dpcnm2132 2016-07-02 11:14
浏览 157
已采纳

带有TLS的PHP用于安全LDAP

I am trying to use remote LDAP server. For the purpose of security, I am trying to use only secure connection. I am able to get some code working but I am not sure, given the PHP documentation of start TLS itself, that if the following code works only on secure channel. Can anyone help with this please?

$is_valid_user = FALSE;

try {
    $ds = ldap_connect('ldap.foo.com', 389);
    if (! ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)) {
        return "";
    }

    if (! ldap_start_tls($ds)) {
        return "";
    }
} catch(Exception $e) {
    return "";
}

if (! ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    $error = "LDAP Server protocol error.";
    return "";
}

try {
    $bnd = @ldap_bind($ds, 'uid='.$user.', ou=people, dc=ldap, dc=foo, dc=com' , $passwd);

    if ($bnd) {
        $is_valid_user = TRUE;

        $srch=ldap_search($ds, 'dc=ldap, dc=foo, dc=com', "uid=$user");
        $info=ldap_get_entries($ds, $srch);
        $userdn=$info[0]["dn"];
        $usernm=$info[0]["cn"][0];

        return $usernm;
    } else {
        return "";
    }
} catch(Exception $e) {
    return "";
}
  • 写回答

1条回答 默认 最新

  • doulu6929 2016-07-02 20:31
    关注

    Just a few general improvements below. And yes, how that's written it will not continue unless the connection is encrypted via TLS. The LDAP module doesn't throw any exceptions at the moment, so the try/catch block is not really needed. Hard to tell without seeing the rest of your code, but is there a reason you want to return an empty string instead of false or null or some sort of error message?

    $is_valid_user = false;
    
    $ds = ldap_connect('ldap.foo.com', 389);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    
    if (!@ldap_start_tls($ds)) {
        return "";
    }
    
    $bindUser = 'uid='.ldap_escape($user, null, LDAP_ESCAPE_DN).',ou=people,dc=ldap,dc=foo,dc=com';
    if (@ldap_bind($ds, $bindUser , $passwd)) {
        $is_valid_user = true;
    
        $srch = ldap_search($ds, $bindUser, '(objectClass=*)', ['cn']);
        $info = ldap_get_entries($ds, $srch);
        $userdn = $info[0]["dn"];
        $usernm = $info[0]["cn"][0];
    
        return $usernm;
    } else {
        return "";
    }
    

    There are also several LDAP libraries available that make LDAP much easier with PHP. I would recommend LdapTools or adldap2.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥40 求一款能支持ios15以上的屏蔽越狱插件。比较好用的
  • ¥15 C++ QT对比内存字符(形式不定)
  • ¥30 C++第三方库libiconv 远程安装协助
  • ¥15 https://github.com/youlaitech/vue3-element-admin/blob/master/src/store/modules/user.ts 这2句代码如何理解
  • ¥15 duilib开发文本字串超过长度显示
  • ¥20 mysql的.ibd文件为啥那么多
  • ¥15 C++中采用栈和BFS算法求解迷宫问题
  • ¥15 关于#java#的问题:这是跳转失败出现的界面这是哪个出现问题的servlet(开发工具-ide)
  • ¥15 EBS R12费用采购跨月冲销
  • ¥15 python中用mplfinance如何做到多股同列?