当前位置:theitroad>使用 PHP 中的 LDAP 对用户进行身份验证

使用 PHP 中的 LDAP 对用户进行身份验证

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/546438/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-08-24 23:03:06  来源:igfitidea点击:

Authenticating user using LDAP from PHP

phpauthenticationldap

提问by Stefan Gehrig

My project is to make a module enrollment system for our university. So I contacted the IT people in my university for details to authenticate the students into the system. We are developing the system using the existing university login. They gave me some LDAP information, I don't know the usage of that. I'm using PHP,Mysql on an Apacha server. How can I authenticate a user logging into my system, given his userid and password with the LDAP information.

我的项目是为我们大学制作一个模块招生系统。所以我联系了我大学的 IT 人员了解详细信息,以验证学生进入系统的身份。我们正在使用现有的大学登录来开发系统。他们给了我一些 LDAP 信息,我不知道它的用途。我在 Apacha 服务器上使用 PHP、Mysql。给定用户 ID 和密码以及 LDAP 信息,我如何验证登录到我的系统的用户。

Given below is the LDAP information(i have changed the domain name etc.)

下面给出的是 LDAP 信息(我已经更改了域名等)

LDAP information for blueroom.ac.uk domain

blueroom.ac.uk 域的 LDAP 信息 

LDAP Host : ad.blueroom.ac.uk

LDAP port no: 389

BASE DN : ou=bluebird, dc=bluebird, dc=ac, dc=my

LDAP account to bind : cn = kikdap, ou=servacc, dc=bluebird,dc=ac,dc=uk

LDAP account password : ********

Attribute : sAMAccountName

回答by Stefan Gehrig

The general procedure would be (relevant ext/ldap php commands in brackets):

一般程序是(括号中的相关 ext/ldap php 命令):

  1. connect to LDAP server using the "LDAP Host" and "LDAP port no" (ldap_connect()) and set the correct connection options (ldap_set_option()), especially LDAP_OPT_PROTOCOL_VERSIONand LDAP_OPT_REFERRALS

  2. bind to LDAP server using the "LDAP account to bind" and "LDAP account password" (ldap_bind()) - if you're authenticating against an Active Directory server you can directly use the username and password from the login page and skip all the following steps.

  3. search the tree for a matching user entry/object by specifing the "BASE DN" and the appropriate LDAP filter - most likely something like (&(objectClass=user)(sAMAccountName=%s))where %sshould be replaced by the username to be authenticated (ldap_search())

  4. check if the number of returned entries is 1 (if <> 1 then something has gone wrong, e.g. no user found or multiple users found)

  5. retrive the distinguished name (DN) of this single entry (ldap_get_dn())

  6. use the DN found in the last step to try to bind to the LDAP server with the password given at the authentication page (ldap_bind())

  7. if the bind succeeds then everything is OK, if not, most likely the password is wrong

  1. 使用“LDAP 主机”和“LDAP 端口号”(ldap_connect())连接到 LDAP 服务器并设置正确的连接选项(ldap_set_option()),尤其是LDAP_OPT_PROTOCOL_VERSIONLDAP_OPT_REFERRALS

  2. 使用“要绑定的 LDAP 帐户”和“LDAP 帐户密码”( ldap_bind())绑定到 LDAP 服务器- 如果您针对 Active Directory 服务器进行身份验证,则可以直接使用登录页面中的用户名和密码并跳过所有以下步骤。

  3. 通过指定“BASE DN”和适当的 LDAP 过滤器,在树中搜索匹配的用户条目/对象 - 很可能类似于(&(objectClass=user)(sAMAccountName=%s))where%s应该替换为要进行身份验证的用户名(ldap_search()

  4. 检查返回的条目数是否为 1(如果 <> 1 则出现问题,例如未找到用户或找到多个用户)

  5. 检索此单个条目的专有名称 (DN) ( ldap_get_dn())

  6. 使用在最后一步中找到的 DN 尝试使用身份验证页面 ( ldap_bind()) 中给出的密码绑定到 LDAP 服务器

  7. 如果绑定成功,则一切正常,否则,很可能密码错误

It's really not as hard as it sounds at first. Generally I'd propose to use some sort of standard library for authenticating against a LDAP server such as the Net_LDAP2PEAR package or Zend_Ldapout of the Zend Framework. I have no experience with actually using Net_LDAP2(although I know the code quite well) but Zend_Ldapworks very well against Active Directory servers or ADAMS servers (which is obviously what you're working with).

这真的不像一开始听起来那么难。一般来说,我会建议使用某种针对LDAP服务器认证标准库的,如Net_LDAP2PEAR包或Zend_Ldap出的Zend框架。我没有实际使用的经验Net_LDAP2(虽然我非常了解代码),但Zend_Ldap在 Active Directory 服务器或 ADAMS 服务器(这显然是您正在使用的服务器)上运行良好。

This will do the trick using Zend_Ldap:

这将使用以下方法解决问题Zend_Ldap

$options = array(
    'host'                 => 'ad.blueroom.ac.uk',
    'useStartTls'          => true,
    'accountDomainName'    => 'blueroom.ac.uk',
    'accountCanonicalForm' => 4,
    'baseDn'               => 'ou=bluebird,dc=bluebird,dc=ac,dc=my',
);
$ldap = new Zend_Ldap($options);
try {
    $ldap->bind('user', 'password');
} catch (Zend_Ldap_Exception $e) {
    // something failed - inspect $e
}
// bind successful
$acctname = $ldap->getCanonicalAccountName('user', Zend_Ldap::ACCTNAME_FORM_DN);

回答by Emil Sit

You might try http://code.activestate.com/recipes/101525/while referring to http://us3.php.net/ldapand other results from a Google search for [php ldap authentication].

您可以尝试http://code.activestate.com/recipes/101525/同时参考http://us3.php.net/ldap和其他来自 Google 搜索[php ldap authentication] 的结果

回答by PHPst

@Stephen provided good points. Here is my plain PHP code to authenticate using AD:

@Stephen 提供了很好的观点。这是我使用 AD 进行身份验证的纯 PHP 代码:

  1. first you need to know this parameters: server host, user domain (you need also base dn if you want query AD).

  2. use the following code:

    $ldap = ldap_connect($host); // e.g. 165.5.54.6 or an URL
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // Recommended for AD
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($ldap, $username.'@'.$userDomain, $passwrod);

if($bind){
// successful authentication. 
}
  1. 首先你需要知道这个参数:服务器主机,用户域(如果你想查询AD,你还需要base dn)。

  2. 使用以下代码:

    $ldap = ldap_connect($host); // e.g. 165.5.54.6 or an URL
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // Recommended for AD
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($ldap, $username.'@'.$userDomain, $passwrod);

if($bind){
// successful authentication. 
}

回答by damko

you could use http://pear.php.net/package/Net_LDAP2/docsit's nice and works.

你可以使用http://pear.php.net/package/Net_LDAP2/docs,它很好用。

Example of connection taken by the doc:

文档采用的连接示例:

// Inclusion of the Net_LDAP2 package:
require_once 'Net/LDAP.php';

// The configuration array:
$config = array (
    'binddn'    => 'cn=admin,ou=users,dc=example,dc=org',
    'bindpw'    => 'password',
    'basedn'    => 'dc=example,dc=org',
    'host'      => 'ldap.example.org'
);

// Connecting using the configuration:
$ldap = Net_LDAP2::connect($config);

// Testing for connection error
if (PEAR::isError($ldap)) {
    die('Could not connect to LDAP-server: '.$ldap->getMessage());
}

相关推荐

php 获取带有绑定参数的 PDO 查询字符串而不执行它

php 获取带有绑定参数的 PDO 查询字符串而不执行它

php 缺少扩展 mysqli,phpmyadmin 不起作用

php 缺少扩展 mysqli,phpmyadmin 不起作用

php - 如何强制下载文件?

php - 如何强制下载文件?

如何使用 PHP 从字符串中删除子字符串?

如何使用 PHP 从字符串中删除子字符串?

相关推荐
最近更新
标签