堆栈内存溢出
  简体   繁体   English

如何在 Windows 中使用 PHP 中的 GSS-API 机制执行 LDAP SASL 绑定到 Active Directory?

[英]How to perform a LDAP SASL bind to Active Directory using GSS-API mech in PHP from Windows?

 原文  2013-05-29 15:21:28       php/ active-directory/ ldap/ wamp/ kerberos

问题描述

I have an Active Directory server and a Windows WAMP server hosting PHP web applications that need to be able to authenticate to Active Directory using Kerberos.我有一个 Active Directory 服务器和一个托管 PHP Web 应用程序的 Windows WAMP 服务器,这些应用程序需要能够使用 Kerberos 对 Active Directory 进行身份验证。

I was able to easily connect and bind to the Active Directory host using some sample PHP code, but I'm not sure how to do so with Kerberos.我能够使用一些示例 PHP 代码轻松地连接和绑定到 Active Directory 主机,但我不确定如何使用 Kerberos 来做到这一点。 I have see many forums and blogs detailing how to do this on *NIX machines, but that doesn't help me with my situation.我已经看到许多论坛和博客详细介绍了如何在 *NIX 机器上执行此操作,但这对我的情况没有帮助。

I did use Wireshark and Fiddler to confirm that there is no Kerberos or NTLM negotiating happening.我确实使用 Wireshark 和Fiddler来确认没有 Kerberos 或 NTLM 协商发生。

Sample code I used to connect and bind to LDAP:我用来连接和绑定到 LDAP 的示例代码:

<?php   
   $ldaphost = "example.domain.com";
   $ldapport = 389;
   $ldapuser = "user";
   $ldappass = "password";

    $ldapconn = ldap_connect( $ldaphost, $ldapport )
    or die( "Unable to connect to the LDAP server {$ldaphost}" );

    if ($ldapconn)
    {
        $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass);

        if ($ldapbind)
        {
            echo "LDAP connection successful";
        }
        else
        {
            echo "LDAP connction failed";
        }
    }
?>

Any help will be greatly appreciated, thanks!任何帮助将不胜感激,谢谢!

Update: I've been wrestling with this all day and I think I need to use ldap_sasl_bind(), possibly using GSSAPI as the mechanism... No matter what parameters I put in to ldap_sasl_bind(), I get the following error: 'Unable to bind to server: Unknown authentication method'更新:我一整天都在纠结这个,我想我需要使用 ldap_sasl_bind(),可能使用 GSSAPI 作为机制......无论我给 ldap_sasl_bind() 输入什么参数,我都会收到以下错误:'无法绑定到服务器:未知的身份验证方法'

I'm not sure how to implement GSSAPI, but some examples I've seen show using ldap_start_tls(), but I keep getting a 'Unable to start TLS: Server is unavailable' error.我不确定如何实现 GSSAPI,但我看到的一些示例显示使用 ldap_start_tls(),但我不断收到“无法启动 TLS:服务器不可用”错误。

I don't know if anyone knows anything about ldap_sasl_bind() (which is undocumented by PHP) or ldap_start_tls, but if this is the way I should be going, please point me in the right direction.我不知道是否有人对 ldap_sasl_bind()(PHP 未记录)或 ldap_start_tls 有所了解,但如果这是我应该走的路,请指出正确的方向。

3 个解决方案

解决方案1
 1  2013-06-06 17:32:46

I cannot help with the Kerberos issue yet, as I am still struggling with it myself.我无法帮助解决 Kerberos 问题,因为我自己仍在努力解决这个问题。 However, I can point you in the right direction for TLS.但是,我可以为您指明 TLS 的正确方向。 TLS will at least prevent your credentials from being transmitted over the network in clear text. TLS 至少会阻止您的凭据以明文形式通过网络传输。 TLS requires proper configuration of OpenLDAP. TLS 需要正确配置 OpenLDAP。 At the very least, you can configure your client to not request or check any server certificates.至少,您可以将客户端配置为不请求或检查任何服务器证书。 You do this by adding the following line to the top of your ldap.conf configuration file.为此,您可以将以下行添加到 ldap.conf 配置文件的顶部。

TLS_REQCERT never

Your ldap.conf file should be located in C:\\ or C:\\openldap\\sysconf , depending on your version of PHP and OpenLDAP.您的 ldap.conf 文件应位于C:\\C:\\openldap\\sysconf 中,具体取决于您的 PHP 和 OpenLDAP 版本。 The file most likely does not yet exist in your setup.该文件很可能在您的设置中尚不存在。 You may also be able to set the configuration via an environment variable as well putenv(TLS_REQCERT=never);您也可以通过环境变量以及putenv(TLS_REQCERT=never);设置配置putenv(TLS_REQCERT=never); , but I have not tried that myself, and there appear to be mixed results reported by others. ,但我自己没有尝试过,其他人报告的结果似乎好坏参半。

解决方案2
 0 已采纳  2013-06-02 11:49:14

What you need to do: Make sure that the LDAP interface in PHP is compiled against SASL, supports GSS-API mech and either uses keytabs or the Windows-own SSPI interface.您需要做什么:确保 PHP 中的 LDAP 接口是针对 SASL 编译的,支持 GSS-API 机制,并且使用密钥表或 Windows 自己的 SSPI 接口。 Good luck.祝你好运。

解决方案3
 0  2020-07-06 17:03:56

I solved this problem on windows by creating executable based on c++ ldap_bind_s.我通过创建基于 c++ ldap_bind_s 的可执行文件在 Windows 上解决了这个问题。 I use this executable as a command line with the parameters: host, username,password.我将此可执行文件用作带有参数的命令行:主机、用户名、密码。 This is the only way I got it work for GSSAPI.这是我让它为 GSSAPI 工作的唯一方法。

WINLDAPAPI ULONG LDAPAPI ldap_bind_s(
  LDAP        *ld,
  const PSTR  dn,
  const PCHAR cred,
  ULONG       method
);

I used LDAP_AUTH_NEGOTIATE.我使用了 LDAP_AUTH_NEGOTIATE。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 PHP将ldap绑定到活动目录 - php bind ldap to active directory 如何在PHP中使用ldap_sasl_bind连接到ldap - how connect to ldap with ldap_sasl_bind in php 不使用dn字符串而在Symfony 3中使用LDAP连接/绑定到Active Directory(Windows) - Connect/Bind to Active Directory (Windows) using LDAP in Symfony 3 without using a dn string 如何使用 PHP ldap_modify 更新 Active Directory 中的照片 - How to update photo in Active Directory using PHP ldap_modify 如何在php中使用LDAP从Active Directory搜索和更新用户数据? - How search and update user data from Active Directory using LDAP in php? 使用LDAP和PHP查询Active Directory信息 - Query Active Directory Info using LDAP and PHP 通过 Active Directory 使用 LDAP 在 PHP 中进行身份验证 - Authenticating in PHP using LDAP through Active Directory 无法通过 SSL 在 php 中针对 Active Directory LDAP 进行绑定? - Can't bind in php against Active Directory LDAP over SSL? 如何在PHP中通过ldap获取活动目录的密码? - How to get password of active directory by ldap in php? 如何使用 LDAP 绑定多个 Active Directory OU - How do I bind with multiple Active Directory OU with LDAP
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM