ldap 身份验证失败,php ldap_connect 错误 49 / 52f

【问题标题】:ldap authentification faild with php ldap_connect with error 49 / 52fldap 身份验证失败,php ldap_connect 错误 49 / 52f
【发布时间】:2019-08-11 01:25:26
【问题描述】:

首先,我的凭据经过了 100 次的良好测试。

我的 PHP 代码:

$ldapurl = "IP_ADDRESS";
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$ldapconn = ldap_connect($ldapurl) or die ("no con"); 
ldap_set_option($ldapconn,LDAP_OPT_PROTOCOL_VERSION,3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
$dn = "user@domain.local";
$ps = 'Password';
$ldapbind = @ldap_bind($ldapconn,$dn,$ps);

我可以匿名绑定成功,但是当我添加用户和密码时,绑定失败。

LDAP 调试:

ldap_init: trying c:\openldap\sysconf\ldap.conf
ldap_init: HOME env is NULL
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
ldap_create
ldap_url_parse_ext(ldap://192.168.17.2:389)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.17.2:389
ldap_new_socket: 500
ldap_prepare_socket: 500
ldap_connect_to_host: Trying 192.168.17.2:389
ldap_pvt_connect: fd: 500 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 14BADDF0 msgid 1
wait4msg ld 14BADDF0 msgid 1 (infinite timeout)
wait4msg continue ld 14BADDF0 msgid 1 all 1
** ld 14BADDF0 Connections:
* host: 192.168.17.2  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Mar 20 12:55:22 2019


** ld 14BADDF0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 14BADDF0 request count 1 (abandoned 0)
** ld 14BADDF0 Response Queue:
   Empty
  ld 14BADDF0 response count 0
ldap_chkResponseList ld 14BADDF0 msgid 1 all 1
ldap_chkResponseList returns ld 14BADDF0 NULL
ldap_int_select
read1msg: ld 14BADDF0 msgid 1 all 1
read1msg: ld 14BADDF0 msgid 1 message type bind
read1msg: ld 14BADDF0 0 new referrals
read1msg:  mark request completed, ld 14BADDF0 msgid 1
request done: ld 14BADDF0 msgid 1
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903D3, comment: AcceptSecurityContext error, data 52f, v3839>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_err2string
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed

错误代码是 49 / 52F 

Account Restrictions are preventing this user from signing in.

但是我对这个用户没有任何限制。我已经从控制台成功地将自己连接到 AD。

我已经尝试使用$dn = "cn=user,dc=domain,dc=local" 或其他组合但没有成功

【问题讨论】:

  • 您实际上是通过不安全的连接连接到 AD 的?不需要 ldaps 或 start_tls 吗? AD实际上允许匿名绑定?您是否与您的 AD 管理员验证了这一点?因为默认的 AFAIK 是 not 允许匿名登录...

标签: php ldap


【解决方案1】:

请试试这个代码,我刚用过。它对我有用:

$ldap_password = 'password';
$ldap_username = 'email_address';
$ldap_connection = @ldap_connect(IP address);
if (FALSE === $ldap_connection){
    echo 'Uh-oh, something is wrong...';
}

// We have to set this option for the version of Active Directory we are using.
@ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
@ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.
$ad_users = [];
if (@ldap_bind($ldap_connection, $ldap_username, $ldap_password)){ 
    $ldap_base_dn = 'DC=domain,DC=com';
    $search_filter = '(&(objectCategory=person)(samaccountname=*))';
    $attributes = array();
    $attributes[] = 'givenname';
    $attributes[] = 'mail';
    $attributes[] = 'samaccountname';
    $attributes[] = 'sn';
    $result = @ldap_search($ldap_connection, $ldap_base_dn, $search_filter, $attributes);   

    if ($result){
        $entries = @ldap_get_entries($ldap_connection, $result);

        for ($x=0; $x<$entries['count']; $x++){
            if (!empty($entries[$x]['givenname'][0]) &&
                 !empty($entries[$x]['mail'][0]) &&
                 !empty($entries[$x]['samaccountname'][0]) &&
                 !empty($entries[$x]['sn'][0]) &&
                 'Shop' !== $entries[$x]['sn'][0] &&
                 'Account' !== $entries[$x]['sn'][0]){
                $ad_users[strtoupper(trim($entries[$x]['samaccountname'][0]))] = array('email' => strtolower(trim($entries[$x]['mail'][0])),'first_name' => trim($entries[$x]['givenname'][0]),'last_name' => trim($entries[$x]['sn'][0]));
            }
        }
    }
    ldap_unbind($ldap_connection); // Clean up after ourselves.
}

echo "Retrieved ". count($ad_users) ." Active Directory users\n";
echo '<pre>';print_r($ad_users);echo '</pre>';

【讨论】:

猜你喜欢
  • 2018-02-22
  • 1970-01-01
  • 1970-01-01
  • 2011-05-25
  • 2016-08-20
  • 2020-04-14
  • 2015-04-19
  • 2016-02-05
  • 1970-01-01
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode