通过 Active Directory 使用 LDAP 在 PHP 中进行身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/171519/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Authenticating in PHP using LDAP through Active Directory
提问by DV.
I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAPdoes it on Apache). Anyone had done anything similar, with success?
我正在寻找一种通过 LDAP 使用 PHP 对用户进行身份验证的方法(Active Directory 作为提供者)。理想情况下,它应该能够在 IIS 7 上运行(adLDAP在 Apache 上运行)。有没有人做过类似的事情,成功了?
- Edit: I'd prefer a library/class with code that's ready to go... It'd be silly to invent the wheel when someone has already done so.
- 编辑:我更喜欢一个带有准备好的代码的库/类......当有人已经这样做时发明轮子是愚蠢的。
回答by ceejayoz
Importing a whole library seems inefficient when all you need is essentially two lines of code...
当您只需要两行代码时,导入整个库似乎效率低下...
$ldap = ldap_connect("ldap.example.com");
if ($bind = ldap_bind($ldap, $_POST['username'], $_POST['password'])) {
// log them in!
} else {
// error message
}
回答by ChadSikorra
You would think that simply authenticating a user in Active Directory would be a pretty simple process using LDAP in PHP without the need for a library. But there are a lot of things that can complicate it pretty fast:
您会认为在 Active Directory 中简单地对用户进行身份验证将是一个非常简单的过程,在 PHP 中使用 LDAP 而无需库。但是有很多事情会使它很快变得复杂:
- You must validate input. An empty username/password would pass otherwise.
- You should ensure the username/password is properly encoded when binding.
- You should be encrypting the connection using TLS.
- Using separate LDAP servers for redundancy in case one is down.
- Getting an informative error message if authentication fails.
- 您必须验证输入。否则将通过空的用户名/密码。
- 您应该确保在绑定时正确编码用户名/密码。
- 您应该使用 TLS 加密连接。
- 使用单独的 LDAP 服务器作为冗余,以防其中一台服务器宕机。
- 如果身份验证失败,则获取信息性错误消息。
It's actually easier in most cases to use a LDAP library supporting the above. I ultimately ended up rolling my own library which handles all the above points: LdapTools(Well, not just for authentication, it can do much more). It can be used like the following:
在大多数情况下,使用支持上述内容的 LDAP 库实际上更容易。我最终最终推出了自己的库来处理上述所有问题:LdapTools(嗯,不仅用于身份验证,它还可以做更多的事情)。它可以像下面这样使用:
use LdapTools\Configuration;
use LdapTools\DomainConfiguration;
use LdapTools\LdapManager;
$domain = (new DomainConfiguration('example.com'))
->setUsername('username') # A separate AD service account used by your app
->setPassword('password')
->setServers(['dc1', 'dc2', 'dc3'])
->setUseTls(true);
$config = new Configuration($domain);
$ldap = new LdapManager($config);
if (!$ldap->authenticate($username, $password, $message)) {
echo "Error: $message";
} else {
// Do something...
}
The authenticate call above will:
上面的身份验证调用将:
- Validate that neither the username or password is empty.
- Ensure the username/password is properly encoded (UTF-8 by default)
- Try an alternate LDAP server in case one is down.
- Encrypt the authentication request using TLS.
- Provide additional information if it failed (ie. locked/disabled account, etc)
- 验证用户名或密码都不为空。
- 确保用户名/密码正确编码(默认为 UTF-8)
- 尝试备用 LDAP 服务器以防万一。
- 使用 TLS 加密身份验证请求。
- 如果失败,请提供其他信息(即锁定/禁用帐户等)
There are other libraries to do this too (Such as Adldap2). However, I felt compelled enough to provide some additional information as the most up-voted answer is actually a security risk to rely on with no input validation done and not using TLS.
还有其他库也可以做到这一点(例如 Adldap2)。然而,我觉得有必要提供一些额外的信息,因为最高投票的答案实际上是一个安全风险,在没有完成输入验证和不使用 TLS 的情况下。
回答by Scott Reynen
I do this simply by passing the user credentials to ldap_bind().
我只是通过将用户凭据传递给 ldap_bind() 来做到这一点。
http://php.net/manual/en/function.ldap-bind.php
http://php.net/manual/en/function.ldap-bind.php
If the account can bind to LDAP, it's valid; if it can't, it's not. If all you're doing is authentication (not account management), I don't see the need for a library.
如果账号可以绑定LDAP,则有效;如果不能,那就不是。如果您所做的只是身份验证(而不是帐户管理),那么我认为不需要库。
回答by CMS
回答by Darryl Hein
PHP has libraries: http://ca.php.net/ldap
PHP 有库:http: //ca.php.net/ldap
PEAR also has a number of packages: http://pear.php.net/search.php?q=ldap&in=packages&x=0&y=0
PEAR 还有很多包:http: //pear.php.net/search.php?q=ldap&in=packages& x=0&y=0
I haven't used either, but I was going to at one point and they seemed like they should work.
我也没有使用过,但我曾经打算使用它们,它们似乎应该起作用。
回答by Joe Meyer
For those looking for a complete example check out http://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/.
对于那些寻找完整示例的人,请查看http://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/。
I have tested this connecting to both Windows Server 2003 and Windows Server 2008 R2 domain controllers from a Windows Server 2003 Web Server (IIS6) and from a windows server 2012 enterprise running IIS 8.
我已经测试了从 Windows Server 2003 Web Server (IIS6) 和运行 IIS 8 的 Windows Server 2012 企业连接到 Windows Server 2003 和 Windows Server 2008 R2 域控制器的情况。
![php $id = $_GET['id'] : 变量不起作用](/res/img/loading.gif)