap, $dn, $cond, $attrs))
            {
                $results = ldap_get_entries($ldap, $rs);
                echo "<pre>"; print_r($results); echo "</pre>"; // Print the results
            }
        }
        else
        { echo 'Binding failed'; }
    }
    else
    { echo 'Setting options failed'; }
}
else
{ echo 'Connection failed'; }
Now this code works just fine. It prints out every user that has a displayname in AD. The problem is that for the username/password binding I am using my own user credentials to bind to the server.
I would like to know if there is a way to bind using the server's credentials.
I am set up using PHP 5.3 + IIS on Windows Server 2008 R2 for both the server with IIS and the one that has AD (two different VMs).
I also know that IIS has an AD account named IISStackOverflow, but I don't know the password, or even if it has one...
Thanks!
Oh! I tried changing $username to IISStackOverflow and $password to '', but it gave an invalid credentials error.
--Edit--
Do I have to do the binding part at all? (If I am only reading data)
Recommended answer
As you run it from the server itself, and you just want to read, I would try to use:
...
if(ldap_bind($ldap))
...
According to the PHP documentation, if bind_rdn and bind_password are not specified, an anonymous bind is attempted.
Then, if your anonymous logon is refused (it should not be, because running under IIS on the server your code is executed at least as a domain user), you will find there how to enable anonymous LDAP binds to Windows Server. This used to work for me on W2K8; I never tested it on W2K12.
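The following is an added example and is not code from the question or the answer above. It shows the alternative a practitioner usually ends up with instead of a personal account or an anonymous bind: a dedicated read-only service account, a StartTLS upgrade before the password is sent, a filter that escapes caller-supplied input, and a small probe for the anonymous-bind behaviour the answer describes. The host, base DN, service-account DN and the LDAP_SVC_PASSWORD environment variable are hypothetical placeholders; the example assumes the domain controller has a server certificate the PHP host trusts (otherwise ldap_start_tls() fails) and that ldap_escape() is available (PHP 5.6 or later).

```php
<?php
// Added example (not from the original question or answer). Placeholder
// names: dc01.example.com, the svc-ldap-read account and LDAP_SVC_PASSWORD.

function adConnect($host, $port, $bindDn, $bindPassword)
{
    // ldap_connect() only validates the URI; the socket is opened on the
    // first operation, so network errors surface at ldap_start_tls()/ldap_bind().
    $ldap = ldap_connect($host, $port);
    if ($ldap === false) {
        throw new RuntimeException('ldap_connect() rejected the host/port');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers subtree searches with referrals; having the client chase
    // them is a frequent cause of failed searches, so switch it off.
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Never send a simple-bind password over a cleartext connection.
    if (!ldap_start_tls($ldap)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ldap));
    }
    if (!ldap_bind($ldap, $bindDn, $bindPassword)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

function adUsersWithDisplayName($ldap, $baseDn)
{
    // objectCategory=person plus objectClass=user excludes computer accounts.
    $filter = '(&(objectCategory=person)(objectClass=user)(displayName=*))';
    $rs = ldap_search($ldap, $baseDn, $filter, array('displayname', 'mail'));
    if ($rs === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $rs);
    $users = array();
    for ($i = 0; $i < $entries['count']; $i++) {
        $e = $entries[$i];
        $users[] = array(
            'displayname' => isset($e['displayname'][0]) ? $e['displayname'][0] : '',
            'mail'        => isset($e['mail'][0]) ? $e['mail'][0] : '',
        );
    }
    return $users;
}

function adFindByDisplayName($ldap, $baseDn, $needle)
{
    // Escape before building the filter: an unescaped "*", "(", ")" or "\"
    // in caller input would let it widen or rewrite the query.
    $safe   = ldap_escape($needle, '', LDAP_ESCAPE_FILTER);
    $filter = '(&(objectCategory=person)(objectClass=user)(displayName=' . $safe . '))';
    $rs = ldap_search($ldap, $baseDn, $filter, array('displayname', 'mail'));
    return ($rs === false) ? array() : ldap_get_entries($ldap, $rs);
}

function adAllowsAnonymousBind($host, $port)
{
    // Probe for the answer's approach. AD normally accepts the anonymous bind
    // itself but only exposes the rootDSE to it; reading user objects needs
    // the dsHeuristics change the answer's link describes, so a true result
    // here does not by itself mean the search above will return entries.
    $ldap = ldap_connect($host, $port);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = @ldap_bind($ldap);
    ldap_unbind($ldap);
    return $ok;
}

// Usage with placeholder values; the service account only needs read rights.
$ldap = adConnect('ldap://dc01.example.com', 389,
                  'CN=svc-ldap-read,OU=Service Accounts,DC=example,DC=com',
                  getenv('LDAP_SVC_PASSWORD'));
foreach (adUsersWithDisplayName($ldap, 'CN=Users,DC=example,DC=com') as $u) {
    echo htmlspecialchars($u['displayname']), ' <', htmlspecialchars($u['mail']), ">\n";
}
ldap_unbind($ldap);
```

The service-account password lives outside the script (an environment variable or a secret store) rather than in source, as in the original snippet, and the account is granted only the read permissions the query needs, so a compromise of the web server yields nothing a domain user could not already read. If the domain enforces LDAP signing or channel binding, a cleartext simple bind is refused outright, which is another reason to keep the StartTLS step.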