
How does single sign-on (SSO) work with PHP + Apache against an Active Directory for transparent authentication?

I need to get more understanding about SSO on a web app against Active Directory.

To simply ask the user for the login to authenticate on AD, I know that I can use some libraries like Zend_Ldap, adLdap and so on. But in this case, the user still needs to type the login twice. For example: Authenticate against Active Directory/ISA from php

Afaik, to use SSO for transparent login, I need to implement an extra apache module. For example: How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?

Authenticate against ldap using PHP, active directory, while using IE/Firefox

First I need to know which apache module I need to use and why. In this article for example there are three: mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM. And the chosen one was Apache2:AuthenNTLM.

In the question described above the accepted answer was for mod_auth_sspi.

When talking about Active Directory I've got this answer, which describes active directory as an implementation of ldap + kerberos + "a few other miscellaneous bits and pieces".

I'm very confused about all these names, since I've never worked with it. Can someone clarify it to me? (ldap, kerberos, ntlm, sspi etc.)

Finally, can someone point me to how the app recognizes the authenticated user (from AD)? Is it just by the username passed with something like $_SERVER['REMOTE_USER']? Is any password sent? How does the browser send these extra headers? Is there any local configuration that needs to be done on each workstation?

Authentication is a confusing mess. Here is some background.

  • LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).

  • NTLM: NTLM is Microsoft's SSO built into IE, ActiveDirectory and IIS. The original version of NTLM is very insecure so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.

  • Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) authentication. ActiveDirectory supports a version of Kerberos.

As far as the Apache modules that can be used to implement these protocols, you included a pretty good list of them.

  • mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).

  • mod_auth_kerb: This is an Apache module that implements Kerberos.

  • mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).

  • Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.

  • mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.
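An added example, not from the question or either answer, of the last part of the question: how a PHP app behind a Kerberos module such as mod_auth_kerb consumes the identity Apache has already verified. It assumes the module sets AUTH_TYPE to "Negotiate" on a successful SPNEGO exchange, and EXAMPLE.COM is a placeholder realm.

```php
<?php
// Added example. Apache (mod_auth_kerb or similar) has validated the Kerberos
// ticket before PHP runs; the app never sees a password, only the principal
// that Apache exports as REMOTE_USER. The app's job is to trust that value
// only when it came from the Kerberos module and belongs to the expected realm.
// EXAMPLE.COM is an assumed placeholder realm.

function authenticatedUser(array $server, string $expectedRealm): ?string
{
    // If the location is not protected, REMOTE_USER is unset. Also require
    // that the module reports the Negotiate (SPNEGO/Kerberos) mechanism, so a
    // fallback to Basic or a misconfigured vhost does not pass silently.
    if (empty($server['REMOTE_USER']) || ($server['AUTH_TYPE'] ?? '') !== 'Negotiate') {
        return null;
    }

    // Kerberos principals have the form user@REALM. Realm names are
    // case-sensitive, so compare them exactly.
    $parts = explode('@', $server['REMOTE_USER'], 2);
    if (count($parts) !== 2 || $parts[1] !== $expectedRealm) {
        return null;
    }

    // Keep only a conservative character set before using the name as a key
    // into the app's own user table or for display.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $parts[0])) {
        return null;
    }
    return strtolower($parts[0]);
}

// Constructed sample request environments for demonstration.
$samples = [
    'kerberos ok'   => ['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'jdoe@EXAMPLE.COM'],
    'wrong realm'   => ['AUTH_TYPE' => 'Negotiate', 'REMOTE_USER' => 'jdoe@OTHER.COM'],
    'basic fallback'=> ['AUTH_TYPE' => 'Basic',     'REMOTE_USER' => 'jdoe@EXAMPLE.COM'],
    'not protected' => [],
];
foreach ($samples as $label => $env) {
    $user = authenticatedUser($env, 'EXAMPLE.COM');
    printf("%-15s -> %s\n", $label, $user ?? 'deny');
}
```

Only the first sample yields a user; the browser obtains the ticket from the workstation's domain logon, which is why no password ever reaches PHP.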

Single-Sign-On and Shared-Authentication are related, but different, concepts. I think you may be confusing them. If you want true SSO, look into CAS.

LDAP and AD are protocols for storing users and organisation data. They are not useful for doing the actual authentication over web, but you can use them behind an SSO (such as CAS), as the "database".
