Problem description
LDAP search multiple DNs in PHP
According to these posts in the php.net manual it should be possible to supply multiple DNs for ldap_search().
However, I can't get the below implementation to work:
```php
$dn[] = 'ou=Red,ou=Teams,ou=Users,dc=example,dc=org';
$dn[] = 'ou=Green,ou=Teams,ou=Users,dc=example,dc=org';
$dn[] = 'ou=Blue,ou=Teams,ou=Users,dc=example,dc=org';
$query = ldap_search($conn, $dn, $filter, $attrs);
```
Everything is fine when passing through any of the individual DN strings, but supplying an array will error with message: 'No such object'.
An obvious workaround for this is to loop over my DN array to fire off separate queries and push everything into one array. I'd like to avoid having to do that, since I'm bringing back 8000+ objects in one DN (Paginated - Example 2) and ~300 in each of the other two.
Is it actually possible to search multiple DNs? Perhaps special syntax (symbol/character) within the single DN string?
Reference solutions
Method 1:
Search requests must contain at a minimum the following parameters:
- the base object at which the search starts (no objects above the base objects are returned)
- the scope of the search: base is the base object itself, one is the base object and one level below the base object, sub is the base object and all entries below the base object.
- a filter which limits the entries returned to those entries which match the assertion in the filter
A list of attributes can also be supplied, though many, but not all, LDAP APIs will request all user attributes if none are supplied in the search request.
In the case listed, set the base object to ou=users,dc=example,dc=com and use an appropriate filter. If the LDAP client must restrict the returned entries to entries that are subordinate to ou=red, ou=green, or ou=blue it may be possible to use a compound extensible match filter like (&(objectClass=inetOrgPerson)(|(ou:dn:=red)(ou:dn:=green)(ou:dn:=blue))) - use the correct object class if the data does not use inetOrgPerson. All LDAP-compliant servers support extensible match filters, but non-compliant servers may not support this standard filter.
It is not possible to use multiple base objects; the scope parameter defines how many subordinate levels, if any, are examined below the base object.
See also
- LDAP: Mastering Search Filters
- LDAP: Search best practices
- LDAP: Programming practices
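The compound filter from Method 1, built from a list of OU names with each value escaped, as an added example that is not part of the original answers. buildOuDnFilter and dnHasOu are hypothetical helper names, the sample DNs are constructed, and dnHasOu only approximates the DN part of the match locally, without a server.

```php
<?php
// Added example: helper names are hypothetical, sample data is constructed.
/** Build (&(objectClass=...)(|(ou:dn:=A)(ou:dn:=B)...)) from OU names. */
function buildOuDnFilter(array $ous, string $objectClass = 'inetOrgPerson'): string
{
    if ($ous === []) {
        throw new InvalidArgumentException('at least one OU name is required');
    }
    $terms = '';
    foreach ($ous as $ou) {
        // LDAP_ESCAPE_FILTER hex-escapes \ * ( ) and NUL, so a value cannot
        // close the assertion early or introduce a wildcard.
        $terms .= '(ou:dn:=' . ldap_escape((string) $ou, '', LDAP_ESCAPE_FILTER) . ')';
    }
    $class = ldap_escape($objectClass, '', LDAP_ESCAPE_FILTER);
    return "(&(objectClass=$class)(|$terms))";
}

/**
 * Local approximation of the DN part of ou:dn:=value: true when any RDN of
 * $dn is ou=<one of $ous>, compared case-insensitively. Assumes single-valued
 * RDNs; the server also tests the entry's own ou attribute values.
 */
function dnHasOu(string $dn, array $ous): bool
{
    $rdns = ldap_explode_dn($dn, 0);   // 0 = keep "type=value" pairs
    if ($rdns === false) return false; // not a parseable DN
    unset($rdns['count']);
    $wanted = array_map('strtolower', $ous);
    foreach ($rdns as $rdn) {
        [$type, $value] = array_pad(explode('=', strtolower($rdn), 2), 2, '');
        if (trim($type) === 'ou' && in_array(trim($value), $wanted, true)) {
            return true;
        }
    }
    return false;
}

// Constructed input: the last OU name carries filter metacharacters.
$ous = ['Red', 'Green', 'Blue)(uid=*'];
echo buildOuDnFilter($ous), PHP_EOL;
// Constructed DNs; the third sits outside ou=Teams yet still matches, because
// the assertion looks at every DN component, not at one fixed parent.
foreach ([
    'uid=amy,ou=Red,ou=Teams,ou=Users,dc=example,dc=org',
    'uid=bob,ou=Yellow,ou=Teams,ou=Users,dc=example,dc=org',
    'uid=cat,ou=red,ou=Contractors,ou=Users,dc=example,dc=org',
] as $dn) {
    echo $dn, ' => ', dnHasOu($dn, $ous) ? 'match' : 'no match', PHP_EOL;
}
```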
Method 2:
Did you see this in the manual?
Those arrays must be of the same size as the link identifier array since the first entries of the arrays are used for one search, the second entries are used for another, and so on.
Basically, your $conn variable needs to be an array of connections equal to the size of your $dn array.
If you have 3 elements in your $dn array, you need 3 elements in your $conn array:
```php
$ds = ldap_connect($ldapserver);
$dn[] = 'ou=Red,ou=Teams,ou=Users,dc=example,dc=org';
$dn[] = 'ou=Green,ou=Teams,ou=Users,dc=example,dc=org';
$dn[] = 'ou=Blue,ou=Teams,ou=Users,dc=example,dc=org';
// Match connection elements to count of dn elements
for ($x = 0; $x < count($dn); $x++)
{
    $conn[] = $ds;
}
// With an array of links, ldap_search() runs one search per element
// and returns an array of result identifiers, one per DN
$query = ldap_search($conn, $dn, $filter, $attrs);
```
(by OmidTahouri, Terry Gardner, Jeremy Harris)