将Windows Server中的Active Directory与Laravel 5集成为多个用户角色
[英]Integrating Active Directory in Windows Server with Laravel 5 for multiple user roles
问题描述
I am working in a laravel application with multiple type of users. 
我正在使用具有多种类型用户的laravel应用程序。
Users 用户数
-
Admin -
User-I -
User-II -
User-III
I have already made CRUD feature for user in my App and roles are assigned during user creation. 我已经在我的应用程序中为用户创建了CRUD功能,并且在创建用户时分配了角色。 I have following structure of User and Role table. 我具有User和Role表的以下结构。
Role Table 角色表
Schema::create('roles', function (Blueprint $table) {
$table->increments('id');
$table->string('role');
$table->string('description');
$table->timestamps();
});
And, 和,
User Table 用户表
Schema::create('users', function (Blueprint $table) {
$table->increments('id');
$table->integer('role_id');
$table->string('name');
$table->string('email')->unique();
$table->string('password');
$table->rememberToken();
$table->timestamps();
});
Admin user is created using Seeder and other users are created from application. 使用Seeder创建Admin用户,并从应用程序创建其他users 。
I have nearly completed my application and at the end I've got problem with user authentication . 我的申请已经接近完成,最后我遇到了用户身份验证的问题。
For my application, I need to sync User-I type from Active Directory . 对于我的应用程序,我需要从Active Directory同步User-I类型。 So, I have limited CRUD facility to User-II and User-III . 因此,我将CRUD功能限制为User-II和User-III 。 I don't want to create new User-I type user and want to import such user details from active directory. 我不想创建新的User-I类型的用户,并且想要从活动目录中导入此类用户详细信息。 Any changes made to User-I should be reflected in my app. 对User-I所做的任何更改都应反映在我的应用中。
This feature is required in my app lately. 我的应用最近需要此功能。
I've already visited Adldap2 - Laravel and I haven't understand how to use this in my case. 我已经访问过Adldap2-Laravel ,但我不了解如何在我的情况下使用它。
Is there any way to import such user details to my application ? 有什么方法可以将此类用户详细信息导入我的应用程序?
And another problem is, 另一个问题是
After importing such user details, I need to authenticate User-I from Active Directory and other users from my application users table. 导入此类用户详细信息后,我需要对Active Directory中的User-I和应用程序users表中的其他用户进行身份验证。 Is it possible in Laravel ? Laravel有可能吗?
I'm new to Windows Server and use of Active directory . 我是Windows Server的新手,并且使用Active Directory 。 Any Kind of suggestion is appreciated. 任何形式的建议表示赞赏。
1 个解决方案
解决方案1
0 已采纳 2017-06-30 23:47:31
Yes, this is possible, but it's a little messy. 是的,这是可能的,但是有点混乱。
I would suggest you set up all users accounts within Laravel. 我建议您在Laravel中设置所有用户帐户。 You can add a flag to the Laravel user if it is an AD user (in which case authentication would be based on LDAP) or a CRUD user (in which case you would need to touch the Laravel database to check if the stored password works). 如果是AD用户(在这种情况下身份验证将基于LDAP)或CRUD用户(在这种情况下,您需要触摸Laravel数据库以检查存储的密码是否有效),则可以向Laravel用户添加标志。 。 You'll need to write an extra step in the login process to either AJAX the username immediately or a two step screen where the user only enters his username and clicks enter. 您需要在登录过程中写一个额外的步骤来立即将用户名AJAX或两步式屏幕(用户仅输入其用户名并单击Enter)。 This way you can know which way to authenticate based on the user's flag. 这样,您可以基于用户的标志知道哪种身份验证方法。
If all you need to do is authenticate against AD based on a set of users KNOWN as user-I type, this is easy with straight php - just check to see if you can bind with username & password. 如果您需要做的只是基于一组用户身份为I的用户对AD进行身份验证,那么直接使用php即可轻松实现-仅检查您是否可以使用用户名和密码进行绑定。 If it binds, they are authenticated and can be let into your app. 如果绑定,则它们将通过身份验证,并可以进入您的应用程序。
However, if you are looking to sync with AD on some timeline where you would actually pull data on some subset of the AD userbase, in order to make a decision on who will be a user, you have to get more involved. 但是,如果您希望在某个时间轴上与AD同步,而您实际上会在AD用户群的某个子集上提取数据,则要决定谁将是用户,就必须更多地参与其中。 It is also a separate process from the login/authentication. 这也是与登录/身份验证不同的过程。
If this is the case, you will need a Windows service account within AD. 在这种情况下,您将需要在AD中使用Windows服务帐户。 Using those credentials, log in to AD from Larvel and do your ldap_searches to pull a set of entries from AD. 使用这些凭据,从Larvel登录到AD,然后执行ldap_searches从AD中提取一组条目。 Pseudo code to illustrate direction for PHP search/filter: 伪代码说明PHP搜索/过滤器的方向:
$filter = "(&($extLocField=$extLocName)(|(objectCategory=person)(mail=*)))";
$result = ldap_search($ldap_con,"dc=mycompany,dc=local",$filter) or exit("Unable to search");
Once you have the entries (ldap_get_entries from your search result) you can then pick your new users based on the filtering criteria 获得条目(搜索结果中的ldap_get_entries)后,即可根据过滤条件选择新用户
$entries = ldap_get_entries($ldap_con, $result);
Once you have a new group of users, your code will need to batch create new users and add the AD flag to the user. 有了新的用户组后,您的代码将需要批量创建新用户并将AD标志添加到该用户。
Trying to sync with AD using a service account is not bad with straight PHP. 尝试使用服务帐户与AD同步对于直接的PHP来说还不错。 You don't really need another package ( Adldap2 - Laravel ). 您实际上并不需要其他软件包(Adldap2-Laravel)。 However, trying to sync, and have two different login methods AND trying to create new users from AD based on some timeline scenario seems like it's trying to do a lot. 但是,尝试进行同步并使用两种不同的登录方法,并尝试根据某个时间轴方案从AD创建新用户似乎在做很多事情。 The above is one answer as to how. 上面是关于如何的一个答案。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.