dpcnm2132
2016-07-02 11:14
Views: 114
Accepted

PHP with TLS for secure LDAP

I am trying to use a remote LDAP server. For the purpose of security, I am trying to use only a secure connection. I am able to get some code working, but I am not sure, given the PHP documentation of start TLS itself, whether the following code works only on a secure channel. Can anyone help with this please?

// Wrapped in a function so the return statements are valid PHP; the function
// name and the $user/$passwd parameters are assumed, not part of the post.
function ldap_login($user, $passwd)
{
    $is_valid_user = FALSE;

    try {
        $ds = ldap_connect('ldap.foo.com', 389);
        if (! ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)) {
            return "";
        }

        // Upgrade the cleartext port-389 session to TLS before anything else is sent.
        if (! ldap_start_tls($ds)) {
            return "";
        }
    } catch (Exception $e) {
        return "";
    }

    if (! ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
        $error = "LDAP Server protocol error.";
        return "";
    }

    try {
        // $user is interpolated into the bind DN as-is (no escaping here).
        $bnd = @ldap_bind($ds, 'uid='.$user.', ou=people, dc=ldap, dc=foo, dc=com', $passwd);

        if ($bnd) {
            $is_valid_user = TRUE;

            $srch = ldap_search($ds, 'dc=ldap, dc=foo, dc=com', "uid=$user");
            $info = ldap_get_entries($ds, $srch);
            $userdn = $info[0]["dn"];
            $usernm = $info[0]["cn"][0];

            return $usernm;
        } else {
            return "";
        }
    } catch (Exception $e) {
        return "";
    }
}

 

1 answer

  • doulu6929
    doulu6929 2016-07-02 20:31
    Accepted

    Just a few general improvements below. And yes, the way that's written, it will not continue unless the connection is encrypted via TLS. The LDAP module doesn't throw any exceptions at the moment, so the try/catch block is not really needed. Hard to tell without seeing the rest of your code, but is there a reason you want to return an empty string instead of false or null or some sort of error message?

    // Wrapped in a function so the return statements are valid PHP; the function
    // name and the $user/$passwd parameters are assumed, not part of the answer.
    function ldap_login($user, $passwd)
    {
        $is_valid_user = false;

        $ds = ldap_connect('ldap.foo.com', 389);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

        // Nothing past this point runs unless the session is upgraded to TLS.
        if (!@ldap_start_tls($ds)) {
            return "";
        }

        // ldap_escape()'s second argument is the set of characters to leave
        // unescaped; it is a string, so pass '' rather than null.
        $bindUser = 'uid='.ldap_escape($user, '', LDAP_ESCAPE_DN).',ou=people,dc=ldap,dc=foo,dc=com';
        if (@ldap_bind($ds, $bindUser, $passwd)) {
            $is_valid_user = true;

            // Look up the bound user's own entry and fetch only the cn attribute.
            $srch = ldap_search($ds, $bindUser, '(objectClass=*)', ['cn']);
            $info = ldap_get_entries($ds, $srch);
            $userdn = $info[0]["dn"];
            $usernm = $info[0]["cn"][0];

            return $usernm;
        } else {
            return "";
        }
    }

    There are also several LDAP libraries available that make LDAP much easier with PHP. I would recommend LdapTools or adldap2.

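A hardened version of the flow the answer describes, added here as an example that is neither the questioner's nor the answerer's code: StartTLS gates the bind, a valid server certificate is demanded, the user name is escaped for the DN context, an empty password is rejected (ldap_bind would otherwise perform an unauthenticated bind), and failures return null instead of "". The function name is an assumption; the host, base DN and attribute names are the question's own.

```php
<?php
// Authenticate a user over LDAP + StartTLS and return their DN and cn, or
// null on any failure. Host, base DN and attributes are the question's own;
// the function name is an assumption.
function ldapAuthenticate(string $user, string $passwd): ?array
{
    // An empty password makes ldap_bind perform an unauthenticated bind,
    // which many directories accept, so reject it before contacting the server.
    if ($user === '' || $passwd === '') {
        return null;
    }
    // URI form of ldap_connect() (the two-argument host/port form is
    // deprecated as of PHP 8.3); the socket is opened lazily, on first use.
    $ds = ldap_connect('ldap://ldap.foo.com:389');
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Demand a valid server certificate. libldap's default TLS_REQCERT level is
    // already "demand"; the point is never to relax it to "never" or "allow".
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // StartTLS is the gate: if negotiation fails nothing below runs, so the
    // password is never sent over the cleartext port-389 session.
    if (!@ldap_start_tls($ds)) {
        error_log('LDAP StartTLS failed: ' . ldap_error($ds));
        ldap_unbind($ds);
        return null;
    }

    // Escape the user name for the DN context before building the bind DN.
    $bindDn = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN)
            . ',ou=people,dc=ldap,dc=foo,dc=com';
    if (!@ldap_bind($ds, $bindDn, $passwd)) {
        ldap_unbind($ds);              // wrong password or unknown user
        return null;
    }

    // Base-scope read of the user's own entry; no user-supplied filter needed.
    $res  = ldap_read($ds, $bindDn, '(objectClass=*)', ['cn']);
    $info = ($res !== false) ? ldap_get_entries($ds, $res) : false;
    ldap_unbind($ds);
    if ($info === false || $info['count'] < 1) {
        return null;
    }
    return ['dn' => $info[0]['dn'], 'cn' => $info[0]['cn'][0] ?? null];
}
```

Whether the per-connection LDAP_OPT_X_TLS_REQUIRE_CERT setting is honoured depends on the libldap build, so test the function once against a server presenting an untrusted certificate and confirm that ldap_start_tls() fails.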
