在使用IE / Firefox时使用PHP,活动目录对ldap进行身份验证
[英]Authenticate against ldap using PHP, active directory, while using IE/Firefox
问题描述
This code below checks for the user's credentials against ldap 
下面的代码检查用户对ldap的凭据
<?php
$ldaphost = "ldap.domain.com";
$ldapport = 389;
$ds = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to $ldaphost");
if ($ds)
{
$username = "johndoe@domain.com";
$upasswd = "pass";
$ldapbind = ldap_bind($ds, $username, $upasswd);
if ($ldapbind)
{print "Congratulations! $username is authenticated.";}
else
{print "Access Denied!";}
}
?>
My users use Firefox and IE, and I know that can pass their ActiveDirectory credentials seamlessly. 我的用户使用Firefox和IE,我知道可以无缝传递他们的ActiveDirectory证书。
I just want to check the AD group to see if that username is found in there, if so, display the page, otherwise prompt to enter in credentials. 我只想检查AD组以查看是否在那里找到该用户名,如果是,则显示该页面,否则提示输入凭据。
Since our users are already logged into the domain controller, I want to grab their username, check to see if it was found in the specific group, then let them in, otherwise prompt user to input credentials. 由于我们的用户已经登录到域控制器,我想获取他们的用户名,检查是否在特定组中找到它,然后让他们进入,否则提示用户输入凭据。 How is this possible? 这怎么可能?
2 个解决方案
解决方案1
8 已采纳 2009-10-07 09:22:29
You actually do not need to communicate with the Active Directory server from your PP code to achieve what you want given the fact that you use IIS as your web server. 实际上,您不需要使用PP代码与Active Directory服务器通信,以实现您希望使用IIS作为Web服务器的事实。
The key word here is Integrated Windows Authentication - that's the wording djn looked for . 这里的关键词是集成Windows身份验证 - 这是djn 寻找的措辞。 If this option is turned on (and anonymous access is denied) IIS will check the supplied credentials against the Active Directory and the NTFS filesystem privileges of the requested resources. 如果启用此选项(并拒绝匿名访问),IIS将根据Active Directory检查提供的凭据以及所请求资源的NTFS文件系统特权。 You can therefore control access to your files using simple NTFS access control mechanisms. 因此,您可以使用简单的NTFS访问控制机制来控制对文件的访问。
If your users use IE they even don't have to type in their credentials as this is done automatically via so called SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) and its underlying mechanisms Kerberos or NTLMSSP depending on what your client and server is capable of processing. 如果您的用户使用IE,他们甚至不必输入他们的凭据,因为这是通过所谓的SPNEGO (简单和受保护的GSSAPI协商机制)及其底层机制Kerberos或NTLMSSP自动完成的,具体取决于您的客户端和服务器的能力处理。
As far as I know Firefox is able to hand over the Windows logon credentials to your server automatically too. 据我所知,Firefox也能够自动将Windows登录凭据交给您的服务器。 You ony have to adjust a configuration option to turn on that feature - don't know if this information is still valid with Firefox 3.5.x. 您必须调整配置选项才能启用该功能 - 不知道此信息在Firefox 3.5.x中是否仍然有效。
If you're running Apache on a *nix-system you'll have to resort to some server-side-module to handle a Integrated Windows Authentication -like system. 如果您在* nix系统上运行Apache,则必须使用某些服务器端模块来处理类似于集成Windows身份验证的系统。 Possible options are (don't know whether they are actually still maintained or stable): 可能的选项是(不知道它们实际上是否仍然保持或稳定):
For Apache on Windows there are: 对于Windows上的Apache,有:
-
mod_ntlm(outdated; not the same asmod_ntlmabove)mod_ntlm(过时;与上面的mod_ntlm) -
mod_auth_sspi(successor ofmod_ntlm)mod_auth_sspi(mod_ntlm后继者)
Please be aware that most of these modules seem to be very old. 请注意,大多数这些模块似乎都很老。
解决方案2
1 2009-10-06 22:27:24
Working just now on a similar setup: I skipped all of that LDAP stuff having the web server authenticating the client with AD before letting him in (sorry, I can't remember what's this called in the M$ alternate universe). 刚刚在类似的设置上工作:我跳过所有那些让Web服务器用AD验证客户端的LDAP内容,然后让他进去(对不起,我不记得在M $备用宇宙中这叫做什么)。
If the client reaches the PHP script he's in AD and I have his username both in $_SERVER["AUTH_USER"] and in $_SERVER["LOGON_USER"] , otherwise he never gets to the script. 如果客户端到达PHP脚本,他在AD中,我的用户名都在$_SERVER["AUTH_USER"]和$_SERVER["LOGON_USER"] ,否则他永远不会访问脚本。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.