{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 疯言疯语 的问题《LDAP DN search memberof》','https://www.manongdao.com/q-1071945.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Currently I'm trying to determine if a user should be able to login using LDAP. I've read up on many LDAP connections written in PHP and so far things were on track until I wanted to search if a user was part of a certain group.
Details I currently have to connecto to the LDAP server:
- DN: CN=PAY LDAP user,OU=pay,OU=Applications,OU=IT Specials,DC=domain,DC=be
- SAM: admin
- PWD: password
- Search DN ADM: OU=OU GROUP,OU=AD,DC=domain,DC=be
- LDAP / GC server: knt-adm-dc1.domain.be, knt-adm-dc2.domain.be
This code though doesn't return me any results:
if($bind = ldap_bind($ldap, $username, $password)) {
$filter = "(samaccountname=".$user.")";
$attr = array("memberof");
$result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldap, $result);
ldap_unbind($ldap);
}
When I leave out the $attr from the search I do get a result though I can't seem to find a way to determine of this user is part of the ADMIN group.
From what I could read online the memberof attribute should be used to find if a user is part of a group though.
A couple things:
memberOfattribute will not exist.memberOfattribute.A more failure-proof method is to use a somewhat obscure LDAP filter to search your group, and any nested groups, for a user: the LDAP_MATCHING_RULE_IN_CHAIN rule. Details here.
In PHP, it would look something like this (untested):
Where
$user_distinguished_nameis the distinguished name of the user, and$group_distinguished_nameis the DN of the group. You may have to get those beforehand.Note I'm put ldap_list instead of ldap_search. The only difference between the two is the scope of the search. I think ldap_search might still work, but it's not needed.