dpcnm2132 2016-07-02 11:14
浏览 157
已采纳

带有TLS的PHP用于安全LDAP

I am trying to use remote LDAP server. For the purpose of security, I am trying to use only secure connection. I am able to get some code working but I am not sure, given the PHP documentation of start TLS itself, that if the following code works only on secure channel. Can anyone help with this please?

$is_valid_user = FALSE;

try {
    $ds = ldap_connect('ldap.foo.com', 389);
    if (! ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)) {
        return "";
    }

    if (! ldap_start_tls($ds)) {
        return "";
    }
} catch(Exception $e) {
    return "";
}

if (! ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    $error = "LDAP Server protocol error.";
    return "";
}

try {
    $bnd = @ldap_bind($ds, 'uid='.$user.', ou=people, dc=ldap, dc=foo, dc=com' , $passwd);

    if ($bnd) {
        $is_valid_user = TRUE;

        $srch=ldap_search($ds, 'dc=ldap, dc=foo, dc=com', "uid=$user");
        $info=ldap_get_entries($ds, $srch);
        $userdn=$info[0]["dn"];
        $usernm=$info[0]["cn"][0];

        return $usernm;
    } else {
        return "";
    }
} catch(Exception $e) {
    return "";
}
  • 写回答

1条回答 默认 最新

  • doulu6929 2016-07-02 20:31
    关注

    Just a few general improvements below. And yes, how that's written it will not continue unless the connection is encrypted via TLS. The LDAP module doesn't throw any exceptions at the moment, so the try/catch block is not really needed. Hard to tell without seeing the rest of your code, but is there a reason you want to return an empty string instead of false or null or some sort of error message?

    $is_valid_user = false;
    
    $ds = ldap_connect('ldap.foo.com', 389);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    
    if (!@ldap_start_tls($ds)) {
        return "";
    }
    
    $bindUser = 'uid='.ldap_escape($user, null, LDAP_ESCAPE_DN).',ou=people,dc=ldap,dc=foo,dc=com';
    if (@ldap_bind($ds, $bindUser , $passwd)) {
        $is_valid_user = true;
    
        $srch = ldap_search($ds, $bindUser, '(objectClass=*)', ['cn']);
        $info = ldap_get_entries($ds, $srch);
        $userdn = $info[0]["dn"];
        $usernm = $info[0]["cn"][0];
    
        return $usernm;
    } else {
        return "";
    }
    

    There are also several LDAP libraries available that make LDAP much easier with PHP. I would recommend LdapTools or adldap2.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?