PHP: LDAP Functions - Manual
Last updated: Tue, 21 Dec 2004

LIII. LDAP Functions

Introduction

LDAP stands for Lightweight Directory Access Protocol, a protocol used to access "directory servers". A directory is a special kind of database that holds information in a tree structure.

The concept is similar to the directory structure of a hard disk, except that the contents differ: here the root directory is "the world", and the first-level subdirectories are "countries". Lower levels of the directory structure hold entries for companies, organisations or places, and below those are entries for people, and perhaps for equipment or documents.

To refer to a file in a subdirectory of your hard disk, you use something like:


/usr/local/myapp/docs
    

The slashes separate each part of the reference, and the reference is read from left to right.

The equivalent of this fully qualified file reference in LDAP is the "distinguished name", referred to simply as "dn". As an example, suppose the dn is:


     cn=John Smith,ou=Accounts,o=My Company,c=US
    

The commas separate each part, and the dn is read from right to left. This dn is interpreted as:


    country = US
    organization = My Company
    organizationalUnit = Accounts
    commonName = John Smith
    

Just as there are no strict rules about how the directory structure of a hard disk is organised, a directory server manager can set up whatever structure suits the purpose. In practice, however, some conventions exist. The point is that you cannot write code to access a directory server without knowing something about its structure, any more than you can use a database without knowing what it contains.
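As an added example (not code from the PHP manual), the following script splits a dn into its RDNs and prints them in the right-to-left order described above, then shows why a value taken from user input must be escaped before it is concatenated into a dn. The escaping rules follow RFC 4514; the helper names dn_escape_value and dn_split are this example's own (the extension's ldap_explode_dn() does the splitting once the extension is loaded), and the sample dn is the one from the text.

```php
<?php
// Added example: reading a dn right to left and building one safely.
// Helper names are this example's own; they follow RFC 4514.

// Escape a single attribute value for use inside a dn (RFC 4514 section 2.4).
// Special characters get a backslash; a NUL becomes \00. The backslash is
// replaced first so the backslashes added afterwards are not escaped again.
function dn_escape_value($value)
{
    $escaped = str_replace(
        array('\\',   ',',   '+',   '"',   '<',   '>',   ';',   '=',   "\0"),
        array('\\\\', '\\,', '\\+', '\\"', '\\<', '\\>', '\\;', '\\=', '\\00'),
        $value
    );
    // A trailing space, and a leading space or '#', also need escaping.
    if (substr($escaped, -1) === ' ') {
        $escaped = substr($escaped, 0, -1) . '\\ ';
    }
    if ($escaped !== '' && ($escaped[0] === '#' || $escaped[0] === ' ')) {
        $escaped = '\\' . $escaped;
    }
    return $escaped;
}

// Split a dn string into its RDNs, honouring backslash escapes so that an
// escaped comma inside a value is not treated as a separator.
function dn_split($dn)
{
    $rdns = array();
    $current = '';
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $ch = $dn[$i];
        if ($ch === '\\' && $i + 1 < $len) {
            $current .= $ch . $dn[$i + 1];   // copy the escape pair verbatim
            $i++;
        } elseif ($ch === ',') {
            $rdns[] = ltrim($current);      // allow "o=My Company, c=US" spacing
            $current = '';
        } else {
            $current .= $ch;
        }
    }
    $rdns[] = ltrim($current);
    return $rdns;
}

// The dn from the text, read right to left: the last RDN is the root.
$dn = 'cn=John Smith,ou=Accounts,o=My Company,c=US';
foreach (array_reverse(dn_split($dn)) as $depth => $rdn) {
    echo str_repeat('  ', $depth) . $rdn . "\n";
}

// Building a dn from user input (constructed sample value): a comma in the
// value must not add an RDN, so the value is escaped first.
$userSupplied = 'Smith, John';
$unsafe = 'cn=' . $userSupplied . ',ou=Accounts,o=My Company,c=US';
$safe   = 'cn=' . dn_escape_value($userSupplied) . ',ou=Accounts,o=My Company,c=US';
echo count(dn_split($unsafe)) . " RDNs in the unescaped dn: $unsafe\n";
echo count(dn_split($safe)) . " RDNs in the escaped dn: $safe\n";
?>
```

Run it with the command-line interpreter; no directory server is needed. The dn built from the raw value "Smith, John" splits into five RDNs, which is exactly how an attacker-controlled value can inject an extra component into a dn, while the escaped dn splits into the intended four.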

Much information about LDAP can be found at the sites linked from the original manual page.

The Netscape SDK includes useful documentation in HTML format.

Requirements

To compile PHP with LDAP support you first need to obtain and compile an LDAP client library, for example the University of Michigan's LDAP package.

Installation

LDAP support in PHP is not enabled by default. To enable it, you need to compile PHP with the --with-ldap[=DIR] configure option.

Note to Win32 users: to enable this extension, copy libsasl.dll from the DLL folder of the PHP/Win32 binary package to the SYSTEM32 folder of your Windows machine (e.g. C:\WINNT\SYSTEM32 or C:\WINDOWS\SYSTEM32).

Runtime Configuration

The behaviour of these functions is affected by settings in php.ini.

Table 1. LDAP configuration options

Name             Default   Changeable
ldap.max_links   "-1"      PHP_INI_SYSTEM

For further details and definitions of the PHP_INI_* constants, see ini_set().

Resource Types

This extension defines no resource types.

Predefined Constants

These constants are defined by this extension and are available only when the extension has either been compiled into PHP or dynamically loaded at runtime.

LDAP_DEREF_NEVER (integer)

LDAP_DEREF_SEARCHING (integer)

LDAP_DEREF_FINDING (integer)

LDAP_DEREF_ALWAYS (integer)

LDAP_OPT_DEREF (integer)

LDAP_OPT_SIZELIMIT (integer)

LDAP_OPT_TIMELIMIT (integer)

LDAP_OPT_PROTOCOL_VERSION (integer)

LDAP_OPT_ERROR_NUMBER (integer)

LDAP_OPT_REFERRALS (integer)

LDAP_OPT_RESTART (integer)

LDAP_OPT_HOST_NAME (integer)

LDAP_OPT_ERROR_STRING (integer)

LDAP_OPT_MATCHED_DN (integer)

LDAP_OPT_SERVER_CONTROLS (integer)

LDAP_OPT_CLIENT_CONTROLS (integer)

LDAP_OPT_DEBUG_LEVEL (integer)

GSLC_SSL_NO_AUTH (integer)

GSLC_SSL_ONEWAY_AUTH (integer)

GSLC_SSL_TWOWAY_AUTH (integer)

Retrieve information for all entries whose surname starts with "S" from a directory server, and display the name and e-mail address of each result.

Example 1. LDAP search example

<?php
// The basic LDAP sequence is connect, bind, search, interpret the
// search results, close the connection.

echo "<h3>LDAP query test</h3>";
echo "Connecting ...";
$ds = ldap_connect("localhost");  // must be a valid LDAP server!
echo "connect result is " . $ds . "<br />";

if ($ds) {
    echo "Binding ...";
    $r = ldap_bind($ds);    // this is an "anonymous" bind, typically
                            // read-only access
    echo "Bind result is " . $r . "<br />";

    echo "Searching for (sn=S*) ...";
    // search surname entry
    $sr = ldap_search($ds, "o=My Company, c=US", "sn=S*");
    echo "Search result is " . $sr . "<br />";
    echo "Number of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";

    echo "Getting entries ...<p>";
    $info = ldap_get_entries($ds, $sr);
    echo "Data for " . $info["count"] . " items returned:<p>";

    for ($i = 0; $i < $info["count"]; $i++) {
        // directory values are untrusted data: escape them before rendering HTML
        echo "dn is: " . htmlspecialchars($info[$i]["dn"]) . "<br />";
        echo "first cn entry is: " . htmlspecialchars($info[$i]["cn"][0]) . "<br />";
        echo "first email entry is: " . htmlspecialchars($info[$i]["mail"][0]) . "<br /><hr />";
    }

    echo "Closing connection";
    ldap_close($ds);

} else {
    echo "<h4>Unable to connect to LDAP server</h4>";
}
?>

Using the PHP LDAP calls

Before you use the LDAP calls you need to know:

  • the name or address of the directory server you will use

  • the "base dn" of the server (the part of the world directory that is held on this server, which could be "o=My Company,c=US")

  • whether you need a password to access the server (many servers allow read access with an "anonymous bind" but require a password for anything else)

The typical sequence of LDAP calls you will make in an application follows this pattern:


   ldap_connect()    // establish connection to server
      |
   ldap_bind()       // anonymous or authenticated "login"
      |
   do something: search or update the directory and display the results
      |
   ldap_close()      // "logout"
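The sequence above carried through as a complete script, added here as an example rather than taken from the manual: it sets the connection options between connect and bind, upgrades the connection with StartTLS before the password is sent, refuses an empty bind password, escapes the user-supplied search value before it goes into the filter, and escapes directory data before rendering it. The server name ldap.example.com, the service-account dn, the LDAP_BIND_PW environment variable and the helper filter_escape are assumptions of this example; the base dn is the one used in the text.

```php
<?php
// Added example: the connect / bind / search / close sequence with the
// checks a production script needs. Host, bind dn and the environment
// variable holding the password are placeholders.

$server  = 'ldap://ldap.example.com';                        // assumed host
$base_dn = 'ou=Accounts,o=My Company,c=US';                  // base dn from the text
$bind_dn = 'cn=app-reader,ou=Service,o=My Company,c=US';     // assumed service account
$bind_pw = getenv('LDAP_BIND_PW');                           // never hard-code the secret
$surname = isset($_GET['sn']) ? $_GET['sn'] : 'S';           // untrusted input

// Escape a value for use inside a search filter (RFC 4515 section 3).
// PHP 5.6 and later provide ldap_escape($value, '', LDAP_ESCAPE_FILTER).
function filter_escape($value)
{
    return str_replace(
        array('\\',   '*',    '(',    ')',    "\0"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

$ds = ldap_connect($server);
if (!$ds) {
    die('Unable to connect to LDAP server');
}

// Options are set after connect and before bind. LDAPv3 is needed for
// StartTLS, and the referrals option only takes effect with LDAPv3.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// Upgrade the connection to TLS before the bind password is transmitted.
if (!ldap_start_tls($ds)) {
    die('StartTLS failed: ' . ldap_error($ds));
}

// Refuse an empty password: a bind with a dn and no password is treated as
// an anonymous bind by many servers, so it would "succeed" without
// authenticating anyone.
if ($bind_pw === false || $bind_pw === '') {
    die('LDAP_BIND_PW is not set');
}
if (!ldap_bind($ds, $bind_dn, $bind_pw)) {
    die('Bind failed: ' . ldap_error($ds));
}

// Surnames starting with the supplied prefix. The prefix is escaped, so a
// value such as "*)(mail=*" cannot widen or rewrite the filter.
$filter = '(sn=' . filter_escape($surname) . '*)';
$sr = ldap_search($ds, $base_dn, $filter, array('cn', 'mail'));
if (!$sr) {
    die('Search failed: ' . ldap_error($ds));
}

$info = ldap_get_entries($ds, $sr);
for ($i = 0; $i < $info['count']; $i++) {
    $entry = $info[$i];
    $cn   = isset($entry['cn'][0])   ? $entry['cn'][0]   : '';
    $mail = isset($entry['mail'][0]) ? $entry['mail'][0] : '';
    // Directory data is untrusted when it is rendered into HTML.
    echo htmlspecialchars($entry['dn']) . ': '
       . htmlspecialchars($cn) . ' <' . htmlspecialchars($mail) . ">\n";
}

ldap_free_result($sr);
ldap_close($ds);
?>
```

Run it as a web script with ?sn=S, or from the command line where the prefix defaults to "S". Requesting only the attributes the page displays keeps the result set small and avoids pulling sensitive attributes the application does not need.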
     

Table of Contents
ldap_8859_to_t61 -- Translate 8859 characters to t61 characters
ldap_add -- Add entries to an LDAP directory
ldap_bind -- Bind to an LDAP directory
ldap_close -- Close the link to an LDAP server
ldap_compare -- Compare the value of an attribute found in the entry specified by DN
ldap_connect -- Connect to an LDAP server
ldap_count_entries -- Count the number of entries in a search
ldap_delete -- Delete an entry from a directory
ldap_dn2ufn -- Convert a DN to User Friendly Naming format
ldap_err2str -- Convert an LDAP error number into a string error message
ldap_errno -- Return the LDAP error number of the last LDAP command
ldap_error -- Return the LDAP error message of the last LDAP command
ldap_explode_dn -- Split a DN into its component parts
ldap_first_attribute -- Return the first attribute
ldap_first_entry -- Return the first result id
ldap_first_reference -- Return the first reference
ldap_free_result -- Free result memory
ldap_get_attributes -- Get attributes from a search result entry
ldap_get_dn -- Get the DN of a result entry
ldap_get_entries -- Get all result entries
ldap_get_option -- Get the current value of the given option
ldap_get_values_len -- Get all binary values from a result entry
ldap_get_values -- Get all values from a result entry
ldap_list -- Single-level search
ldap_mod_add -- Add attribute values to current attributes
ldap_mod_del -- Delete attribute values from current attributes
ldap_mod_replace -- Replace attribute values with new ones
ldap_modify -- Modify an LDAP entry
ldap_next_attribute -- Get the next attribute in a result
ldap_next_entry -- Get the next result entry
ldap_next_reference -- Get the next reference
ldap_parse_reference -- Extract information from a reference entry
ldap_parse_result -- Extract information from a result
ldap_read -- Read an entry
ldap_rename -- Modify the name of an entry
ldap_sasl_bind -- Bind to an LDAP directory using SASL
ldap_search -- Search the LDAP tree
ldap_set_option -- Set the value of the given option
ldap_set_rebind_proc -- Set a callback function to do re-binds on referral chasing
ldap_sort -- Sort LDAP result entries
ldap_start_tls -- Start TLS
ldap_t61_to_8859 -- Translate t61 characters to 8859 characters
ldap_unbind -- Unbind from an LDAP directory


User Contributed Notes
LDAP Functions
jpmens at gmail dot com
11-Mar-2005 10:04
Further to jabba at zeelandnet dot nl's note. If you are trying to connect to an LDAPS URI with OpenLDAP, you can either create the configuration file as described by jabba, or alternatively, use the environment settings to set LDAPTLS_REQCERT=never as described in ldap.conf(5).
scott at wiggumworld dot com
19-Jan-2005 12:08
You can find a PHP class that works well with Active Directory here:

Richie Bartlett(at)ITsystems-Online com
20-Dec-2004 08:44
This is an update to <i>wtfo at technocraft dot com</i> (23-May-2002 03:40)... This function allows additional (optional) parameters. The prev function listed failed to close the ldap connection after successful authentication.

<?php
function checkNTuser($username, $password, $DomainName = "myDomain",
                     $ldap_server = "ldap://PDC.example.net") { // v0.9
    // returns true when user/pass enable bind to LDAP (Windows 2k).
    $auth_user = $username . "@" . $DomainName;
    #echo $auth_user."->";

    // An empty password must fail here: a bind with a name and no password
    // is an anonymous bind on most servers and would otherwise return true.
    if ($password === '') {
        return false;
    }

    if ($connect = @ldap_connect($ldap_server)) {
        #echo "connection ($ldap_server): ";
        if ($bind = @ldap_bind($connect, $auth_user, $password)) {
            #echo "true <BR>";
            @ldap_close($connect);
            return true;
        } // if bound to ldap
        @ldap_close($connect);   // close the link even when the bind failed
    } // if connected to ldap
    #echo "failed <BR>";
    return false;
} // end function checkNTuser
?>
xxoes at gmx dot de
08-Dec-2004 02:24
Yes, you must use LDAP with SSL!

$newPassword = "\"" . $new_password . "\"";
$len = strlen($newPassword);
$newPassw = "";
for ($i = 0; $i < $len; $i++)
   $newPassw .= $newPassword[$i] . "\000";   // ASCII to UTF-16LE one byte at a time; non-ASCII needs mb_convert_encoding(..., 'UTF-16LE')
$userdata["unicodepwd"] = $newPassw;
ldap_mod_replace($ds, $dn, $userdata);      // $ds is the LDAP link resource

My Windows php binary "PHP Version 4.3.9" does not support LDAP with SSL; I used stunnel to create an SSL connection.
jabba at zeelandnet dot nl
16-Nov-2004 07:51
When using PHP on windows, and you are trying to connect (bind) to a Netware (6) LDAP server that requires secure connections (LDAPS), PHP will return a message stating that the server cannot be found.
 
A network traffic capture of the traffic taking place on connection attempt reveals that the server supplies a certificate for use in the SSL connection, but this is rejected (***bad certificate SSLv3 packet) by the client.

The reason for this is probably that the PHP LDAP implementation tries to verify the received certificate with the CA that issued the certificate. There may be a way to make it possible that this verification succeeds, but it is also possible to disable this verification by the client (which is, in this case, PHP) by creating an openldap (surprise!!) configuration file.

The location of this configuration file seems to be hardcoded in the LDAP support module for windows, and you may need to manually create the following directory structure:

C:\openldap\sysconf\

In the sysconf folder, create a text file named 'ldap.conf' (you can use notepad for this) and, to disable certificate verification, place the following line in the ldap.conf file:

TLS_REQCERT never

After this, all the normal ldap_bind calls will work, provided your supplied user id and password are correct.
spam2004 at turniton dot dk
29-Oct-2004 12:36
Here are two small functions that enable you to convert a binary objectSID from Microsoft AD into a more useful text version (formatted (S-1-5.....)).

// Converts a little-endian hex-number to one that 'hexdec' can convert
function littleEndian($hex) {
   $result = '';
   for ($x = strlen($hex) - 2; $x >= 0; $x = $x - 2) {
       $result .= substr($hex, $x, 2);
   }
   return $result;
}

// Returns the textual SID
function binSIDtoText($binsid) {
   $hex_sid = bin2hex($binsid);
   $rev = hexdec(substr($hex_sid, 0, 2));          // Get revision-part of SID
   $subcount = hexdec(substr($hex_sid, 2, 2));     // Get count of sub-auth entries
   $auth = hexdec(substr($hex_sid, 4, 12));        // SECURITY_NT_AUTHORITY (48-bit, big-endian)
   $result = "S-$rev-$auth";                       // "S-" prefix of the textual form
   for ($x = 0; $x < $subcount; $x++) {
       $subauth[$x] = hexdec(littleEndian(substr($hex_sid, 16 + ($x * 8), 8)));  // each 32-bit sub-authority is little-endian
       $result .= "-" . $subauth[$x];
   }
   return $result;
}

echo binSIDtoText($bin_sid);
Jimmy Wimenta Oei
23-Sep-2004 07:32
If you want to disable/enable chase referral option, you need to first set the protocol version to version 3, otherwise the LDAP_OPT_REFERRALS option will not have any effect. This is especially true for querying MS Active Directory.

<?php
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
?>

And as always, these should be called after connect but before binding.
dmeehan at flcancer dot com
12-Aug-2004 08:26
If you're having problems running LDAP searches on the base DC against Active Directory 2k3, you need to set dsHeuristics to 0000002 in Active Directory. This allows searches to function similar to how they did in Active Directory 2k2. You can update dsHeuristics by launching ldp.exe, go to 'connection' and create a new connection. Then go to bind and bind to your ldap server. Next select the 'Browse' menu and choose 'modify'. The DN *might* look like this:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mycompany,DC=com

Attribute is: dsHeuristics
Value is: 0000002

Set the operation to replace and you should be set.
This solves the 'Operations error' error that happens when attempting to search without specifying an OU.

-d
Sami Oksanen
17-May-2004 01:27
I edited Jon Caplinger's code which is located below (date: 09-Nov-2002 05:44).

 - I corrected line
   "if (!($connect=@ldap_connect($ldap))) {" with
   "if (!($connect=@ldap_connect($ldap_server))) {"

 - Removed $name-attribute

 - "Name is:"-field was always an Array, so I changed printing line to:
   " echo "Name is: ". $info[$i]["name"][0]."<br>";"

I also added some alternative search filters to try out.

Here is the code:

<?php

$ldap_server = "ldap://foo.bar.net";
$auth_user = "[email protected]";
$auth_pass = "mypassword";

// Set the base dn to search the entire directory.
$base_dn = "DC=bar, DC=net";

// Show only user persons
$filter = "(&(objectClass=user)(objectCategory=person)(cn=*))";

// Enable to show only users
// $filter = "(&(objectClass=user)(cn=*))";

// Enable to show everything
// $filter = "(cn=*)";

// connect to server
if (!($connect = @ldap_connect($ldap_server))) {
     die("Could not connect to ldap server");
}

// bind to server
if (!($bind = @ldap_bind($connect, $auth_user, $auth_pass))) {
     die("Unable to bind to server");
}

//if (!($bind=@ldap_bind($connect))) {
//    die("Unable to bind to server");
//}

// search active directory
if (!($search = @ldap_search($connect, $base_dn, $filter))) {
     die("Unable to search ldap server");
}

$number_returned = ldap_count_entries($connect, $search);
$info = ldap_get_entries($connect, $search);

echo "The number of entries returned is " . $number_returned . "<p>";

// attribute values are arrays; escape directory data before rendering HTML
for ($i = 0; $i < $info["count"]; $i++) {
   echo "Name is: " . htmlspecialchars($info[$i]["name"][0]) . "<br>";
   echo "Display name is: " . htmlspecialchars($info[$i]["displayname"][0]) . "<br>";
   echo "Email is: " . htmlspecialchars($info[$i]["mail"][0]) . "<br>";
   echo "Telephone number is: " . htmlspecialchars($info[$i]["telephonenumber"][0]) . "<p>";
}
?>
ant at solace dot mh dot se
26-Feb-2004 04:23
When working with LDAP, it's worth remembering that the majority
of LDAP servers encode their strings as UTF-8. What this means
for non-ASCII strings is that you will need to use the utf8_encode and
utf8_decode functions when creating filters for the LDAP server.

Of course, if you can its simpler to just avoid using non-ascii characters
but for most sites the users like to see their strange native character
sets including umlauts etc..

If you just get ? characters where you are expecting non-ascii, then
you might just need to upgrade your PHP version.
pookey at pookey dot co dot uk
07-Oct-2003 08:57
This is an example of how to query an LDAP server, and print all entries out.

<?php

$ldapServer = '127.0.0.1';
$ldapBase = 'DC=anlx,DC=net';

/*
 * try to connect to the server
 */
$ldapConn = ldap_connect($ldapServer);
if (!$ldapConn)
{
  die('Cannot Connect to LDAP server');
}

/*
 * set the ldap options (this has to happen before the bind)
 */
ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3);

/*
 * bind anonymously
 */
$ldapBind = ldap_bind($ldapConn);
if (!$ldapBind)
{
  die('Cannot Bind to LDAP server');
}

/*
 * search the LDAP server
 */
$ldapSearch = ldap_search($ldapConn, $ldapBase, "(cn=*)");
$ldapResults = ldap_get_entries($ldapConn, $ldapSearch);

for ($item = 0; $item < $ldapResults['count']; $item++)
{
  for ($attribute = 0; $attribute < $ldapResults[$item]['count']; $attribute++)
  {
    $data = $ldapResults[$item][$attribute];   // the numeric index gives the attribute name
    echo htmlspecialchars($data) . ":&nbsp;&nbsp;" . htmlspecialchars($ldapResults[$item][$data][0]) . "<br>";
  }
  echo '<hr />';
}

?>
paul at datacom dot bg
15-Aug-2003 09:40
This note is for people trying to load extensions which require additional dlls on W2k/XP.
As stated in the installation notes one has to copy those libraries to %SystemRoot%\system32 directory.
Generally it's not a good idea to copy files from left to right and back, especially for the system folder.
The result is always a mess. I hope you'll find my way of getting things working more elegant than just copying files.
Leave those dlls where they are in the dlls folder under PHP's installation path. Then edit the environment variables so that the system variable PATH includes the dlls folder. You may need to reboot the system. That's all, nice and clean.
One who doesn't know what I'm talking about should go this way:
My Computer - > Control Panel -> System -> Advanced -> Environment Variables ... -> System variables.
mrowe at pointsystems dot com
06-Aug-2003 06:58
FWIW,

Before anyone else wastes a day scratching their head wondering why they can't search Active Directory...

I wasn't able to search on Active Directory until I did this (immediately after the ldap_connect):

ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);

I was able to ldap_bind if I didn't set this option, but I kept receiving errors.  Also note, I had to set the option BEFORE binding.
hkemale at hkem dot com
17-Jul-2003 05:49
For IIS+PHP+NTFS file system user
After copying <php_dir>/dlls/*.dll to <windows>/system32/ remember to add read and execute permission for "everyone" to the extensions *.dll. This can prevent the "Access is denied" warning for php_ldap.dll.
greatsafari at hotmail dot com
27-May-2003 06:01
Having seen so many variations of methods for connecting and querying the Active Directory server, it really makes me suspect that the whole thing is dependent on the Active Directory configuration. Looking at this post at:



Some methods proven to be working in one instance failed at another instance.
nliu99 at nospam dot yahoo dot com
29-Apr-2003 10:09
libsasl.dll is NOT required for ldap functionalities. Go check out the posting at:

On win2k I followed these easy steps and got ldap to work:
1. copy php_ldap.dll from the extension folder to winnt/system32
2. edit winnt/php.ini so that ldap is enabled (uncomment the line).
3. restart IIS.
That's it and have fun with ldap.

A note for Microsoft Active Directory
1. You can login with the user email, i.e. [email protected]
2. It's easiest to search for user info with ldap_search by filtering: (userprincipalname=[user])
egeczi at nospamplease dot dist113 dot org
01-Apr-2003 05:05
On Win2k Server running IIS, it is not enough to just restart IIS after enabling the php_ldap extension. You have to restart the server itself.
yorch at correo dot ath dot cx
03-Mar-2003 05:12
Some notes about running LDAP extension on a Win2k box:

After copying php_ldap.php and libsasl.dll in every single directory possible (c:\WinNT\System32, c:\php ...) I decided to read the installation.txt file.
The instructions to install php extensions say: "Some extra DLLs are required for some PHP extensions. Please copy the bundled dlls from the 'dlls/' directory in distribution package to your windows/system (Win9.x) or winnt/system32 (WinNT, Win2000, XP) directory. If you already have these DLLs installed on your system, overwrite them only if something is not working correctly."

So I did exactly that: copy ALL the dll files from "c:\php\dlls" to "c:\WinNT\System32".
Now they load beautifully ;-)

I hope this helps someone.
jon dot caplinger at broadwing dot com
09-Nov-2002 06:44
Here is an example of searching active directory in w2k. Active directory requires a user account that has permissions to search the tree.

/* The following values are used for the example:
  1.  Domain =  microsoft.com
  2.  Server =  unstable
  3.  User = bgates
  4.  Password = iloveopensource
*/

// Get name value to search for from submitted form.
$name = "";
if (isset($_GET["name"])) {
     $name = $_GET["name"];
}

// Escape filter metacharacters (RFC 4515) so the submitted name cannot
// alter the filter; PHP 5.6+ has ldap_escape() for this.
$name = str_replace(array('\\', '*', '(', ')', "\0"),
                    array('\\5c', '\\2a', '\\28', '\\29', '\\00'), $name);

$ldap_server = "ldap://unstable.microsoft.com";
$auth_user = "bgates@microsoft.com";
$auth_pass = "iloveopensource";

// Set the base dn to search the entire microsoft.com directory.
$base_dn = "DC=microsoft, DC=com";

/* filter the search for all people in the microsoft.com tree that have a name that matches any one of the following attributes name, displayname, or cn. */
$filter = "(&(objectClass=user)(objectCategory=person)"
        . "(|(name=$name*)(displayname=$name*)(cn=$name*)))";

// connect to server
if (!($connect = @ldap_connect($ldap_server))) {
     die("Could not connect to ldap server");
}

// bind to server
if (!($bind = @ldap_bind($connect, $auth_user, $auth_pass))) {
     die("Unable to bind to server");
}

// search active directory
if (!($search = @ldap_search($connect, $base_dn, $filter))) {
     die("Unable to search ldap server");
}

$number_returned = ldap_count_entries($connect, $search);
$info = ldap_get_entries($connect, $search);

echo "The number of entries returned is " . $number_returned;

for ($i = 0; $i < $info["count"]; $i++) {
   echo "Name is: " . $info[$i]["name"][0];   // attribute values are arrays
   echo "Display name is: " . $info[$i]["displayname"][0];
   echo "Email is: " . $info[$i]["mail"][0];
   echo "Telephone number is: " . $info[$i]["telephonenumber"][0];
}
gerbille at free dot fr
10-Oct-2002 01:26
The MD5 of PHP returns a result encoded in base16. But the LDAP MD5 returns a string encoded in base64.
$pwd = "toto";
$pwd_md5 = base64_encode(md5($pwd, true));   // md5() with true gives the raw 16-byte digest, as mhash(MHASH_MD5, ...) did
Just add "{MD5}" in front of $pwd_md5 to obtain the same format as the LDAP directory.

Bye
Aurélia
mike at whisperedlies dot org
09-Sep-2002 04:41
In addition to the netBIOS suggestion above, when binding to a Windows2k AD server, you can use the UPN of the intended user. For instance, if your SAM account name is firstname.lastname and your domain is domainname.com, your UPN might be firstname.lastname@domainname.com

This can be used to bind to AD. I've not seen any difference in any of the methods.
rusko dot marton at gibzone dot hu
11-Jul-2002 12:06
You can authenticate to a Windows 2000 domain's ldap server easily by using the simplified netbios form of the username.

Somebody wrote:
When authenticating to a Win2k LDAP server, the name of the person must be
the FULL NAME in the dn

NO. You can use this form:

$user = "DOMAINNAME\\username";
$password = "Password_of_user";

if (!$connect = ldap_connect("<server>", <port>)) {
  //error
  exit;
}
if (!$res = @ldap_bind($connect, $user, $password)) {   // bind on the link returned by ldap_connect
  //error
  exit;
}

It works fine with Active Directory, we use it.
knitterb at blandsite dot org
20-Jun-2002 03:48
When using PHP 4.2.1 with OpenLDAP 2.1.2 I was having problems with binding to the ldap server.  I found that php was using an older protocol and added the following to the slapd.conf:

allow bind_v2

See ``man slapd.conf'' for more info about the allow item in the slapd.conf file, this is all I know! :)
wtfo at technocraft dot com
23-May-2002 10:40
This worked for me:

function checkNTUser ($username, $password) {
   $ldapserver = 'Your Server';
   if ($password === '') {
       return false;   // an empty password would bind anonymously and "succeed"
   }
   $ds = ldap_connect($ldapserver);
   if ($ds) {
       $dn = "cn=$username,cn=Users,DC=[sitename],DC=[sitesuffix]";
       $r = @ldap_bind($ds, $dn, $password);
       ldap_close($ds);
       return (bool) $r;
   }
   return false;   // could not connect
}
sukhruprai at yahoo dot com
05-May-2002 01:56
There is an article about how to compile openldap on windows. Openldap binaries are also available for download (for windows).
php ^ pixelcop , com
23-Apr-2002 08:33
For those trying to do LDAP authentication with Lotus Domino NAB, the following has worked for me (based on the win2k example by [email protected]) :

$ip = "localhost";
$dn="CN=Joe Blo, O=myOrganization";
$password = "password";

if (!($ldap = ldap_connect($ip))) {
   die ("Could not connect to LDAP server");
}

print "connected to <b>$ip</b><br/>";

if (!($res = @ldap_bind($ldap, $dn, $password))) {
   die ("Could not bind to $dn");
}

print "user <b>$dn</b> authenticated.<br/>";

$sdn = "O=myOrganization";
$filter = "(objectclass=*)";

print "executing search...<b>DN: $sdn; Filter: $filter</b><br/>";
$sr=ldap_search($ldap, $sdn, $filter);

$info = ldap_get_entries($ldap, $sr);

print $info["count"]." entries returned<hr>";
print "<PRE>";
print_r($info);
print "</PRE>";
webmaster at autourdupc dot com
31-Dec-2001 12:36
When authenticating to a Win2k LDAP server, the name of the person must be the FULL NAME in the dn

NB : nothing is case sensitive !

$dn = "cn=DUPOND John, cn=Users, dc=autourdupc, dc=com";
$password = "Password_of_DUPOND";

Then when you bind to the LDAP database you use:

if (!($ldap = ldap_connect("<server>", <port>))) {
die ("Could not connect to LDAP server");
}
if (!($res = @ldap_bind($ldap, $dn, $password))) {
die ("Could not bind to $dn");
}

Hope this will be useful for everyone!
bounty_arz at hotmail dot com
26-Nov-2001 05:46
Hi,

There is a way to Access Active Directory :
- You will have to bind as admin :
eg: [email protected]
or as a user :
eg: [email protected]
(because you can't search the Subtree as anonymous).

Then you can query, add, delete and modify entries if you respect the syntax of the MS schema.

F.B
yapt at techNOSPAMnovell dot com
14-Oct-2001 11:37
I have found this new site with a lot of information about LDAP:
mleaver at scis dot ecu dot edu dot au
08-Mar-2001 09:32
When authenticating to a Win2k LDAP server you must include the name of the person authenticating to the server in the dn

i.e. cn=administrator, cn=users, dc=server, dc=domain, dc=country

Then when you bind to the LDAP database you use:

$res = ldap_bind($ldap, $dn, $password);

So a full example would be:

if (!($ldap = ldap_connect("<server>", <port>))) {
       die ("Could not connect to LDAP server");
}
$dn = "cn=administrator, cn=users, dc=myserver, dc=com, dc=au";
$password = "MyPassword";
if (!($res = @ldap_bind($ldap, $dn, $password))) {
       die ("Could not bind to $dn");
}

Then you do your list or search functions on the ldap database.
ron at opus1 dot com
24-Feb-2000 01:18
Note that when you are using loops to search through attributes, you must handle [dn] separately, otherwise each iteration of the loop will only return each character of the dn, left to right, and  the array for dn of "cn=boo" would be:
dn [0]="c"
dn [1]="n"
dn [2]="="
dn [3]="b"
dn [4]="o"
dn [5]="o"
Not too much fun to debug. ;-)

Copyright © 2001-2005 The PHP Group
All rights reserved.