dpcnm2132 2016-07-02 11:14
浏览 157
已采纳

带有TLS的PHP用于安全LDAP

I am trying to use remote LDAP server. For the purpose of security, I am trying to use only secure connection. I am able to get some code working but I am not sure, given the PHP documentation of start TLS itself, that if the following code works only on secure channel. Can anyone help with this please?

$is_valid_user = FALSE;

try {
    $ds = ldap_connect('ldap.foo.com', 389);
    if (! ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)) {
        return "";
    }

    if (! ldap_start_tls($ds)) {
        return "";
    }
} catch(Exception $e) {
    return "";
}

if (! ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    $error = "LDAP Server protocol error.";
    return "";
}

try {
    $bnd = @ldap_bind($ds, 'uid='.$user.', ou=people, dc=ldap, dc=foo, dc=com' , $passwd);

    if ($bnd) {
        $is_valid_user = TRUE;

        $srch=ldap_search($ds, 'dc=ldap, dc=foo, dc=com', "uid=$user");
        $info=ldap_get_entries($ds, $srch);
        $userdn=$info[0]["dn"];
        $usernm=$info[0]["cn"][0];

        return $usernm;
    } else {
        return "";
    }
} catch(Exception $e) {
    return "";
}
  • 写回答

1条回答

  • doulu6929 2016-07-02 20:31
    关注

    Just a few general improvements below. And yes, how that's written it will not continue unless the connection is encrypted via TLS. The LDAP module doesn't throw any exceptions at the moment, so the try/catch block is not really needed. Hard to tell without seeing the rest of your code, but is there a reason you want to return an empty string instead of false or null or some sort of error message?

    $is_valid_user = false;

$ds = ldap_connect('ldap.foo.com', 389);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

if (!@ldap_start_tls($ds)) {
    return "";
}

$bindUser = 'uid='.ldap_escape($user, null, LDAP_ESCAPE_DN).',ou=people,dc=ldap,dc=foo,dc=com';
if (@ldap_bind($ds, $bindUser , $passwd)) {
    $is_valid_user = true;

    $srch = ldap_search($ds, $bindUser, '(objectClass=*)', ['cn']);
    $info = ldap_get_entries($ds, $srch);
    $userdn = $info[0]["dn"];
    $usernm = $info[0]["cn"][0];

    return $usernm;
} else {
    return "";
}

    There are also several LDAP libraries available that make LDAP much easier with PHP. I would recommend LdapTools or adldap2.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?