使用 PHP 从 Active Directory 获取用户的全名

Question

我有一个使用 PHP/LDAP 让我的用户访问公司网站的登录页面。下面，我创建了一个语句，将用户的 AD 组成员身份存储在一个变量中，稍后用于根据用户在 AD 中的成员身份进行重定向>

现在，我现在还想添加从 Active Directory 获取用户全名并将其存储以供以后使用的功能。如何修改下面的语句以将 Active Directory 中的用户全名存储到另一个变量中？有什么想法吗？？

// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
    // valid
    // check presence in groups
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
  /* I would like to get and store the user's display name here somehow */
    ldap_unbind($ldap);

    // check groups
    foreach($entries[0]['memberof'] as $grps) {
        // is manager, break loop
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }

        // is user
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        // establish session variables
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        return true;
    } else {
        // user has no rights
        return false;
    }

} else {
    // invalid name or password
    return false;

提前感谢任何帮助/建议！

编辑

现在这是我的完整 PHP 页面，其中包含虚拟域的内容，但我遇到语法错误，我可以解决问题 :( 和帮助或想法？感谢 Alex 最初的帮助！

    <?php
function authenticate($user, $password) {
    // Active Directory server
    $ldap_host = "my FQDC DC";

    // Active Directory DN
    $ldap_dn = "DC=something,DC=something";

    // Active Directory user group
    $ldap_user_group = "WebUsers";

    // Active Directory manager group
    $ldap_manager_group = "WebManagers";

    // Domain, for purposes of constructing $user
    $ldap_usr_dom = "@mycompany.com";

// connect to active directory
$ldap = ldap_connect($ldap_host);
// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
// valid
// check presence in groups
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof","givenname");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    $givenname = $entries[0]['givenname'];
    ldap_unbind($ldap);

    // check groups
    foreach($entries[0]['memberof'] as $grps) {
        // is manager, break loop
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }

        // is user
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        // establish session variables
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        return true;
    } else {
        // user has no rights
        return false;
    }

} else {
    // invalid name or password
    return false;
}

?>

Answer 1

试试这个：

// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
    // valid
    // check presence in groups
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof","givenname");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    $givenname = $entries[0]['givenname'][0];
    ldap_unbind($ldap);

    // check groups
    foreach($entries[0]['memberof'] as $grps) {
        // is manager, break loop
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }

        // is user
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        // establish session variables
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        return true;
    } else {
        // user has no rights
        return false;
    }

} else {
    // invalid name or password
    return false;
}

Answer 2

希望这会有所帮助。当您从 ldap 读取时，您可以看到字段并将它们映射到某个会话变量。

$connect = @ldap_connect(LDAP_ADDRESS);
    if (!$connect) return FALSE;

    $bind = @ldap_bind($connect);
    if (!$bind) return FALSE;

    if ($resource = @ldap_search($connect,"dc=<yourdc>,dc=<yourdc>","uid=$user")) {

        if (@ldap_count_entries($connect,$resource) == 1) {

            if ($entry = @ldap_first_entry($connect,$resource)) {

                if ($user_dn = @ldap_get_dn($connect,$entry)) {

                    if ($link = @ldap_bind($connect,$user_dn,$password)) {

                        $_SESSION['user'] = $user;

                    }
                }
            }
        }
    }

    @ldap_close($connect);

Answer 3

碰到一个旧线程。我需要获取给定的姓名和姓氏，并将“sn”添加到属性中并添加到会话变量中，以便以后在另一个脚本中引用，如下所示：

我如何访问其他脚本中的会话变量：

$givenname = $_SESSION['givenname'];
$surname = $_SESSION['sn'];
$name = "{$givenname} {$surname}";

更新到以前的身份验证脚本：

// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
    // valid
    // check presence in groups
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof","givenname","sn");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    $givenname = $entries[0]['givenname'][0];
    $surname = $entries[0]['sn'][0];
    ldap_unbind($ldap);

    // check groups
    foreach($entries[0]['memberof'] as $grps) {
        // is manager, break loop
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }

        // is user
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        // establish session variables
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        $_SESSION['sn'] = $surname;
        return true;
    } else {
        // user has no rights
        return false;
    }

} else {
    // invalid name or password
    return false;
}