[英]Authenticating in PHP using LDAP through Active Directory
I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider).我正在寻找一种通过 LDAP 和 PHP 对用户进行身份验证的方法(Active Directory 是提供者)。 Ideally, it should be able to run on IIS 7 ( adLDAP does it on Apache).
理想情况下,它应该能够在 IIS 7 上运行( adLDAP在 Apache 上运行)。 Anyone had done anything similar, with success?
有人做过类似的事情,成功了吗?
Importing a whole library seems inefficient when all you need is essentially two lines of code...当您只需要两行代码时,导入整个库似乎效率低下......
$ldap = ldap_connect("ldap.example.com");
if ($bind = ldap_bind($ldap, $_POST['username'], $_POST['password'])) {
// log them in!
} else {
// error message
}
You would think that simply authenticating a user in Active Directory would be a pretty simple process using LDAP in PHP without the need for a library.您会认为在 Active Directory 中简单地对用户进行身份验证将是一个在 PHP 中使用 LDAP 的非常简单的过程,而无需库。 But there are a lot of things that can complicate it pretty fast:
但是有很多事情会很快使它复杂化:
It's actually easier in most cases to use a LDAP library supporting the above.在大多数情况下,使用支持上述内容的 LDAP 库实际上更容易。 I ultimately ended up rolling my own library which handles all the above points: LdapTools (Well, not just for authentication, it can do much more).
我最终推出了自己的库来处理上述所有问题: LdapTools (嗯,不仅仅是用于身份验证,它还可以做更多事情)。 It can be used like the following:
它可以像下面这样使用:
use LdapTools\Configuration;
use LdapTools\DomainConfiguration;
use LdapTools\LdapManager;
$domain = (new DomainConfiguration('example.com'))
->setUsername('username') # A separate AD service account used by your app
->setPassword('password')
->setServers(['dc1', 'dc2', 'dc3'])
->setUseTls(true);
$config = new Configuration($domain);
$ldap = new LdapManager($config);
if (!$ldap->authenticate($username, $password, $message)) {
echo "Error: $message";
} else {
// Do something...
}
The authenticate call above will:上面的身份验证调用将:
There are other libraries to do this too (Such as Adldap2).还有其他库也可以执行此操作(例如 Adldap2)。 However, I felt compelled enough to provide some additional information as the most up-voted answer is actually a security risk to rely on with no input validation done and not using TLS.
但是,我觉得有必要提供一些额外的信息,因为投票最多的答案实际上是一个安全风险,在没有完成输入验证并且不使用 TLS 的情况下依赖。
I do this simply by passing the user credentials to ldap_bind().我只是通过将用户凭据传递给 ldap_bind() 来做到这一点。
http://php.net/manual/en/function.ldap-bind.php http://php.net/manual/en/function.ldap-bind.php
If the account can bind to LDAP, it's valid;如果账号可以绑定LDAP,则有效; if it can't, it's not.
如果不能,那就不是。 If all you're doing is authentication (not account management), I don't see the need for a library.
如果您所做的只是身份验证(而不是帐户管理),那么我认为不需要图书馆。
我喜欢Zend_Ldap类,你可以在你的项目中只使用这个类,而不需要 Zend 框架。
PHP has libraries: http://ca.php.net/ldap PHP 有库: http ://ca.php.net/ldap
PEAR also has a number of packages: http://pear.php.net/search.php?q=ldap&in=packages&x=0&y=0 PEAR 还有很多包: http ://pear.php.net/search.php?q=ldap&in=packages&x=0&y=0
I haven't used either, but I was going to at one point and they seemed like they should work.我也没有使用过,但我打算在某个时候使用它们,它们似乎应该可以工作。
For those looking for a complete example check out http://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/ .对于那些寻找完整示例的人,请查看http://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/ 。
I have tested this connecting to both Windows Server 2003 and Windows Server 2008 R2 domain controllers from a Windows Server 2003 Web Server (IIS6) and from a windows server 2012 enterprise running IIS 8.我已经测试了从 Windows Server 2003 Web Server (IIS6) 和运行 IIS 8 的 Windows Server 2012 企业到 Windows Server 2003 和 Windows Server 2008 R2 域控制器的连接。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.