PHP Active Directory Authentication Using Kerberos

Posted on 2024-08-04 21:20:23

I'm currently integrating a CMS (developed in PHP) authentication with Active Directory. This specific Active Directory only allows authentication through Kerberos, or ldaps:// (but this last one is not the most wanted since I'll have to use absolute paths).

I've been searching the web for anything about PHP AD Kerberos Authentication, but found nothing. Can anyone point me in the right direction?

Thanks in advance.

Comments (3)

撑一把青伞 2024-08-11 21:20:23

If you are using Active Directory, it's possible your webserver is IIS, which has inbuilt Kerberos*.. then just let the browser & webserver handle the authentication and use some PHP like:

$user = isset($_SERVER['AUTH_USER']) ? $_SERVER['AUTH_USER'] : false;
if ((false === $user) or ('' == $user)) {
    // Divert to incorrect password page..
    // MSIE typically tries three times, Kerb/NTLM/Plain
    // FF will only try NTLM/Plain if configured for NTLM
    // Chrome.. won't work with this at all.. not that I have discovered.
    // If testing locally using Apache, user will be 0
}

Now you can do SSO using Kerberos, works a charm.

*: Called "Integrated Windows Authentication" http://support.microsoft.com/kb/324274 and must be enabled in the browser by setting "Security Zone" to "Local Intranet".. which may happen if the IIS box is actually on the Local Intranet.. but it depends on the SPN and the domain the User's box and IIS box and any trust relationships.. if it's on a single domain with the domain name/machine name the same it should work. If you are clustering or anything fun, expect a major headache, rather than just a normal headache. You can script/GPO the IE settings if you feel the need..

Hopefully you are asking about something else.. If I prayed, it would be that you didn't implement this; it causes the whole authentication process for every single request.. which, it turns out, slows down every page load.. no matter how many aggregations/hacks/workarounds you implement.. it was just a bad idea, but once you start or tell a manager about it, they really love it because it saves them having to log in again.. oh, they will still complain about speed, but..
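
As an added example (not part of the answer above and not code from IIS or any CMS): one way to turn the `AUTH_USER` value into a CMS account name while refusing anonymous requests, non-Negotiate schemes and identities from an unexpected domain. `resolve_iwa_user()`, `EXAMPLE_DOMAINS` and the sample requests are hypothetical, and the code assumes IIS populates `AUTH_TYPE` alongside `AUTH_USER`.

```php
<?php
// Added example, not from the original answer. resolve_iwa_user() and
// EXAMPLE_DOMAINS are hypothetical names; the domain values are constructed.
const EXAMPLE_DOMAINS = ['EXAMPLE', 'example.local'];
// Assumption: only SPNEGO/Kerberos is acceptable; Basic and bare NTLM are refused.
const ACCEPTED_AUTH_TYPES = ['negotiate', 'kerberos'];

// Returns the lower-cased account name, or null for "treat as unauthenticated".
function resolve_iwa_user(array $server): ?string
{
    $type = strtolower(trim($server['AUTH_TYPE'] ?? ''));
    $raw  = trim($server['AUTH_USER'] ?? '');

    // Empty AUTH_USER: anonymous access is still enabled or the handshake
    // failed. Never fall through to a default account.
    if ($raw === '' || !in_array($type, ACCEPTED_AUTH_TYPES, true)) {
        return null;
    }
    // "Negotiate" can still wrap NTLM, so this check alone does not prove Kerberos.

    // IIS reports DOMAIN\user; a UPN (user@domain) is handled as well.
    if (preg_match('/^([^\\\\@]+)\\\\([^\\\\@]+)$/', $raw, $m)) {
        [$domain, $user] = [$m[1], $m[2]];
    } elseif (preg_match('/^([^\\\\@]+)@([^\\\\@]+)$/', $raw, $m)) {
        [$user, $domain] = [$m[1], $m[2]];
    } else {
        return null; // no domain part, so the vouching directory is unknown
    }
    // Only identities from the expected domain map to CMS accounts.
    if (!in_array(strtolower($domain), array_map('strtolower', EXAMPLE_DOMAINS), true)) {
        return null;
    }
    // Conservative character set before the name reaches SQL or LDAP lookups.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return null;
    }
    return strtolower($user);
}

// Constructed sample requests: accepted, wrong scheme, anonymous, foreign domain.
$samples = [
    ['AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'EXAMPLE\\JDoe'],
    ['AUTH_TYPE' => 'Basic',     'AUTH_USER' => 'EXAMPLE\\jdoe'],
    ['AUTH_TYPE' => '',          'AUTH_USER' => ''],
    ['AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'jdoe@other.test'],
];
foreach ($samples as $s) {
    var_dump(resolve_iwa_user($s));
}
```

Only the first sample resolves to an account name; the other three return null and should be sent to the login-failure page.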

戏蝶舞 2024-08-11 21:20:23

Not a freeware solution - google the keyword 'Plexcel'

绮烟 2024-08-11 21:20:23

There's a krb5 module for PHP. It has a PECL entry although no packaging yet. You can find out more about it here:

http://mbechler.eenterphace.org/blog/index.php?/archives/12-php_krb5-releases.html
