将 Active Directory 与第三方 LDAP 集成

发布于 2024-12-18 10:46:26 字数 373 浏览 0 评论 0原文

我们生产这些基于 Linux 的设备，并希望与 Active Directory 集成。

我想知道以下工作流程是否可行：

客户端安装我们的设备，将其连接到网络上。 Windows 系统管理员使用其标准工具集中的某些内容将我们的设备添加为具有有关权限和权限的自定义抽象的资源。

从设备的角度来看；通过系统管理员配置 AD 服务器（从而连接到它），Linux 设备将能够使用该服务器作为身份验证代理，而 Windows 系统管理员无需直接连接或配置该设备。

所以基本上，它是一个插件解决方案，可以通过 AD 服务器以某种方式连接和验证它，添加特定于我们技术的新抽象。

我没有为企业 IT 管理和配置 AD 的实际经验，所以我不知道这是否可行。感谢您的帮助！

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

避讳 2024-12-25 10:46:26

适用于所有 AD 情况的插入式解决方案实际上是不存在的！通常需要一些系统管理员的工作才能让它运行。

您的设备需要询问许多字段，例如服务器地址、服务器端口、使用 SSL、代理（应用程序名称和应用程序 DN）、代理密码、基本 DN 和代理模式。

然后，您的设备应用程序（Java 或 PHP 或其他应用程序）需要实现 LDAP 协议并仅进行身份验证检查。

我已经将企业 LDAP 与 Wordpress 和 Mediawiki 集成（在他们有插件之前），这非常简单，只是不是即插即用。

为此，我在 PHP 中使用了两个文件 - 一个带有设置，另一个带有身份验证功能。在任何 PHP 应用程序中包含这两个内容，只需传递输入的用户名和密码，它就会返回经过身份验证的用户信息，如姓名、电子邮件等......

这是我第一次让它全部工作时创建的测试页面。

<html><body>
<?php

# Matt Hart - PHP-based authentication against active directory
# Tested on Fedora Core 4 with Apache 2.0.54, PHP 4.3.11, OpenLDAP
# OpenSSL, php-ldap
# Working on RHEL4

echo "<br>Attempting Secure LDAP Connection<br>";

// $mh_ldaphost = "ldaps://directory.yoursite.com:636";
$mh_ldaphost = "ldaps://ldap.yoursite.com:636";
$mh_ldapconn = ldap_connect($mh_ldaphost) or die ("Failed");
echo "<br>Succeeded ... Testing app binding<br>";

# Bind using app credentials
$mh_appid = "yourappid"; // ****** Use your application id
$mh_dn = "uid=" . $mh_appid . ",ou=Apps,o=Yoursite.com";
$mh_bind = ldap_bind($mh_ldapconn, $mh_dn) or die("Failed");
echo "<br>Succeeded ... Get user corp ID</br>";

# Get the user's corporate ID
$mh_search = "ou=employees,ou=people,o=yoursite.com";
$mh_userid = "johnny"; // ****** User ID to find
$mh_filter = "(uid=" . $mh_userid . ")";
$mh_search = ldap_search($mh_ldapconn, $mh_search, $mh_filter) or die ("Failed");
echo "<br>Succeeded: ";
$mh_entries = ldap_get_entries($mh_ldapconn, $mh_search);
$mh_corpid = $mh_entries[0]["corpidfield"][0];
echo "CorpID=" . $mh_corpid;

# Authenticate the user
echo "<br><br>Authenticating...<br>";

$mh_authdn = "corpidfield=" . $mh_corpid . ",ou=employees,ou=people,o=yoursite.com";
$mh_authpass = "Depp1"; // ****** User password
$mh_authbind = ldap_bind($mh_ldapconn, $mh_authdn, $mh_authpass) or die("Failed");
die("Success");

?>
</body></html>

您还可以打印整个条目[]数组以查看可能返回的内容。

Plug in solutions that work in all AD situations are practically nonexistent! It's usually a bit of sysadmin work to get it going.

Your appliance needs to ask for a number of fields like server address, server port, use SSL, proxy agent (app name and app DN), proxy password, base DNs and proxy pattern.

Then your appliance app, Java or PHP or whatever, needs to implement the LDAP protocols and just do the authentication check.

I've integrated corporate LDAP with both Wordpress and Mediawiki (before they had plugins for it), and it was pretty straightforward, just not plug and play.

I have two files I use in PHP for this - one with settings, the other with the auth function. Include both of those in any PHP app and just pass the input username and password, and it returns authenticated with info about the user like name, email, etc...

Here's a test page I created when I first got it all working.

<html><body>
<?php

# Matt Hart - PHP-based authentication against active directory
# Tested on Fedora Core 4 with Apache 2.0.54, PHP 4.3.11, OpenLDAP
# OpenSSL, php-ldap
# Working on RHEL4

echo "<br>Attempting Secure LDAP Connection<br>";

// $mh_ldaphost = "ldaps://directory.yoursite.com:636";
$mh_ldaphost = "ldaps://ldap.yoursite.com:636";
$mh_ldapconn = ldap_connect($mh_ldaphost) or die ("Failed");
echo "<br>Succeeded ... Testing app binding<br>";

# Bind using app credentials
$mh_appid = "yourappid"; // ****** Use your application id
$mh_dn = "uid=" . $mh_appid . ",ou=Apps,o=Yoursite.com";
$mh_bind = ldap_bind($mh_ldapconn, $mh_dn) or die("Failed");
echo "<br>Succeeded ... Get user corp ID</br>";

# Get the user's corporate ID
$mh_search = "ou=employees,ou=people,o=yoursite.com";
$mh_userid = "johnny"; // ****** User ID to find
$mh_filter = "(uid=" . $mh_userid . ")";
$mh_search = ldap_search($mh_ldapconn, $mh_search, $mh_filter) or die ("Failed");
echo "<br>Succeeded: ";
$mh_entries = ldap_get_entries($mh_ldapconn, $mh_search);
$mh_corpid = $mh_entries[0]["corpidfield"][0];
echo "CorpID=" . $mh_corpid;

# Authenticate the user
echo "<br><br>Authenticating...<br>";

$mh_authdn = "corpidfield=" . $mh_corpid . ",ou=employees,ou=people,o=yoursite.com";
$mh_authpass = "Depp1"; // ****** User password
$mh_authbind = ldap_bind($mh_ldapconn, $mh_authdn, $mh_authpass) or die("Failed");
die("Success");

?>
</body></html>

You can also print the whole entries[] array to see what all it is possible to return.

回复收藏 0 原文

~没有更多了~