使用 PHP、活动目录以及 IE/Firefox 对 ldap 进行身份验证
下面的代码根据 ldap 检查用户的凭据
<?php
$ldaphost = "ldap.domain.com";
$ldapport = 389;
$ds = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to $ldaphost");
if ($ds)
{
$username = "[email protected]";
$upasswd = "pass";
$ldapbind = ldap_bind($ds, $username, $upasswd);
if ($ldapbind)
{print "Congratulations! $username is authenticated.";}
else
{print "Access Denied!";}
}
?>
我的用户使用 Firefox 和 IE,我知道这可以无缝地传递他们的 ActiveDirectory 凭据。
我只想检查 AD 组以查看是否在其中找到该用户名,如果是,则显示该页面,否则提示输入凭据。
由于我们的用户已经登录到域控制器,我想获取他们的用户名,检查是否在特定组中找到它,然后让他们进入,否则提示用户输入凭据。这怎么可能?
This code below checks for the user's credentials against ldap
<?php
$ldaphost = "ldap.domain.com";
$ldapport = 389;
$ds = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to $ldaphost");
if ($ds)
{
$username = "[email protected]";
$upasswd = "pass";
$ldapbind = ldap_bind($ds, $username, $upasswd);
if ($ldapbind)
{print "Congratulations! $username is authenticated.";}
else
{print "Access Denied!";}
}
?>
My users use Firefox and IE, and I know that can pass their ActiveDirectory credentials seamlessly.
I just want to check the AD group to see if that username is found in there, if so, display the page, otherwise prompt to enter in credentials.
Since our users are already logged into the domain controller, I want to grab their username, check to see if it was found in the specific group, then let them in, otherwise prompt user to input credentials. How is this possible?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
事实上,考虑到您使用 IIS 作为 Web 服务器,您实际上不需要从 PP 代码与 Active Directory 服务器进行通信来实现您想要的目的。
这里的关键词是集成Windows身份验证 - 这就是措辞djn 寻找 。如果打开此选项(并且拒绝匿名访问),IIS 将根据所请求资源的 Active Directory 和 NTFS 文件系统权限检查提供的凭据。因此,您可以使用简单的 NTFS 访问控制机制来控制对文件的访问。
如果您的用户使用 IE,他们甚至不必输入其凭据,因为这是通过所谓的 自动完成的SPNEGO(简单且受保护的 GSSAPI 协商机制)及其底层机制 Kerberos 或 < a href="http://en.wikipedia.org/wiki/NTLMSSP" rel="nofollow noreferrer">NTLMSSP 取决于您的客户端和服务器能够处理的内容。
据我所知,Firefox 也能够自动将 Windows 登录凭据移交给您的服务器。您只需调整配置选项即可打开该功能 - 不知道此信息对于 Firefox 3.5.x 是否仍然有效。
如果您在 *nix 系统上运行 Apache,则必须借助某些服务器端模块来处理类似集成 Windows 身份验证的系统。可能的选项是(不知道它们实际上是否仍然维护或稳定):
mod_auth_ntlm_winbindmod_auth_kerbmod_ntlm对于 Windows 上的 Apache,有:
mod_ntlm(已过时;与上面的mod_ntlm不同)mod_auth_sspi(mod_ntlm的后继者)请注意,这些模块中的大多数似乎都很旧。
You actually do not need to communicate with the Active Directory server from your PP code to achieve what you want given the fact that you use IIS as your web server.
The key word here is Integrated Windows Authentication - that's the wording djn looked for. If this option is turned on (and anonymous access is denied) IIS will check the supplied credentials against the Active Directory and the NTFS filesystem privileges of the requested resources. You can therefore control access to your files using simple NTFS access control mechanisms.
If your users use IE they even don't have to type in their credentials as this is done automatically via so called SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) and its underlying mechanisms Kerberos or NTLMSSP depending on what your client and server is capable of processing.
As far as I know Firefox is able to hand over the Windows logon credentials to your server automatically too. You ony have to adjust a configuration option to turn on that feature - don't know if this information is still valid with Firefox 3.5.x.
If you're running Apache on a *nix-system you'll have to resort to some server-side-module to handle a Integrated Windows Authentication-like system. Possible options are (don't know whether they are actually still maintained or stable):
mod_auth_ntlm_winbindmod_auth_kerbmod_ntlmFor Apache on Windows there are:
mod_ntlm(outdated; not the same asmod_ntlmabove)mod_auth_sspi(successor ofmod_ntlm)Please be aware that most of these modules seem to be very old.
现在正在进行类似的设置:我跳过了所有 LDAP 内容,让 Web 服务器在让客户端进入之前使用 AD 对客户端进行身份验证(抱歉,我不记得这在 M$ 替代宇宙中叫什么)。
如果客户端到达 PHP 脚本,他位于 AD,并且我在
$_SERVER["AUTH_USER"]和$_SERVER["LOGON_USER"]中都有他的用户名,否则他永远不会到达脚本。Working just now on a similar setup: I skipped all of that LDAP stuff having the web server authenticating the client with AD before letting him in (sorry, I can't remember what's this called in the M$ alternate universe).
If the client reaches the PHP script he's in AD and I have his username both in
$_SERVER["AUTH_USER"]and in$_SERVER["LOGON_USER"], otherwise he never gets to the script.