XLVIII. LDAP Functions
Introduction
LDAP stands for Lightweight Directory Access Protocol and is a protocol for accessing "directory servers".
The directory is a special kind of database that holds information in a tree structure.
The concept is similar to the directory structure of your hard disk, except that in this context the root directory is "the world" and the first-level subdirectories represent "countries". The directories below the country level contain entries for companies, organisations or cities. Nested deeper still are directory entries for people and perhaps for equipment or documents.
To refer to a file in a subdirectory of your hard disk, you might use a notation such as
/usr/local/meine_daten/doku
The slashes delimit each part of this reference, and the sequence is read from left to right.
The LDAP counterpart of a fully qualified file reference is the distinguished name, referred to for brevity as "dn".
An example of such a dn might be
cn=Hans Mustermann,ou=Buchhaltung,o=Meine Firma,c=DE
The commas delimit each part of this reference, and the sequence is read from right to left.
You would read this dn as follows:
country = DE
organisation (organisation) = Meine Firma
organisational unit (organisationalUnit) = Buchhaltung
common name (commonName) = Hans Mustermann
Just as there are no universally binding rules for how you organise the directory structure of your hard disk, the administrator of a directory server can implement any structure that makes sense for its purpose.
The message is this: you cannot write code to access a directory server without knowing something about its structure, any more than you can use a database without knowing what it contains.
You can find a great deal of information at
The Netscape SDK contains a helpful Programmer's Guide in .html format.
Requirements
You must download and compile the LDAP client libraries. You can use either the ldap-3.3 package from the University of Michigan or the Netscape Directory SDK 3.0.
Installation
LDAP support is not enabled in PHP by default. You must specify the configuration option --with-ldap[=DIR] when compiling PHP. DIR is the LDAP installation directory.
Note for Win32 users:
To use this module under Windows, you must copy libsasl.dll from the DLL folder of the PHP/Win32 package into your system's SYSTEM32 folder (e.g. C:\WINNT\SYSTEM32 or C:\WINDOWS\SYSTEM32).
Runtime Configuration
The behaviour of these functions is affected by settings in php.ini.
Table 1. LDAP Configuration Options
Name | Default | Changeable
---|---|---
ldap.max_links | "-1" | PHP_INI_SYSTEM
For further details and the definition of the PHP_INI_* constants, see ini_set().
Resource Types
This extension defines no resource types.
Predefined Constants
The following constants are defined by this extension and are available only when the extension has either been compiled into PHP statically or loaded dynamically at runtime.
Examples
Retrieve information from a directory server for all entries whose surname begins with "S", and display an extract with name and e-mail address.
Example 1. LDAP search example

<?php
// The basic LDAP sequence is: connect, bind, search,
// interpret the search result, close the connection
echo "<h3>LDAP query Test</h3>";
echo "Verbindung ...";
$ds = ldap_connect("localhost"); // must be a valid LDAP server!
echo "Ergebnis der Verbindung: " . $ds . "<p>";
if ($ds) {
    echo "Bindung ...";
    $r = ldap_bind($ds); // this is an "anonymous" bind,
                         // typically read-only access
    echo "Ergebnis der Bindung " . $r . "<p>";
    echo "Suche nach (sn=S*) ...";
    // search on the surname attribute; the filter is parenthesised
    // as LDAP filter syntax requires
    $sr = ldap_search($ds, "o=Meine Firma, c=DE", "(sn=S*)");
    echo "Ergebnis der Suche " . $sr . "<p>";
    echo "Anzahl gefundenen Einträge " . ldap_count_entries($ds, $sr) . "<p>";
    echo "Einträge holen ...<p>";
    $info = ldap_get_entries($ds, $sr);
    echo "Daten für " . $info["count"] . " Items gefunden:<p>";
    for ($i = 0; $i < $info["count"]; $i++) {
        echo "dn ist: " . $info[$i]["dn"] . "<br>";
        echo "erster cn Eintrag: " . $info[$i]["cn"][0] . "<br>";
        echo "erster email Eintrag: " . $info[$i]["mail"][0] . "<p>";
    }
    echo "Verbindung schließen";
    ldap_close($ds);
} else {
    echo "<h4>Verbindung zum LDAP Server nicht möglich</h4>";
}
?>
Using the PHP LDAP calls
Before you can use the LDAP calls, you need to know the following:
the name or address of the directory server you want to use;
the "base dn" of the server (the part of the world directory that is hosted on this server), which might be "o=Meine Firma,c=DE";
whether you need a password to access the server (many servers offer read access via an "anonymous bind" but require a password for anything further).
The typical sequence of LDAP calls in an application follows this pattern:
ldap_connect() // establish a connection to the server
|
ldap_bind() // anonymous or authenticated "login"
|
do something, e.g. search or update the directory and display the result
|
ldap_close() // "logout"
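The connect / bind / search / close sequence above, written out as an added example (not code from the manual page) with the checks a deployment needs: LDAPv3, StartTLS before the password is sent, an authenticated bind, and a search filter that escapes the user-supplied value. The host name, base dn, bind dn and password are placeholders.

```php
<?php
// Added example: the LDAP call sequence from the manual with error
// handling, StartTLS and filter escaping. All server values are placeholders.

function ldap_find_surnames($host, $base_dn, $bind_dn, $bind_pw, $prefix)
{
    $ds = ldap_connect("ldap://$host");   // only validates the URI syntax
    if (!$ds) {
        throw new RuntimeException("invalid LDAP URI for $host");
    }
    // LDAPv3 is required for StartTLS and by most current servers;
    // LDAP_OPT_REFERRALS = 0 avoids chasing referrals with our credentials.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // The TCP connection is opened here; fail closed rather than falling
    // back to sending the bind password in the clear.
    if (!ldap_start_tls($ds)) {
        throw new RuntimeException("StartTLS failed: " . ldap_error($ds));
    }
    if (!ldap_bind($ds, $bind_dn, $bind_pw)) {
        throw new RuntimeException("bind failed: " . ldap_error($ds));
    }
    // Never interpolate raw input into a filter: unescaped ( ) * or \
    // would change the filter's structure. LDAP_ESCAPE_FILTER encodes them.
    $filter = "(sn=" . ldap_escape($prefix, "", LDAP_ESCAPE_FILTER) . "*)";
    $attrs = array("cn", "mail");               // request only what is shown
    $sr = ldap_search($ds, $base_dn, $filter, $attrs);
    if (!$sr) {
        throw new RuntimeException("search failed: " . ldap_error($ds));
    }
    $result = array();
    $entries = ldap_get_entries($ds, $sr);
    for ($i = 0; $i < $entries["count"]; $i++) {
        $e = $entries[$i];
        // attribute names come back lower-cased; mail may be absent
        $result[] = array(
            "dn"   => $e["dn"],
            "cn"   => isset($e["cn"][0]) ? $e["cn"][0] : "",
            "mail" => isset($e["mail"][0]) ? $e["mail"][0] : "",
        );
    }
    ldap_close($ds);
    return $result;
}

// Placeholder values; replace with your own server, base dn and reader account.
foreach (ldap_find_surnames("ldap.example.com", "o=Meine Firma,c=DE",
                            "cn=reader,o=Meine Firma,c=DE", "secret", "S") as $row) {
    printf("%s <%s> (%s)\n", $row["cn"], $row["mail"], $row["dn"]);
}
```

Requires PHP >= 5.6 for ldap_escape(); on a server that does not offer StartTLS, use an ldaps:// URI instead of ldap_start_tls().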
User Contributed Notes: LDAP Functions

ron at opus1 dot com
24-Feb-2000 12:18
Note that when you are using loops to search through attributes, you must
handle [dn] separately, otherwise each iteration of the loop will only
return each character of the dn, left to right, and the array for dn of
"cn=boo" would be:
dn[0]="c"
dn[1]="n"
dn[2]="="
dn[3]="b"
dn[4]="o"
dn[5]="o"
Not too much fun to debug. ;-)
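The pitfall described above comes from the mixed shape of an ldap_get_entries() result: a count, a dn string, numeric aliases of the attribute names, and one array per attribute. As an added example (not part of the note), a helper that walks that structure generically and treats dn as a string; the input array is constructed by hand in the shape ldap_get_entries() returns, so no server is needed.

```php
<?php
// Added example: flatten one ldap_get_entries() result into a plain
// array of entries. $sample below is constructed by hand in the shape
// ldap_get_entries() produces; no server is contacted.

function ldap_entries_to_array(array $entries)
{
    $out = array();
    for ($i = 0; $i < $entries["count"]; $i++) {
        $raw = $entries[$i];
        $entry = array("dn" => $raw["dn"]);   // dn is a plain string, not an attribute
        foreach ($raw as $key => $value) {
            // skip the bookkeeping keys: the attribute count, the dn handled
            // above, and the numeric keys 0..n-1 that only alias attribute names
            if ($key === "count" || $key === "dn" || is_int($key)) {
                continue;
            }
            // each attribute is an array with its own "count"; keep the values only
            $values = array();
            for ($j = 0; $j < $value["count"]; $j++) {
                $values[] = $value[$j];
            }
            $entry[$key] = $values;           // note: PHP lower-cases attribute names
        }
        $out[] = $entry;
    }
    return $out;
}

// Constructed sample: one entry with two attributes, as returned for (sn=S*)
$sample = array(
    "count" => 1,
    0 => array(
        "count" => 2,
        "dn"    => "cn=boo,o=Meine Firma,c=DE",
        0 => "cn",   "cn"   => array("count" => 1, 0 => "boo"),
        1 => "mail", "mail" => array("count" => 2, 0 => "boo@example.com", 1 => "b@example.com"),
    ),
);
print_r(ldap_entries_to_array($sample));
// Looping over strlen($sample[0]["dn"]) instead is what yields the
// one-character-per-iteration output shown in the note above.
```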

mleaver at scis dot ecu dot edu dot au
08-Mar-2001 08:32
When authenticating to a Win2k LDAP server you must include the name of the person authenticating to the server in the dn, i.e.
cn=administrator, cn=users, dc=server, dc=domain, dc=country
Then when you bind to the LDAP database you use:
$res = ldap_bind($ldap, $dn, $password);
So a full example would be:
if (!($ldap = ldap_connect("<server>", <port>))) {
    die("Could not connect to LDAP server");
}
$dn = "cn=administrator, cn=users, dc=myserver, dc=com, dc=au";
$password = "MyPassword";
if (!($res = @ldap_bind($ldap, $dn, $password))) {
    die("Could not bind to $dn");
}
Then you do your list or search functions on the ldap database.

ian at eiloart dot comNOSPAM
17-Jul-2001 06:34
Watch out: some of these functions return misleading errors if you are not bound to the ldap server. For example, ldap_errno will tell you that it has been passed an invalid link identifier.

yapt at techNOSPAMnovell dot com
14-Oct-2001 11:37
I have found this new site with a lot of information about LDAP:

bounty_arz at hotmail dot com
26-Nov-2001 04:46
Hi,
There is a way to access Active Directory:
- You will have to bind as admin, e.g. [email protected], or as a user, e.g. [email protected] (because you can't search the subtree as anonymous).
Then you can query, add, delete and modify entries if you respect the syntax of the MS schema.
F.B

j dot parree at net-communications dot de
27-Nov-2001 01:01
Interoperability
Unix-PHP-LDAP based -> Active Directory (LDAP-server)
Well, we tried to use a superuser account but were still not allowed to query important data like encrypted user passwords. And that's because of the API problem, as described above.
Right now I am working on a solution to use kerberos authentication to query the user against active directory.
For more information about this try:
---------------------------------------
Solving this interoperability problem is still a big issue to many developers.
J.J. Parree
Net communications GmbH
Cologne, Germany

webmaster at autourdupc dot com
31-Dec-2001 11:36
When authenticating to a Win2k LDAP server, the name of the person must be the FULL NAME in the dn.
NB: nothing is case sensitive!
$dn = "cn=DUPOND John, cn=Users, dc=autourdupc, dc=com";
$password = "Password_of_DUPOND";
Then when you bind to the LDAP database you use:
if (!($ldap = ldap_connect("<server>", <port>))) {
    die("Could not connect to LDAP server");
}
if (!($res = @ldap_bind($ldap, $dn, $password))) {
    die("Could not bind to $dn");
}
Hope this will be useful for everyone!

bob dot brown at opus dot co dot nz
08-Jan-2002 10:53
We have just reorganised our LDAP database to suit some of the responses
that Microsoft Outlook expects to receive. As part of this I have
discovered that the names of the LDAP attributes returned have been
converted (by PHP I presume) to lower case. This means that even though
the ldap attribute is "telephoneNumber", you must use
$info[0]["telephonenumber"][0] as
$info[$i]["telephoneNumber"][0] is not set.
Hope this helps someone :)

php ^ pixelcop , com
23-Apr-2002 08:33
For those trying to do LDAP authentication with Lotus Domino NAB, the following has worked for me (based on the win2k example by [email protected]):
$ip = "localhost";
$dn = "CN=Joe Blo, O=myOrganization";
$password = "password";
if (!($ldap = ldap_connect($ip))) {
    die("Could not connect to LDAP server");
}
print "connected to <b>$ip</b><br/>";
if (!($res = @ldap_bind($ldap, $dn, $password))) {
    die("Could not bind to $dn");
}
print "user <b>$dn</b> authenticated.<br/>";
$sdn = "O=myOrganization";
$filter = "(objectclass=*)";
print "executing search...<b>DN: $sdn; Filter: $filter</b><br/>";
$sr = ldap_search($ldap, $sdn, $filter);
$info = ldap_get_entries($ldap, $sr);
print $info["count"] . " entries returned<hr>";
print "<PRE>";
print_r($info);
print "</PRE>";

sukhruprai at yahoo dot com
05-May-2002 01:56
There is an article about how to compile openldap on windows. Openldap
binaries are also available for download (for windows).

wtfo at technocraft dot com
23-May-2002 10:40
This worked for me:
function checkNTUser($username, $password)
{
    $ldapserver = 'Your Server';
    $ds = ldap_connect($ldapserver);
    if ($ds) {
        $dn = "cn=$username,cn=Users, DC=[sitename], DC=[sitesuffix]";
        $r = @ldap_bind($ds, $dn, $password);
        if ($r) {
            return true;
        } else {
            return false;
        }
    }
    return false; // no connection handle: treat as authentication failure
}

knitterb at blandsite dot org
20-Jun-2002 03:48
When using PHP 4.2.1 with OpenLDAP 2.1.2 I was having problems with binding
to the ldap server. I found that php was using an older protocol and
added the following to the slapd.conf:
allow bind_v2
See "man slapd.conf" for more info about the allow item in the slapd.conf file; this is all I know! :)

JoshuaStarr at aelana dot com
03-Jul-2002 10:58
Behind the scenes, PHP is known to compile with the Netscape/iPlanet SDK
and those from OpenLDAP. We have successfully gotten the 32-bit Netscape
LDAP SDK for C v4.14 to compile into PHP on numerous platforms, most often
on Sun Solaris 2.6-2.8. We have never gotten the 64-bit 4.14 version to
work properly (at least on Solaris) nor have we gotten the 5.x versions to
work with PHP. Honestly, we didn't try hard with the 5.x versions because
we knew we could get v4.14 to work.
For our configuration, we specify the exact installation path for the C SDK in the --with-ldap option. I think the default goes to /usr/local/ldap if unspecified but I never trust the defaults for MySQL or LDAP (no offense to anyone).
This is some basic historical information for those of you that may be struggling to get LDAP into your PHP compilations. I hope it sheds some light!

rusko dot marton at gibzone dot hu
11-Jul-2002 12:06
You can authenticate to a Windows 2000 domain's ldap server easily by using the simplified netbios form of the username.
Somebody wrote: When authenticating to a Win2k LDAP server, the name of the person must be the FULL NAME in the dn
NO. You can use this form:
$user = "DOMAINNAME\\username";
$password = "Password_of_user";
if (!$connect = ldap_connect("<server>", <port>)) {
    // error exit;
}
if (!$res = @ldap_bind($connect, $user, $password)) {
    // error exit;
}
It works fine with Active Directory, we use it.

mike at whisperedlies dot org
09-Sep-2002 04:41
In addition to the netBIOS suggestion above, when binding to a Windows2k AD
server, you can use the UPN of the intended user. For instance, if your
SAM account name is firstname.lastname and your domain is domainname.com,
your UPN might be [email protected]. This can be used to bind to AD. I've not seen any difference in any of the methods.

gerbille at free dot fr
10-Oct-2002 01:26
The MD5 of PHP returns a result encoded in base16. But the LDAP MD5 returns a string encoded in base64.
$pwd = "toto";
$pwd_md5 = base64_encode(mhash(MHASH_MD5, $pwd)); // raw binary digest, then base64
Just add "{MD5}" in front of $pwd_md5 to obtain the same format as the LDAP directory.
Bye Aurélia

nospam-mark@atarexDOTcom
23-Oct-2002 07:06
Beware when linking to LDAP libraries: Solaris 8 comes with some by
default, and you may have installed Netscape LDAP C SDK as well, but
OpenLDAP defaults to use /usr/local.
So know thy SDK: I had many build problems because I had Solaris 8, Netscape 3.0, Iplanet 5.0 and OpenLDAP libraries on my system.

jon dot caplinger at broadwing dot com
09-Nov-2002 05:44
Here is an example of searching active directory in w2k. Active directory requires a user account that has permissions to search the tree.
/*
   The following values are used for the example:
   1. Domain = microsoft.com
   2. Server = unstable
   3. User = bgates
   4. Password = iloveopensource
*/
// Get name value to search for from submitted form.
$name = "";
if (isset($_GET["name"])) {
    // escape the value before it goes into the filter so that ( ) * \ in the
    // input cannot change the filter's structure (ldap_escape needs PHP >= 5.6)
    $name = ldap_escape($_GET["name"], "", LDAP_ESCAPE_FILTER);
}
$ldap_server = "ldap://unstable.microsoft.com";
$auth_user = "[email protected]";
$auth_pass = "iloveopensource";
// Set the base dn to search the entire microsoft.com directory.
$base_dn = "DC=microsoft, DC=com";
/* filter the search for all people in the microsoft.com tree that have a
   name that matches any one of the following attributes: name, displayname,
   or cn. */
$filter = "(&(objectClass=user)(objectCategory=person)(|(name=$name*)(displayname=$name*)(cn=$name*)))";
// connect to server
if (!($connect = @ldap_connect($ldap_server))) {
    die("Could not connect to ldap server");
}
// bind to server
if (!($bind = @ldap_bind($connect, $auth_user, $auth_pass))) {
    die("Unable to bind to server");
}
// search active directory
if (!($search = @ldap_search($connect, $base_dn, $filter))) {
    die("Unable to search ldap server");
}
$number_returned = ldap_count_entries($connect, $search);
$info = ldap_get_entries($connect, $search);
echo "The number of entries returned is " . $number_returned;
for ($i = 0; $i < $info["count"]; $i++) {
    // every attribute is an array of values; take the first one
    echo "Name is: " . $info[$i]["name"][0];
    echo "Display name is: " . $info[$i]["displayname"][0];
    echo "Email is: " . $info[$i]["mail"][0];
    echo "Telephone number is: " . $info[$i]["telephonenumber"][0];
}

bens at effortlessis dot com
14-Nov-2002 12:34
PHP 4.2.3 and --with-ldap compiles nicely on RH 7.2 using the provided openldap rpms.
You do not need the Netscape SDK or the UofM versions installed. (Isn't openldap derived from the UofM version?)
This documentation indicates these other libraries, which are unnecessary.

dave dot awatere at equant dot com
02-Dec-2002 10:50
When enabling ldap support for win32 binaries I ran into a few difficulties. As previously mentioned here, the libsasl library is required for php_ldap. Here are the two simple steps to getting this to work.
1. After successfully installing php and testing, copy the file libsasl.dll (google it for download sites, it's 40kb) to: C:/your_php_path/dlls.
2. Edit your php.ini and un-comment the line ;extension=php_ldap.dll so that it reads extension=php_ldap.dll
That's it. Restart your webserver and test with <?php phpinfo();?>.
Note: if you have been fiddling with the location of libsasl.dll and you have an error "Unable to load dynamic library..." then you will need to kill the hung apache process (you can use taskinfo app for this) or restart your windows box after restoring your php.ini to original (no ldap_support). I know this sounds confusing but it is the reason why I just wasted an hour and a half. I have tested this with all php versions from 4.1.2 up incl 4.3rc2. Also have this running with apache2. We use it with the xaraya.com cms to authenticate our intranet users. Hope this saves someone the hour and a half of pain it served me...

Christoph Grottolo
05-Jan-2003 11:40
libsasl.dll which is needed for php_ldap.dll to run on windows but not
included in the actual release (4.3.0) is available as part of the open
ldap binaries on .
Christoph

ldivinag at csuhayward dot edu
17-Jan-2003 12:31
well it's a no go for me.
using: 4.3.0 apache 1.3.27 win98 SE
i got a copy of LIBSASL.DLL from a 4.0.4xxx of php and i copied it everywhere:
c:\windows c:\windows\system c:\windows\system32 c:\apache\apache <- where apache.exe sits c:\php c:\php\dlls c:\php\extensions
and i still got the UNABLE TO LOAD...
should i go to apache2?
the version of LIBSASL is 40 k, but dated a year or so ago. is there a specific version of it?
thanks...
leo d.

vdweij at mailsurf dot com
22-Jan-2003 04:25
I've had ldap up and running with php4.1.2 (win2000) and got problems upgrading to php4.3.0.
I got an error saying could not load php_ldap.dll. The manual tells you to copy libsasl.dll into your winnt(/system32) folder, but that was already there????
Using the good old command prompt (move to php dir) and typing php.exe -? I got messages saying php needed other dll's, namely: ssleay32.dll libeay32.dll
Copying these dll's to the winnt(/system32) dir worked for me.
--May The Source Be With You--

Jaap Weel
05-Feb-2003 10:04
In some cases, when you're working on a system where PHP is pre-installed and you need to ask some mysterious and/or distant sysadmin to recompile it, you may want to forget about the LDAP functions and use the shell commands that seem to exist whenever the LDAP package is installed.
For example, I want to look up someone's e-mail address ("mail") in the Institute LDAP address book database and fetch from it their surname ("sn"). I use the backtick operator, which executes a shell command and returns its output to PHP:
// escapeshellarg() keeps shell metacharacters in $email from being
// interpreted by the shell that runs the backtick command
$filter = escapeshellarg("(mail=$email)");
$sn = `ldapsearch -h ldap-server.its.caltech.edu $filter sn | grep "sn:"`;
$sn = trim(str_replace("sn:", "", $sn));
This probably isn't a good idea if you want complicated things, but for an occasional simple use it's a nice hack, I thought.

yorch at correo dot ath dot cx
03-Mar-2003 04:12
Some notes about running LDAP extension on a Win2k box:
After copying php_ldap.php and libsasl.dll in every single directory possible (c:\WinNT\System32, c:\php ...) I decided to read the installation.txt file. The instructions to install php extensions say: "Some extra DLLs are required for some PHP extensions. Please copy the bundled dlls from the 'dlls/' directory in distribution package to your windows/system (Win9.x) or winnt/system32 (WinNT, Win2000, XP) directory. If you already have these DLLs installed on your system, overwrite them only if something is not working correctly."
So I did exactly that: copy ALL the dll files from "c:\php\dlls" to "c:\WinNT\System32". Now they load beautifully ;-)
I hope this helps someone.

vattalai dot anil at st dot com
22-Mar-2003 02:50
Copying all dll files to WINNT/system32 directory?
I felt it is a crazy idea to do this just for ldap, but after fiddling with php_ldap for some time, I gave it a try. And surprisingly it works!!! Thanks guys!

egeczi at nospamplease dot dist113 dot org
01-Apr-2003 05:05
On Win2k Server running IIS, it is not enough to just restart IIS after
enabling the php_ldap extension. You have to restart the server itself.

nliu99 at nospam dot yahoo dot com
29-Apr-2003 10:09
libsasl.dll is NOT required for ldap functionalities. Go check out the posting at:
On win2k I followed these easy steps and got ldap to work:
1. copy php_ldap.dll from the extension folder to winnt/system32
2. edit winnt/php.ini so that ldap is enabled (uncomment the line).
3. restart IIS.
That's it and have fun with ldap.
A note for Microsoft Active Directory:
1. You can login with the user email, i.e. [email protected]
2. It's easiest to search for user info with ldap_search by filtering: (userprincipalname=[user])