Seamless SSO authenticating against Active Directory

I have a webpage that I only want a specific group to log into.

I work at a college and we use Active Directory accounts and only a certain group can access this PHP page (on Apache server).

I know I can restrict access with some PHP code, but I want to accomplish seamless login.

Everyone uses IE7 at work (which is configured to pass the proper credentials), and is required to log into the computer (which logs them into the domain controller).

When the user goes to http://intranet, they will automatically be logged in, since they logged into their computer earlier.

If a user goes to http://intranet.domain.com, it will prompt them for their credentials.

I know I need to use Kerberos for authentication and LDAP for authorization.

Has anyone had success at seamless authentication?

There are commercial products that offer this as Apache modules, see the links at the end of the Wikipedia article on SPNEGO (e.g. Guide to SPNEGO with Apache). I know also of some PHP modules like php_krb5: php_krb5 beta / Negotiate auth with GSSAPI for PHP, or Apache modules like mod_auth_kerb. I never used them myself though.

As for going the whole 9 yards and implementing Negotiate auth in PHP, I did implement in my life RFC 2617 in PHP for Digest HTTP auth and I did implement Windows SSPI authentication modules, but I never tried to implement RFC 4559 in PHP. While the HTTP auth part is fairly trivial, the opaque GSS-API part is daunting, even provided you have a good GSS-API library at your disposal for RFC 2743.

This is because you need to add intranet.domain.local to the Local Intranet zone in IE. Check this article for details: http://www.sysadminlab.net/other/local-intranet-zone-in-ie8-exaplained-for-sysadmins
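
The HTTP half of RFC 4559 mentioned in the answers above, as an added example (not code from any of the posters): it parses an `Authorization: Negotiate` header and reports whether the browser sent a GSS-API token (SPNEGO or bare Kerberos) or a raw NTLM message, which is worth checking when SSO prompts or the user name never arrives. It does not validate the token, which is the GSS-API part; the function name and the sample headers are constructed for illustration.

```php
<?php
// Added example: classify the token carried in "Authorization: Negotiate <base64>".
// classifyNegotiateHeader() is a hypothetical helper, not part of any module named above.

const OID_SPNEGO   = "\x06\x06\x2b\x06\x01\x05\x05\x02";             // 1.3.6.1.5.5.2
const OID_KERBEROS = "\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"; // 1.2.840.113554.1.2.2

function classifyNegotiateHeader(?string $header): string
{
    if ($header === null
        || !preg_match('/^Negotiate\s+([A-Za-z0-9+\/=]+)\s*$/i', $header, $m)) {
        return 'none';      // no token yet: answer 401 with "WWW-Authenticate: Negotiate"
    }
    $token = base64_decode($m[1], true);
    if ($token === false || strlen($token) < 8) {
        return 'malformed';
    }
    if (strncmp($token, "NTLMSSP\0", 8) === 0) {
        return 'ntlm';      // raw NTLM message: the client did not use a Kerberos ticket
    }
    if ($token[0] !== "\x60") {
        return 'unknown';   // a GSS-API initial token starts with ASN.1 [APPLICATION 0]
    }
    // Skip the DER length: short form is one byte, long form is 0x80|n plus n bytes.
    $len = ord($token[1]);
    $pos = 2 + (($len & 0x80) ? ($len & 0x7f) : 0);
    $mech = substr($token, $pos, strlen(OID_KERBEROS));
    if (strncmp($mech, OID_SPNEGO, strlen(OID_SPNEGO)) === 0) {
        return 'spnego';
    }
    if (strncmp($mech, OID_KERBEROS, strlen(OID_KERBEROS)) === 0) {
        return 'kerberos';
    }
    return 'unknown';
}

// Constructed sample headers: token prefixes only, not real tickets.
$samples = [
    'no header' => null,
    'NTLM'      => 'Negotiate ' . base64_encode("NTLMSSP\0\x01\x00\x00\x00"),
    'SPNEGO'    => 'Negotiate ' . base64_encode("\x60\x82\x05\x10" . OID_SPNEGO . "\xa0\x82"),
    'Kerberos'  => 'Negotiate ' . base64_encode("\x60\x40" . OID_KERBEROS . "\x01\x00"),
];
foreach ($samples as $label => $header) {
    printf("%-10s => %s\n", $label, classifyNegotiateHeader($header));
}
```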
