How does single sign-on (SSO) work with PHP + Apache against an Active Directory for transparent authentication?
Disclaimer: this page is a parallel Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise comply with CC BY-SA, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/4259768/
Asked by Keyne Viana
I need to get more understanding about SSO on a web app against Active Directory.
To simply ask the user for a login to authenticate against AD, I know that I can use some libraries like Zend_Ldap, adLdap and so on. But in this case, the user still needs to type the login twice.
For example: Authenticate against Active Directory/ISA from php
Afaik, to use SSO for transparent login, I need to implement an extra Apache module.
For example:
How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?
Authenticate against ldap using PHP, active directory, while using IE/Firefox
First I need to know which Apache module I need to use and why.
In this article, for example, there are three: mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM.
And the chosen one was Apache2:AuthenNTLM.
In the question described above the accepted answer was for mod_auth_sspi.
When talking about Active Directory I've got this answer, which describes Active Directory as an implementation of ldap + kerberos + "a few other miscellaneous bits and pieces".
I'm very confused about all these names, since I've never worked with them.
Can someone clarify it for me? (ldap, kerberos, ntlm, sspi etc.)
Finally, can someone point me to how the app recognizes the authenticated user (from AD). Is it just by the username passed with something like $_SERVER['REMOTE_USER']? Is any password sent? How does the browser send these extra headers? Is there any local configuration that needs to be done on each workstation?
Answered by kswan
Authentication is a confusing mess. Here is some background.
LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).
NTLM: NTLM is Microsoft's SSO built into IE, ActiveDirectory and IIS. The original version of NTLM is very insecure so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.
Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) Authentication. ActiveDirectory supports a version of Kerberos.
As far as the Apache modules that can be used to implement these protocols, you included a pretty good list of them.
mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).
mod_auth_kerb: This is an Apache module that implements Kerberos.
mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).
Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.
mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.
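As an added example (not part of the original question or answers), here is how a PHP application behind Apache's mod_auth_kerb would pick up the identity the module establishes, which addresses the questioner's "$_SERVER['REMOTE_USER']" and "is any password sent?" points. The Apache directives shown in the leading comment are real mod_auth_kerb directives; the realm name EXAMPLE.LOCAL, the keytab path and the /intranet location are assumptions for illustration.

```php
<?php
// Added example: consuming the identity set by Apache mod_auth_kerb.
// Assumed Apache configuration for the protected location. Negotiate (SPNEGO)
// only; KrbMethodK5Passwd Off disables the Basic-auth fallback, so the browser
// never sends a password to the web server, only a Kerberos service ticket:
//
//   <Location "/intranet">
//       AuthType Kerberos
//       AuthName "Intranet"
//       KrbMethodNegotiate On
//       KrbMethodK5Passwd Off
//       KrbAuthRealms EXAMPLE.LOCAL
//       Krb5Keytab /etc/apache2/http.keytab
//       Require valid-user
//   </Location>
//
// After the module validates the ticket it sets REMOTE_USER (e.g.
// "jdoe@EXAMPLE.LOCAL") and AUTH_TYPE ("Kerberos"). Both are server variables
// written by Apache, not request headers, so the client cannot forge them.
// EXAMPLE.LOCAL is an assumed realm name.

declare(strict_types=1);

const EXPECTED_REALM = 'EXAMPLE.LOCAL';   // assumed AD Kerberos realm

/**
 * Return the AD account name (lower-cased) for the authenticated request,
 * or null if Apache did not authenticate it with the Kerberos module.
 *
 * Only REMOTE_USER / AUTH_TYPE are trusted. Anything under HTTP_* is a
 * request header supplied by the browser and must never be used as identity.
 */
function currentAdUser(array $server): ?string
{
    if (($server['AUTH_TYPE'] ?? '') !== 'Kerberos') {
        return null;                         // not authenticated by mod_auth_kerb
    }
    $principal = $server['REMOTE_USER'] ?? '';

    // Kerberos principal name: user@REALM
    if (!preg_match('/^([A-Za-z0-9._-]+)@([A-Z0-9.-]+)$/', $principal, $m)) {
        return null;                         // unexpected shape, refuse rather than guess
    }
    [, $user, $realm] = $m;

    // With cross-realm trusts a ticket may come from another realm; only
    // accept principals from the realm this app is meant to serve.
    if ($realm !== EXPECTED_REALM) {
        return null;
    }
    return strtolower($user);
}

// Usage inside the protected application
$user = currentAdUser($_SERVER);
if ($user === null) {
    http_response_code(401);
    exit('Not authenticated');
}
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

If you prefer Apache to hand PHP a bare account name, mod_auth_kerb's `KrbLocalUserMapping On` strips the realm from REMOTE_USER; the realm check above then has to be dropped, so keep `KrbAuthRealms` restricted to the realm you trust. The PHP side must also be unreachable without passing through the protected `<Location>`, otherwise REMOTE_USER is simply unset and the function correctly returns null.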
Answered by troelskn
Single-Sign-On and Shared-Authentication are related, but different, concepts. I think you may be confusing them. If you want true SSO, look in to CAS.
LDAP and AD are protocols for storing users and organisation data. They are not useful for doing the actual authentication over web, but you can use them behind an SSO (Such as CAS), as the "database".