apache 在使用 IE/Firefox 时使用 PHP、活动目录对 ldap 进行身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1527735/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Authenticate against ldap using PHP, active directory, while using IE/Firefox
提问by Brad
This code below checks for the user's credentials against ldap
下面的代码根据 ldap 检查用户的凭据
<?php
$ldaphost = "ldap.domain.com";
$ldapport = 389;
$ds = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to $ldaphost");
if ($ds)
{
$username = "[email protected]";
$upasswd = "pass";
$ldapbind = ldap_bind($ds, $username, $upasswd);
if ($ldapbind)
{print "Congratulations! $username is authenticated.";}
else
{print "Access Denied!";}
}
?>
My users use Firefox and IE, and I know that can pass their ActiveDirectory credentials seamlessly.
我的用户使用 Firefox 和 IE,我知道它们可以无缝地传递他们的 ActiveDirectory 凭据。
I just want to check the AD group to see if that username is found in there, if so, display the page, otherwise prompt to enter in credentials.
我只想检查 AD 组以查看是否在其中找到了该用户名,如果是,则显示该页面,否则提示输入凭据。
Since our users are already logged into the domain controller, I want to grab their username, check to see if it was found in the specific group, then let them in, otherwise prompt user to input credentials. How is this possible?
由于我们的用户已经登录到域控制器,我想获取他们的用户名,检查是否在特定组中找到它,然后让他们进入,否则提示用户输入凭据。这怎么可能?
回答by Stefan Gehrig
You actually do not need to communicate with the Active Directory server from your PP code to achieve what you want given the fact that you use IIS as your web server.
鉴于您使用 IIS 作为 Web 服务器这一事实,您实际上不需要通过 PP 代码与 Active Directory 服务器通信来实现您想要的。
The key word here is Integrated Windows Authentication- that's the wording djn looked for. If this option is turned on (and anonymous access is denied) IIS will check the supplied credentials against the Active Directory and the NTFS filesystem privileges of the requested resources. You can therefore control access to your files using simple NTFS access control mechanisms.
这里的关键词是集成 Windows 身份验证- 这就是 djn寻找的措辞。如果启用此选项(并且拒绝匿名访问),IIS 将根据 Active Directory 和所请求资源的 NTFS 文件系统权限检查提供的凭据。因此,您可以使用简单的 NTFS 访问控制机制来控制对文件的访问。
If your users use IE they even don't have to type in their credentials as this is done automatically via so called SPNEGO(Simple and Protected GSSAPI Negotiation Mechanism) and its underlying mechanisms Kerberosor NTLMSSPdepending on what your client and server is capable of processing.
如果您的用户使用 IE,他们甚至不必输入他们的凭据,因为这是通过所谓的SPNEGO(简单且受保护的 GSSAPI 协商机制)及其底层机制Kerberos或NTLMSSP 自动完成的,具体取决于您的客户端和服务器的功能加工。
As far as I know Firefox is able to hand over the Windows logon credentials to your server automatically too. You ony have to adjust a configuration optionto turn on that feature - don't know if this information is still valid with Firefox 3.5.x.
据我所知,Firefox 也能够自动将 Windows 登录凭据移交给您的服务器。您只需调整配置选项即可打开该功能 - 不知道此信息是否对 Firefox 3.5.x 仍然有效。
If you're running Apache on a *nix-system you'll have to resort to some server-side-module to handle a Integrated Windows Authentication-like system. Possible options are (don't know whether they are actually still maintained or stable):
如果你在 *nix 系统上运行 Apache,你将不得不求助于一些服务器端模块来处理一个类似集成 Windows 身份验证的系统。可能的选项是(不知道它们是否实际上仍然维护或稳定):
For Apache on Windows there are:
对于 Windows 上的 Apache,有:
mod_ntlm(outdated; not the same asmod_ntlmabove)mod_auth_sspi(successor ofmod_ntlm)
mod_ntlm(过时;与mod_ntlm上述不同)mod_auth_sspi(的继任者mod_ntlm)
Please be aware that most of these modules seem to be very old.
请注意,这些模块中的大多数似乎都很旧。
回答by djn
Working just now on a similar setup: I skipped all of that LDAP stuff having the web server authenticating the client with AD before letting him in (sorry, I can't remember what's this called in the M$ alternate universe).
刚刚在类似的设置上工作:我跳过了所有 LDAP 内容,让 Web 服务器在让 AD 进入客户端之前对客户端进行身份验证(抱歉,我不记得在 M$ 替代宇宙中这叫什么)。
If the client reaches the PHP script he's in AD and I have his username both in $_SERVER["AUTH_USER"]and in $_SERVER["LOGON_USER"], otherwise he never gets to the script.
如果客户端访问他在 AD 中的 PHP 脚本,并且我在$_SERVER["AUTH_USER"]和 中都有他的用户名$_SERVER["LOGON_USER"],否则他永远不会访问脚本。
