ldap_compare

(PHP 4 >= 4.0.2, PHP 5, PHP 7, PHP 8)

ldap_compare — Compare value of attribute found in entry specified with DN

说明

ldap_compare(
    LDAP\Connection $ldap,
    string $dn,
    string $attribute,
    string $value,
    ?array $controls = null
): bool|int

Compare value of attribute with value of same attribute in an LDAP directory entry.

参数

ldap: 通过 ldap_connect() 返回的 LDAP\Connection 实例。
dn: The distinguished name of an LDAP entity.
attribute: The attribute name.
value: The compared value.
controls: Array of LDAP Controls to send with the request.

返回值

Returns true if value matches otherwise returns false. Returns -1 on error.

更新日志

版本	说明
8.1.0	现在 `ldap` 参数接受 LDAP\Connection 实例，之前接受有效的 `ldap link` resource。
8.0.0	`controls` is nullable now; previously, it defaulted to `[]`.
7.3.0	Support for `controls` added

示例

The following example demonstrates how to check whether or not given password matches the one defined in DN specified entry.

示例 #1 Complete example of password check

<?php

$ds=ldap_connect("localhost");  // assuming the LDAP server is on this host

if ($ds) {

    // bind
    if (ldap_bind($ds)) {

        // prepare data
        $dn = "cn=Matti Meikku, ou=My Unit, o=My Company, c=FI";
        $value = "secretpassword";
        $attr = "password";

        // compare value
        $r=ldap_compare($ds, $dn, $attr, $value);

        if ($r === -1) {
            echo "Error: " . ldap_error($ds);
        } elseif ($r === true) {
            echo "Password correct.";
        } elseif ($r === false) {
            echo "Wrong guess! Password incorrect.";
        }

    } else {
        echo "Unable to bind to LDAP server.";
    }

    ldap_close($ds);

} else {
    echo "Unable to connect to LDAP server.";
}
?>

注释

警告

ldap_compare() can NOT be used to compare BINARY values!

改进此页面

了解如何改进此页面 • 提交拉取请求 • 报告一个错误

＋添加备注

用户贡献的备注 4 notes

down

chuck+ldap at 2006 dot snew dot com ¶

20 years ago

Just a side note that this is not how you'd ever AUTHENTICATE someone, just an example code.

The common way to authenticate is to get the users name, use search and perhaps selection to the user to get her DN (single value) then attempt to BIND to the ldapserver using that dn and the offered password.  If it works, then it's the right password.

Note that the password offered MUST NOT BE EMPTY or many LDAPs will presume you meant to authenticate anonymously and it will succeed, leaving you thinking it's the right password.

down

oudejans at zeelandnet dot nl ¶

19 years ago

With PHP 4.3.* is Password no longer a valid attribute.. try to use userPassword

down

Brian Kerhin <kerhin at bigfoot dot com> ¶

23 years ago

Not probably, will.  With PHP 4.0.4 and openldap 1.2.9 this little script, even with the correct attributes for the password does not do the job.  Would superb if it did!

down

-1

334647 at swin dot edu dot au ¶

24 years ago

Interesting example. Apart from the fact that very few people would allow comaprisions of the password attribute for security reasons. The attribute name of "password" does not match the usual schemas.



The usual method of user id + password verification is to attempt to bind using the supplied credentials.



Ldap compare on password values will probably fail with ns directroy server and openldap v2+ becuase of server support for password hashing.