How do I re-bind to LDAP with an authorized account?

I am working on a project for a university. The University requires that all user login information be stored in LDAP and retrieved via PHP. Normally I would just bind the LDAP connection with the credentials the user entered (so the individual user's username and password), however now I am required to authenticate their username/password with LDAP, and then re-bind the connection with an "authorized account" username and password supplied by the department, and then perform the LDAP search from the authenticated account.

Basically I need to use the user's login/password just to ensure they exist in LDAP. If they do, then we must switch to a different account username/password to perform the LDAP search for the user's information.

How would I do this? I have no idea how to re-bind in this manner but still perform the proper search on the user.

EDIT: is rebinding an LDAP account as simple as including a 2nd bind statement after the first? e.g.:

// $connect is assumed to come from an earlier ldap_connect() call.
// Refuse an empty password before it reaches the server: a bind with a DN and an
// empty password is an "unauthenticated bind" (RFC 4513, 5.1.2) and some servers
// answer it with success while granting only anonymous rights.
if ($password === '')
{
    ldap_close($connect);
    echo "No password supplied.";
}
// ldap_escape() keeps a crafted username from altering the DN (LDAP injection).
elseif (!($bind=@ldap_bind($connect, "uid=".ldap_escape($username, '', LDAP_ESCAPE_DN).",ou=*****,dc=***,dc=edu", $password)))
{
    ldap_close($connect);
    echo "There was an error binding your LDAP account.";
}
else // we have bound to the ldap connection as the user; we must re-bind as the authorized account
{
    if (!($bind=@ldap_bind($connect, "uid=".$authUN.",ou=******,dc=***,dc=edu", $authPW)))
    {
        ldap_close($connect);
        echo "There was a problem binding to the authorized account.";
    }
    else // now we are bound as the authorized account
    {
        echo "success!";
    }
}

..and then I would just perform the search normally via ldap_search()?

  • There is no such thing as 're-bind'. There is only BIND
  • A connection begins with an anonymous authentication state
  • Each BIND request resets the connection state to an anonymous state
  • Each successful BIND sets the connection state to the authorization state associated with the authentication ID
  • A failed BIND request results in the connection retaining an anonymous state

The semantics of BIND are described fully in RFC4513.
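The BIND rules listed above, as an added example that is not part of this answer or of the question. It is a small Python model of a connection's authorization state (RFC 4513: new connection anonymous, every BIND resets to anonymous, only a successful name/password BIND sets an identity) plus the two-step flow the asker describes, run against a constructed in-memory directory. The base DN, service-account DN, entries and passwords are all made up for the example, and the "anonymous callers may not read user entries" rule is an assumed ACL; no real LDAP library or server is involved.

```python
"""Model of the BIND rules from RFC 4513 and the two-step login flow from the
question, against a constructed in-memory directory. No network and no LDAP
library: it exercises the connection-state rules, not the wire protocol."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    dn: str
    password: Optional[str]              # None: entry carries no userPassword
    attrs: dict = field(default_factory=dict)


class FakeDirectory:
    """Stand-in for the campus LDAP server, holding constructed sample data.

    allow_unauthenticated models servers that still answer "success" to a BIND
    with a DN and an empty password. RFC 4513 section 5.1.2 says servers SHOULD
    refuse that by default, but not every deployment does."""

    def __init__(self, entries, allow_unauthenticated=True):
        self.entries = {e.dn.lower(): e for e in entries}
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind_ok(self, dn, password):
        """True when the server would return resultCode success for this BIND."""
        if dn == "" and password == "":
            return True                              # anonymous bind (5.1.1)
        if dn != "" and password == "":
            return self.allow_unauthenticated        # unauthenticated bind (5.1.2)
        e = self.entries.get(dn.lower())
        return e is not None and e.password is not None and e.password == password

    def search_uid(self, base, uid, authz_dn):
        """Attributes of the entry with this uid under base, or None.
        Assumed ACL: anonymous callers may not read user entries at all."""
        if authz_dn is None:
            return None
        for e in self.entries.values():
            if e.dn.lower().endswith(base.lower()) and e.attrs.get("uid") == uid:
                return dict(e.attrs)
        return None


class LdapConnection:
    """One client connection. authz_dn is None while the state is anonymous."""

    def __init__(self, server):
        self.server = server
        self.authz_dn = None                         # new connection: anonymous

    def bind(self, dn, password):
        # Every BIND request first resets the connection to anonymous ...
        self.authz_dn = None
        if not self.server.simple_bind_ok(dn, password):
            return False                             # ... and a failed one leaves it there.
        # A successful name/password BIND sets the authorization identity; an
        # anonymous or unauthenticated BIND also reports success but grants none.
        if dn != "" and password != "":
            self.authz_dn = dn
        return True

    def search_uid(self, base, uid):
        return self.server.search_uid(base, uid, self.authz_dn)


def login_and_lookup(conn, base, uid, password, service_dn, service_password):
    """The question's flow: prove the user's password with a BIND as the user,
    then BIND again as the department's authorized account and search."""
    if password == "":
        # Never let an empty field reach the server: it would be an
        # unauthenticated bind, which some servers accept as "success".
        raise ValueError("empty password would be an unauthenticated bind")
    user_dn = f"uid={uid},{base}"
    if not conn.bind(user_dn, password) or conn.authz_dn != user_dn:
        return None                                  # bad credentials; conn is anonymous again
    # Second BIND on the same connection: the only "rebind" LDAP has.
    if not conn.bind(service_dn, service_password):
        raise RuntimeError("bind as the authorized account failed")
    return conn.search_uid(base, uid)


# Constructed sample data; the real ou/dc values in the question are redacted.
BASE = "ou=people,dc=example,dc=edu"
SERVICE_DN = "cn=webapp,ou=services,dc=example,dc=edu"
DIRECTORY = FakeDirectory([
    Entry(f"uid=alice,{BASE}", "correct horse",
          {"uid": "alice", "cn": "Alice Liddell", "mail": "alice@example.edu"}),
    Entry(f"uid=bob,{BASE}", "hunter2", {"uid": "bob", "cn": "Bob Example"}),
    Entry(SERVICE_DN, "s3rv1ce-secret", {"cn": "webapp"}),
])

if __name__ == "__main__":
    print(login_and_lookup(LdapConnection(DIRECTORY), BASE, "alice",
                           "correct horse", SERVICE_DN, "s3rv1ce-secret"))
    print(login_and_lookup(LdapConnection(DIRECTORY), BASE, "alice",
                           "wrong", SERVICE_DN, "s3rv1ce-secret"))
```

The two behaviours worth noticing are the ones the bullet list states: after a successful user bind, a failed bind as the service account does not keep the user's identity, the connection is anonymous; and an empty password produces a "successful" bind that carries no identity, which is why the check for an empty password has to happen on the client before the first bind rather than by looking at the bind result.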

Why don't you just search for the user information with the authorized account and if it exists return it and if not just ignore it?

I'm not satisfied with any of these answers. It is possible to rebind on the same connection; however, it is still a BIND. The python-ldap3 module has a method specifically for this called "rebind". Furthermore, in a campus or corporate environment it is often required (as in my case) to first bind via the admin credentials, and then rebind or bind again to authenticate the user using the supplied user credentials.