PHP LDAP: binding to AD with the server's own user account

2022-01-07 00:00:00 ldap active-directory php iis

I have some code that uses PHP and LDAP to connect to AD:

$host = 'ldap://stack.overflow.com';
$port = 389;
$username = 'stackOverflow';
$password = 'IaMP4ssWord';
$dn = 'CN=Users, DC=STACK, DC=OVERFLOW, DC=COM';
$cond = '(&(objectcategory=user)(displayname=*))';//All users that have a displayname

if($ldap = ldap_connect($host, $port))
{
    if(ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3))//AD requires LDAPv3
    {
        if(ldap_bind($ldap, $username, $password))//Simple bind with my own credentials
        {
            $attrs = array('displayname', 'mail');
            if($rs = ldap_search($ldap, $dn, $cond, $attrs))
            {
                $results = ldap_get_entries($ldap, $rs);
                echo "<pre>";print_r($results);echo "</pre>";//Print the results
            }
        }
        else
        { echo 'Binding failed';}
    }
    else
    { echo 'Setting options failed';}
}
else
{ echo 'Connection failed'; }

Now this code works just fine. It prints out every user that has a displayname in AD. The problem is that for the username/password binding I am using my own user credentials to bind to the server.

I would like to know if there is a way to bind using the server's credentials.

I am set up using PHP 5.3 + IIS on Windows Server 2008 R2, for both the server with IIS and the one that has AD (two different VMs).

I also know that IIS has an AD account named IISStackOverflow, but I don't know the password, or even if it has a password...

Thanks!

Oh! I tried changing $username to IISStackOverflow and $password to ''

But it gave an invalid credentials error.

--EDIT--

Do I have to do the binding part at all? (If I am only reading data)

Accepted answer

As you run it from the server itself, and you just want to read, I would try to use:

...
if(ldap_bind($ldap))
...

According to the PHP documentation, if bind_rdn and bind_password are not specified, an anonymous bind is attempted.

Then, if your anonymous logon is refused (it should not be, because running under IIS on the server your code is at least executed as a domain user), you will find there how to enable anonymous LDAP binds to Windows Server. This used to work for me on W2K8; I never tested it on W2K12.
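An added example, not code from the question or the answer above: the same search done with a dedicated read-only service account taken from the environment instead of a personal login, with StartTLS before the bind and the filter input escaped. It assumes a placeholder DC hostname and base DN, the hypothetical environment variables LDAP_BIND_DN and LDAP_BIND_PASSWORD, and PHP 5.6 or later for ldap_escape (the question runs 5.3, where an equivalent escaping function would be needed).

```php
<?php
// Added example (not from the question or answer). Assumptions: placeholder
// host/base DN, bind credentials supplied via environment variables, StartTLS
// available on the DC, and PHP >= 5.6 for ldap_escape().
$host   = 'ldap://dc.example.internal';        // placeholder DC hostname
$baseDn = 'CN=Users,DC=EXAMPLE,DC=INTERNAL';   // placeholder search base
$bindDn = getenv('LDAP_BIND_DN');              // e.g. svc-ldap-reader@example.internal (hypothetical)
$bindPw = getenv('LDAP_BIND_PASSWORD');        // keep the secret out of the script itself

function adSearchUsers($host, $baseDn, $bindDn, $bindPw, $displayNamePrefix)
{
    $ldap = ldap_connect($host);
    if (!$ldap) { return array('error' => 'Connection failed'); }

    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals

    // Upgrade the plaintext port-389 connection before any credentials are sent.
    if (!ldap_start_tls($ldap)) {
        return array('error' => 'StartTLS failed: ' . ldap_error($ldap));
    }

    // Simple bind as the service account. Calling ldap_bind() with no DN and no
    // password attempts an anonymous bind, which AD refuses by default, so a
    // dedicated low-privilege account is the usual replacement for personal creds.
    if (!ldap_bind($ldap, $bindDn, $bindPw)) {
        return array('error' => 'Bind failed: ' . ldap_error($ldap));
    }

    // Escape user-supplied input so it cannot change the filter structure.
    $safe   = ldap_escape($displayNamePrefix, '', LDAP_ESCAPE_FILTER);
    $filter = '(&(objectCategory=person)(objectClass=user)(displayName=' . $safe . '*))';
    $attrs  = array('displayname', 'mail');

    $rs = ldap_search($ldap, $baseDn, $filter, $attrs);
    if (!$rs) { return array('error' => 'Search failed: ' . ldap_error($ldap)); }

    $entries = ldap_get_entries($ldap, $rs);
    ldap_unbind($ldap);
    return $entries;
}

$result = adSearchUsers($host, $baseDn, $bindDn, $bindPw, 'J');
echo '<pre>' . htmlspecialchars(print_r($result, true)) . '</pre>';
```

If the anonymous bind the answer suggests is what you actually want, pass no DN and no password to ldap_bind() and expect the "invalid credentials" result on a default AD unless anonymous binds have been enabled on the domain controller.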
