问题
I have to write LDAP editor in PHP. LDAP is used for store network devices (switch,AP,..). So, it is not normal functionality and I found lot of problems. The biggest problem is:
Is possible to read all objectClasses from database and all attributes for given objectClass?
Thanks for all replies!! Ajax
回答1:
why not?
There will be a subschema entry per server which comprises all the objectclasses and attributetypes. (including AD)
But the subschema entry dn may be different in each implementation, this can be looked up from rootDSE attribute "subschemasubentry"
-AD example-
ldapsearch -s base -b "" -D cn=Administrator,cn=users,dc=domain,dc=com -w 'password' -x -h 192.168.3.10 objectClass=* subschemasubentry
**OUTPUT:**
dn:
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domain,DC=com
-OpenLdap example-
ldapsearch -s base -b "" -D cn=Administrator,dc=capua,dc=com -w password -x -h 192.168.3.11 subschemaSubentry
**OUTPUT:**
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
subschemaSubentry: cn=Subschema
Also, note the search scope. It should be BASE_LEVEL, otherwise it wont return any result.
After this search the subschema for objectclasses and attributetypes.
ldapsearch -s base -b "cn=subschema" -D cn=Administrator,dc=capua,dc=com -w password -x -h 192.168.3.11 objectclass=subschema objectclasses attributetypes
This will return all the objectclasses and attributetypes as string. You dont have an option of querying list of attribute of a given objectclass. You can ONLY get the ldif output of all stored objetclass and attribute. Probably you can write a parser or create some ldif object if that works. But if its AD you might have little flexibility by directly querying cn=Schema,cn=configuration.
Have a look at the php code. Assuming $ld is connected. Some directory server allows anonymous read on the subschema, in which case you dont need to bind.
//Get the subschema dn from rootDSE
$search = ldap_read($ld, "", "objectclass=*", array('*', 'subschemasubentry'));
$entries = ldap_get_entries($ld, $search);
$schemadn = $entries[0]["subschemasubentry"][0];
print "Searching ". $schemadn . "<br/>";
// Read all objectclass, attributetype from subschema
$schsearch = ldap_read($ld, $schemadn, "objectClass=subSchema", array('objectclasses', 'attributetypes'));
$schentries = ldap_get_entries($ld, $schsearch);
$count = $schentries[0]["attributetypes"]["count"];
print "Printing all attribute types <br/>";
for ($i=0; $i<$count; $i++)
print $schentries[0]["attributetypes"][$i] . "<br/>";
$count = $schentries[0]["objectclasses"]["count"];
print "Printing all objectclasses <br/>";
for ($i=0; $i<$count; $i++)
print $schentries[0]["objectclasses"][$i] . "<br/>";
回答2:
Perhaps you should have a look at Zend_Ldap, the LDAP component in the Zend Framework. It allows schema introspection for OpenLDAP servers and those compatible with OpenLDAP. The code may provide you with some hints on how to do this.
Please note that this procedure is not possible with an Active Directory server as they store the schema information in a form that cannot be retrieved by ext/php due to the lack of paging support.
来源:https://stackoverflow.com/questions/5026546/get-all-possible-attributes-and-all-objectclasses-from-openldap-in-php