I'm having trouble getting phpBB to authenticate through our Active Directory
I am pretty sure that the settings that I am using are correct, so all possible things can be wrong which I should check out so that I can make authentication with our Active Directory work.
Try to test if PHP can connect to Active Directory
What do you have as your $config['ldap_user'] and $config['ldap_uid']? You want to set $config['ldap_uid'] to sAMAccountName
@grom... thanks but, yes PHP is working just fine. I have a WordPress and a MediaWiki installation on the same server, and they are both authenticating against the same active directory just fine.
phpBB3 does not offer much info about how to enable LDAPS, so I hope this helps someone...
Note that you may need to actually clear all phpBB3 cookies immediately after the base installation. This will allow the admin user to see the ACP. Once you are able to consistently log into phpBB3 as an admin, and want to enable LDAPS authentication, do the following (tested with AD and Debian stretch):
Obtain the root TLS certificate from your AD/LDAP Administrator, or get it yourself with something like:
# openssl s_client -showcerts -connect google.com:443
See the MediaWiki documentation, as phpBB3 docs are quite sparse:
https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements
Install the PEM formatted certificate with a .crt name into your OS certificate store. For Debian based systems, that would be
/usr/local/share/ca-certificates
then run
# dpkg-reconfigure ca-certificates
Configure
/etc/ldap/ldap.conf
to your local settings. Note that port 3268 may not have in-built limits like 686 with AD. YMMV.
Create a special AD user for binding. Give it permissions to look up, but not to change, attributes. Confirm that the credentials work with ldapsearch, e.g.:
ldapsearch -x -LLL -h ad.mydomain.com -D binduser -W -z 30 -b "dc=mydomain,dc=com" searchString
Create a phpBB3 user with the same username as the above AD bind user. As the phpBB3 admin, grant the AD bind user Founder permissions.
Using a different browser, log into phpBB3 as the binduser, then set up the LDAP Authentication as that user. (As noted in the above post).
Test it! Log out of phpBB3 and then log in again using the LDAP/AD credentials.
If that does not work, the PHP dev documentation is quite good, and offers many comments with examples and example code to try.
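The ldap.conf step in the answer above is where LDAPS setups often end up with certificate validation switched off. The following is an added example, not part of the answer or of phpBB: a shell check for /etc/ldap/ldap.conf that flags non-ldaps URIs, a permissive TLS_REQCERT, and a missing trust anchor. The function name `audit_ldap_conf`, the sample config and the requirement for an explicit TLS_CACERT are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an OpenLDAP client config before pointing phpBB at LDAPS.
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_ldap_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        { key = toupper($1) }                  # option names are case-insensitive
        key == "URI" {
            seen_uri = 1
            for (i = 2; i <= NF; i++)          # URI may list several servers
                if (tolower($i) !~ /^ldaps:\/\//) {
                    print "URI is not ldaps://: " $i; bad = 1
                }
        }
        key == "TLS_REQCERT" {
            v = tolower($2)
            # never and allow let the session continue with a bad server certificate
            if (v == "never" || v == "allow") {
                print "TLS_REQCERT " v " does not enforce certificate validation"; bad = 1
            }
        }
        key == "TLS_CACERT" || key == "TLS_CACERTDIR" { seen_ca = 1 }
        END {
            if (!seen_uri) { print "no URI directive"; bad = 1 }
            # Policy assumed by this example: require an explicit trust anchor
            if (!seen_ca) { print "no TLS_CACERT or TLS_CACERTDIR directive"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$conf"
}

# Constructed sample input (not from the page): a config with validation disabled.
sample=$(mktemp)
printf '%s\n' 'URI ldap://ad.mydomain.com' 'TLS_REQCERT never' > "$sample"
audit_ldap_conf "$sample" || echo "fix the findings above before enabling LDAP auth"
rm -f "$sample"
```

Run it against the real file with `audit_ldap_conf /etc/ldap/ldap.conf` after installing the CA certificate.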
There is a trick to do activeDirectory auth with phpbb3. You should:
By the way, what error messages do you get from phpBB?