PHP Active Directory authentication with Kerberos

I'm currently integrating a CMS (developed in PHP) authentication with Active Directory. This specific Active Directory only allows authentication through Kerberos, or ldaps:// (but this last one is not the most wanted since I'll have to use absolute paths).

I've been searching the web for anything about PHP AD Kerberos Authentication, but found nothing. Can anyone point me in the right direction?

Thanks in advance.

If you are using Active Directory, it's possible your webserver is IIS, which has inbuilt Kerberos*.. then just let the browser & webserver handle the authentication and use some PHP like:

$user = isset($_SERVER['AUTH_USER']) ? $_SERVER['AUTH_USER'] : false;
if ((false === $user) or ('' == $user)) {
    // Divert to incorrect password page..
    // MSIE typically tries three times, Kerb/NTLM/Plain
    // FF will only try NTLM/Plain if configured for NTLM
    // Chrome.. won't work with this at all.. not that I have discovered.
    // If testing locally using Apache, user will be 0
}

Now you can do SSO using Kerberos, works a charm.

*: Called "Integrated Windows Authentication" http://support.microsoft.com/kb/324274 and must be enabled in browser by setting "Security Zone" to "Local Intranet".. which may happen if the IIS box is actually on the Local Intranet.. but it depends on the SPN and the domain the User's box and IIS box and any trust relationships.. if it's on a single domain with the domain name/machine name the same it should work. If you are clustering or anything fun, expect a major headache, rather than just a normal headache. You can script/GPO the IE settings if you feel the need..

Hopefully you are asking about something else.. If I prayed it would be that you didn't implement this, it causes the whole authentication process for every single request.. which turns out slows down every page load.. no matter how many aggregations/hacks/workarounds you implement.. it was just a bad idea, but once you start or tell a manager about it, they really love it because it saves them having to login again.. oh, they will still complain about speed, but..
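
One way to consume the server-supplied identity more strictly than a bare AUTH_USER check, added here as an example and not part of the original answer. The accepted AUTH_TYPE values, the domain allow-list, and the function names parse_principal and authenticated_user are assumptions to confirm against the actual IIS setup; a Negotiate result may be NTLM rather than Kerberos, so this check alone does not prove a Kerberos ticket was used.

```php
<?php
// Added example (not from the answer). Assumes IIS has already authenticated
// the request and set AUTH_USER / AUTH_TYPE; length limits here are arbitrary.

/** Parse "DOMAIN\user" or "user@realm"; return null for anything else. */
function parse_principal(string $raw): ?array
{
    if (preg_match('#^([A-Za-z0-9._-]{1,64})\\\\([^\\\\/@\x00-\x1f]{1,64})\z#', $raw, $m)) {
        return ['domain' => strtoupper($m[1]), 'account' => strtolower($m[2])];
    }
    if (preg_match('#^([^\\\\/@\x00-\x1f]{1,64})@([A-Za-z0-9.-]{1,64})\z#', $raw, $m)) {
        return ['domain' => strtoupper($m[2]), 'account' => strtolower($m[1])];
    }
    return null;
}

/** Return the validated identity, or null so the caller fails closed. */
function authenticated_user(array $server, array $allowedTypes, array $allowedDomains): ?array
{
    $type = $server['AUTH_TYPE'] ?? '';
    $raw  = $server['AUTH_USER'] ?? '';
    if (!is_string($type) || !is_string($raw) || $raw === '') {
        return null;                       // server did not authenticate anyone
    }
    if (!in_array(strtolower($type), $allowedTypes, true)) {
        return null;                       // e.g. refuse a Basic fallback
    }
    $p = parse_principal($raw);
    if ($p === null || !in_array($p['domain'], $allowedDomains, true)) {
        return null;                       // malformed name or unexpected domain
    }
    return $p;
}

// Constructed sample inputs; EXAMPLE, OTHER and jdoe are placeholders.
$samples = [
    ['AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'EXAMPLE\\jdoe'],  // domain account
    ['AUTH_TYPE' => 'Basic',     'AUTH_USER' => 'EXAMPLE\\jdoe'],  // scheme not listed
    ['AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => ''],               // no user set
    ['AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'OTHER\\jdoe'],    // domain not listed
];
foreach ($samples as $s) {
    $u = authenticated_user($s, ['negotiate', 'kerberos'], ['EXAMPLE']);
    echo $s['AUTH_TYPE'], ' / "', $s['AUTH_USER'], '" => ',
        $u ? $u['domain'] . '\\' . $u['account'] : 'rejected', PHP_EOL;
}
```

If the server reports UPN-style names (user@realm), the allow-list needs the realm in upper case rather than the short domain name.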

Not a free software solution - Google the keyword 'Plexcel'

There's a krb5 module for PHP. It has a PECL entry although no packaging yet. You can find out more about it here:

http://mbechler.eenterphace.org/blog/index.php?/archives/12-php_krb5-releases.html
