2013-12-03 14:26

PHP ldap_ * API:限制基本范围?

  • openldap
  • ldap
  • php

So The Direct Project strikes again. I'm no expert in LDAP, but I'm trying to set up a test environment since the standard requires any package to support getting certificates from LDAP as well as DNS CERT, regardless of which method is implemented by the package.

According to the documentation, the prescribed sequence of events (trimmed for relevance) from section "3.3.3 LDAP query":

* Discover the Base DNs
     Branches in LDAP must be defined by a “Base DN”. The list of Base DNs that are
     provided by a LDAP directory are found by doing a LDAP Query with a NULL (i.e.
     “”) Base DN, and ObjectClass=”DN”.
* Query across the Base DN for entries where "Mail" contains the endpoint address

I'm trying to implement this process in php, using the ldap_* functions, but their way doesn't seem to work. Obviously, NULL is not the same as an empty string (the latter makes any call to ldap_search return a "No such object" error), and "DN" isn't a valid value for an ObjectClass attribute.

So, TL;DR, is there another way an anonymous remote user retrieve the (list of?) base DNs that I'm missing?

UPDATE: Reworded the title to reflect the root cause of my problem: Reading the rootDSE from PHP when the ldap_* api doesn't allow you to specify 'base' scope.

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答


  • dongliuliu0385 dongliuliu0385 8年前

    So another read through the docs answered my question for me.

    Apparently, the only difference between ldap_search(), ldap_list(), and ldap_read() are the scopes (LDAP_SCOPE_SUBTREE (sub), LDAP_SCOPE_ONELEVEL (one), and LDAP_SCOPE_BASE (base), respectively). So using ldap_read() instead of the others will allow one to get the rootDSE.

    点赞 8 评论 复制链接分享
  • drbvm26000 drbvm26000 8年前

    In the root dse. See "namingContexts".


    In java:

    LDAPConnection conn = new LDAPConnection(hostname,port);
    SearchRequest req = new SearchRequest("",SearchScope.BASE,"(&)","+");
    SearchResult result =;
    // If the search succeeds, the result will comprise one entry,
    // and that entry is the Root DSE:
    subschemaSubentry: cn=schema
    namingContexts: C=us
    vendorName: UnboundID Corp.
    vendorVersion: UnboundID Directory Server
    点赞 5 评论 复制链接分享