How can an externally hosted website authenticate against AD?
Here's what I'm trying to accomplish: I have a website built on a CMS that can authenticate over LDAP. I would like for users to be able to use their AD usernames and passwords to authenticate to the website.
Basically I'm trying to understand if there is a good way to make Active Directory available externally through an LDAP connection. What options are there for this sort of thing?
Researching online I've found some suggestions to set up AD LDS on our DMZ and have it replicate with our internal Domain Controller. It seems like that would work, but I don't have a very deep understanding of AD LDS, so I'm not sure.
Is there some standard way of doing this? Or is it generally considered best practice to just set up a separate user database for external use?
If you already have all your "externally hosted website" users in your AD domain, you should be able to do LDAP authentication against any DC.
If you do not want your "externally hosted website" users in your domain, then set up an LDS instance. (But I would not put it in the DMZ. Just open a point-to-point path through the firewall to the LDS instance for port 636.)
-jim
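As an added example (not code from the question or from jim's answer), this is the CMS-side check the thread is about: a simple bind over LDAPS on port 636 against a DC or AD LDS instance reachable through the firewall, with the certificate verified against a CA bundle. It also covers the two pitfalls a practitioner would want handled before going live: the username is escaped per RFC 4515 before it is placed in a search filter, and an empty password is rejected, because AD treats a bind with a DN but no password as an unauthenticated bind that succeeds. The host name, CA file path, base DN, UPN suffix and the `ldap3` library are assumptions; the pure helpers run without any server.

```python
"""Authenticate a website user against Active Directory over LDAPS.

Constructed example for the thread above. Host names, CA path, base DN and
UPN suffix are assumed values, not anything from the page. The bind itself
uses the third-party ldap3 library (pip install ldap3); the helpers that
build and validate inputs are pure Python and run offline.
"""
import ssl
from dataclasses import dataclass

# RFC 4515: characters that are special inside an LDAP search filter.
# A single-pass per-character mapping avoids double-escaping the backslash.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before it goes into an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapConfig:
    host: str               # DC or AD LDS instance allowed through the firewall (assumed)
    ca_file: str            # CA bundle that issued the server certificate (assumed path)
    base_dn: str            # e.g. "DC=corp,DC=example" (assumed)
    upn_suffix: str         # e.g. "corp.example" (assumed)
    port: int = 636         # LDAPS, as the answer recommends
    use_ssl: bool = True    # never send a simple bind in the clear


def config_problems(cfg: LdapConfig) -> list:
    """Return the reasons a configuration must not be used for authentication."""
    problems = []
    if not cfg.use_ssl:
        problems.append("use_ssl is False: a simple bind would send the password in the clear")
    if cfg.port != 636:
        problems.append("port %d is not the LDAPS port 636" % cfg.port)
    if not cfg.ca_file:
        problems.append("no CA bundle: the server certificate could not be verified")
    return problems


def password_ok(password: str) -> bool:
    """Reject empty passwords: AD answers a bind with a DN and no password as an
    unauthenticated bind that *succeeds*, which must never count as a login."""
    return bool(password)


def build_upn(username: str, cfg: LdapConfig) -> str:
    """Form the userPrincipalName that AD accepts as the bind name."""
    if not username.strip() or "@" in username or "\\" in username:
        raise ValueError("username must be a bare sAMAccountName")
    return "%s@%s" % (username, cfg.upn_suffix)


def build_user_filter(username: str) -> str:
    """Filter used after the bind to confirm the account is a real user object."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(username)


def authenticate(username: str, password: str, cfg: LdapConfig) -> bool:
    """True only if the directory accepts the credentials over verified LDAPS."""
    if config_problems(cfg) or not password_ok(password):
        return False
    upn = build_upn(username, cfg)
    # Imported here so the helpers above stay usable without ldap3 installed.
    from ldap3 import SIMPLE, Connection, Server, Tls

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=cfg.ca_file)
    server = Server(cfg.host, port=cfg.port, use_ssl=cfg.use_ssl, tls=tls)
    conn = Connection(server, user=upn, password=password, authentication=SIMPLE)
    try:
        if not conn.bind():          # wrong password or disabled account -> False
            return False
        # The bound identity must also resolve to a user object under base_dn.
        return conn.search(cfg.base_dn, build_user_filter(username), attributes=["sAMAccountName"])
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Assumed values; replace with the real DC/LDS host and CA bundle.
    cfg = LdapConfig(host="ldap.corp.example", ca_file="/etc/ssl/corp-ca.pem",
                     base_dn="DC=corp,DC=example", upn_suffix="corp.example")
    print(config_problems(cfg))                     # [] means the config is usable
    print(build_user_filter("j*smith"))             # escaped before reaching the DC
```

Whether the target is a DC or an AD LDS instance makes no difference to this code; only the host name and the CA that issued its certificate change. The `config_problems` check is what stops a copy-pasted `ldap://host:389` from quietly shipping passwords unencrypted across the firewall path the answer describes.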