2016-09-16 108 views
1

I don't know how to get the user's unique identifier (SID) from AD. Code snippet: PHP LDAP get user SID

...
// Escape the user-supplied name before it goes into the filter; otherwise the value can alter the filter (LDAP injection)
$user = ldap_escape($this->username, '', LDAP_ESCAPE_FILTER);
// LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) also matches nested group membership
$filter = "(&(samaccountname=".$user.")(memberOf:1.2.840.113556.1.4.1941:=CN=GROUP_NAME,OU=Security,DC=something,DC=something))";
$attribute = array("cn", "objectsid", "description", "group", "member", "samaccountname");
$sr = ldap_search($this->conn_ldap, $this->ldap_dn, $filter, $attribute);

if ($sr)
{
    $this->info = ldap_get_entries($this->conn_ldap, $sr);
    if ($this->info["count"] == 1) {
        ldap_close($this->conn_ldap);
        return true;
    }
    ...

Information I can pull:

echo $this->info[0]["cn"][0]; 

echo $this->info[0]["objectsid"][0]; 

In the first output I can see the user's name; in the second, something like 0�@�d^�WL7�U. I believe the SID should look like S-......

+0

The 2nd link from a Google search for 'PHP LDAP get SID' throws up some code worth trying: http://php.net/manual/en/function.ldap-get-values-len.php (see derek dot ethier's comment) & http://l3rady.com/index.html%3Fp=435.html –

+0

Add a "+" to the $attributes array and see what the result is then. That might reveal some additional information. – heiglandreas

Answers

2

I found a solution on another site (see below). Basically this function is a converter that makes the SID visible:

public static function SIDtoString($ADsid)
{
    $sid = "S-";
    // One two-character hex string per byte of the binary objectSid
    $sidinhex = str_split(bin2hex($ADsid), 2);
    // Byte 0 = Revision Level
    $sid = $sid.hexdec($sidinhex[0])."-";
    // Byte 1 = count of sub authorities
    $subauths = hexdec($sidinhex[1]);
    // Bytes 2-7 = 48 Bit Authority, big-endian
    $sid = $sid.hexdec($sidinhex[2].$sidinhex[3].$sidinhex[4].$sidinhex[5].$sidinhex[6].$sidinhex[7]);
    // Loop through Sub Authorities, which start at byte 8
    for ($i = 0; $i < $subauths; $i++) {
        $start = 8 + (4 * $i);
        // Each sub authority is a 32 Bit (4 Byte) little-endian integer
        $sid = $sid."-".hexdec($sidinhex[$start+3].$sidinhex[$start+2].$sidinhex[$start+1].$sidinhex[$start]);
    }
    return $sid;
}

https://www.null-byte.org/development/php-active-directory-ldap-authentication/

1

As an alternative to the example, this can be done entirely with PHP's unpack function. The binary structure of the objectSID is best documented in this MSDN doc:

Revision (1 byte): An 8-bit unsigned integer that specifies the revision level of the SID. This value MUST be set to 0x01.

SubAuthorityCount (1 byte): An 8-bit unsigned integer that specifies the number of elements in the SubAuthority array. The maximum number of elements allowed is 15.

IdentifierAuthority (6 bytes): A SID_IDENTIFIER_AUTHORITY structure that indicates the authority under which the SID was created. It describes the entity that created the SID. The Identifier Authority value {0,0,0,0,0,5} denotes SIDs created by the NT SID authority.

SubAuthority (variable): A variable-length array of unsigned 32-bit integers that uniquely identifies a principal relative to the IdentifierAuthority. Its length is determined by SubAuthorityCount.

/**
 * Decode the binary SID into its readable form.
 *
 * @param string $value
 * @return string
 */
function decodeSID($value)
{
    # revision - 8bit unsigned int (C1)
    # count - 8bit unsigned int (C1)
    # 2 bytes skipped - the top 16 bits of the 48-bit authority, zero for every well-known authority
    # ID - 32bit unsigned long, big-endian order (the low 32 bits of the authority)
    $sid = @unpack('C1rev/C1count/x2/N1id', $value);
    $subAuthorities = [];

    if (!isset($sid['id']) || !isset($sid['rev'])) {
        throw new \UnexpectedValueException(
            'The revision level or identifier authority was not found when decoding the SID.'
        );
    }

    $revisionLevel = $sid['rev'];
    $identifierAuthority = $sid['id'];
    $subs = isset($sid['count']) ? $sid['count'] : 0;

    // The sub-authorities depend on the count, so only get as many as the count, regardless of data beyond it
    for ($i = 0; $i < $subs; $i++) {
        # Each sub-auth is a 32bit unsigned long, little-endian order, 4 bytes each starting at byte 8
        $subAuthorities[] = unpack('V1sub', substr($value, 8 + ($i * 4), 4))['sub'];
    }

    # Tack on the 'S-' and glue it all together...
    return 'S-'.$revisionLevel.'-'.$identifierAuthority.implode(
        preg_filter('/^/', '-', $subAuthorities)
    );
}
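An added example (my code, not from the question or either answer) that follows the MS-DTYP layout quoted above in both directions: it decodes objectSid with the length and range checks the two converters above skip, encodes a SID string back to binary, and builds an escaped objectSid filter so the principal can be found by its SID later, a value that does not change when sAMAccountName is renamed. It assumes 64-bit PHP 7 or later with ext/ldap loaded; the sample SID is constructed.

```php
<?php
// Added example, not code from the question or either answer. Layout per
// MS-DTYP: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
// IdentifierAuthority (6 bytes), then count x 32-bit little-endian sub-authorities.
// Assumes 64-bit PHP >= 7.0 with the ldap extension loaded.

function sidToString(string $bin): string
{
    if (strlen($bin) < 8) {
        throw new UnexpectedValueException('objectSid is shorter than its 8-byte header');
    }
    $h = unpack('Crev/Ccount/n3auth', $bin);
    // Reject values that violate the documented constraints instead of silently producing a plausible string
    if ($h['rev'] !== 1 || $h['count'] > 15) {
        throw new UnexpectedValueException('objectSid has an invalid revision or sub-authority count');
    }
    if (strlen($bin) !== 8 + 4 * $h['count']) {
        throw new UnexpectedValueException('objectSid length does not match its sub-authority count');
    }
    $authority = ($h['auth1'] << 32) | ($h['auth2'] << 16) | $h['auth3'];
    $subs = $h['count'] > 0 ? array_values(unpack('V*', substr($bin, 8))) : [];
    return 'S-1-' . $authority . ($subs ? '-' . implode('-', $subs) : '');
}

function stringToSid(string $sid): string
{
    if (!preg_match('/^S-1-(\d+)((?:-\d+){0,15})$/', $sid, $m)) {
        throw new InvalidArgumentException("Not a well-formed SID string: $sid");
    }
    $authority = (int) $m[1];
    $subs = $m[2] === '' ? [] : array_map('intval', explode('-', ltrim($m[2], '-')));
    $bin = pack('CCnnn', 1, count($subs),
        ($authority >> 32) & 0xFFFF, ($authority >> 16) & 0xFFFF, $authority & 0xFFFF);
    foreach ($subs as $s) {
        $bin .= pack('V', $s);
    }
    return $bin;
}

// Constructed sample value (not taken from the page): a typical domain user SID.
$sample = 'S-1-5-21-3623811015-3361044348-30300820-1013';
if (sidToString(stringToSid($sample)) !== $sample) {
    throw new RuntimeException('SID round trip failed');
}

// The SID survives renames of sAMAccountName, so store it and search on it; the binary filter value must be escaped.
$filter = '(objectSid=' . ldap_escape(stringToSid($sample), '', LDAP_ESCAPE_FILTER) . ')';
echo $filter, PHP_EOL;   // pass this to ldap_search() exactly as the question's snippet does
```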