2013-12-03 14:26
157 views

PHP ldap_* API: restricting the search scope to base?

So The Direct Project strikes again. I'm no expert in LDAP, but I'm trying to set up a test environment since the standard requires any package to support getting certificates from LDAP as well as DNS CERT, regardless of which method is implemented by the package.

According to the documentation, the prescribed sequence of events (trimmed for relevance) from section "3.3.3 LDAP query":

* Discover the Base DNs
     Branches in LDAP must be defined by a “Base DN”. The list of Base DNs that are
     provided by a LDAP directory are found by doing a LDAP Query with a NULL (i.e.
     “”) Base DN, and ObjectClass=”DN”.
* Query across the Base DN for entries where "Mail" contains the endpoint address

I'm trying to implement this process in php, using the ldap_* functions, but their way doesn't seem to work. Obviously, NULL is not the same as an empty string (the latter makes any call to ldap_search return a "No such object" error), and "DN" isn't a valid value for an ObjectClass attribute.

So, TL;DR, is there another way an anonymous remote user can retrieve the (list of?) base DNs that I'm missing?

UPDATE: Reworded the title to reflect the root cause of my problem: reading the rootDSE from PHP when the ldap_* API doesn't allow you to specify 'base' scope.




2 answers

  • dongliuliu0385 2013-12-03 18:51

    So another read through the docs answered my question for me.

    Apparently, the only difference between ldap_search(), ldap_list(), and ldap_read() are the scopes (LDAP_SCOPE_SUBTREE (sub), LDAP_SCOPE_ONELEVEL (one), and LDAP_SCOPE_BASE (base), respectively). So using ldap_read() instead of the others will allow one to get the rootDSE.

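The procedure the answer describes, as an added example that is not part of the question or the answer: ldap_read() issues a base-scope request against the empty base DN with the presence filter (objectClass=*), which is how the rootDSE is read; its namingContexts attribute lists the base DNs the standard calls "Base DNs", and each of those is then searched with subtree scope for entries whose mail attribute matches the endpoint address. The host name and the sample address are assumptions for illustration; the bind is anonymous, as the question requires, and the address is escaped with ldap_escape() so user-supplied input cannot rewrite the filter.

```php
<?php
// Added example, not code from the question or the answer. Reads the rootDSE
// with base scope via ldap_read(), then searches each naming context for a
// mail address. Host and sample address below are assumptions.

function readRootDse($ldap): array
{
    // Empty base DN + base scope + presence filter is the standard rootDSE read.
    $res = ldap_read($ldap, '', '(objectClass=*)', ['namingContexts', 'supportedLDAPVersion']);
    if ($res === false) {
        throw new RuntimeException('rootDSE read failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $res);
    if ($entries === false || $entries['count'] < 1) {
        throw new RuntimeException('rootDSE returned no entry');
    }
    return $entries[0];
}

function namingContexts(array $rootDse): array
{
    // ldap_get_entries() lowercases attribute names in the returned array.
    $contexts = [];
    if (isset($rootDse['namingcontexts'])) {
        for ($i = 0; $i < $rootDse['namingcontexts']['count']; $i++) {
            $contexts[] = $rootDse['namingcontexts'][$i];
        }
    }
    return $contexts;
}

function findCertificatesByMail($ldap, array $baseDns, string $mail): array
{
    // Escape the address so it cannot alter the filter (LDAP filter injection).
    $filter = sprintf('(mail=%s)', ldap_escape($mail, '', LDAP_ESCAPE_FILTER));
    $found = [];
    foreach ($baseDns as $base) {
        // Subtree scope across the whole naming context.
        $res = ldap_search($ldap, $base, $filter, ['mail', 'userCertificate;binary']);
        if ($res === false) {
            // A context we are not allowed to search should not abort the lookup.
            continue;
        }
        $entries = ldap_get_entries($ldap, $res);
        for ($i = 0; $i < $entries['count']; $i++) {
            $e = $entries[$i];
            if (!isset($e['usercertificate;binary'])) {
                continue;
            }
            for ($j = 0; $j < $e['usercertificate;binary']['count']; $j++) {
                $found[] = ['dn' => $e['dn'], 'der' => $e['usercertificate;binary'][$j]];
            }
        }
    }
    return $found;
}

$host = 'ldap://ldap.example.test';   // assumed test directory
$ldap = ldap_connect($host);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if (!ldap_bind($ldap)) {               // anonymous bind
    die('anonymous bind failed: ' . ldap_error($ldap) . PHP_EOL);
}

$rootDse = readRootDse($ldap);
$bases   = namingContexts($rootDse);
printf("naming contexts: %s\n", implode(', ', $bases));

foreach (findCertificatesByMail($ldap, $bases, 'user@example.test') as $hit) {
    printf("%s: %d-byte DER certificate\n", $hit['dn'], strlen($hit['der']));
}
ldap_unbind($ldap);
```

Two points worth keeping in mind when adapting this: a directory that refuses anonymous reads of the rootDSE will make readRootDse() throw rather than return an empty list, which is the right place to fail loudly, and the binary certificate values come back as raw DER, so they should be parsed (for example with openssl_x509_read() after wrapping in PEM) rather than treated as text.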
