在使用 IE/Firefox 时使用 PHP、活动目录对 ldap 进行身份验证

2022-01-17 00:00:00 ldap active-directory php apache intranet

下面的代码会根据 ldap 检查用户的凭据

This code below checks for the user's credentials against ldap

<?php
$ldaphost = "ldap.domain.com";
$ldapport = 389;

$ds = ldap_connect($ldaphost, $ldapport)
or die("Could not connect to $ldaphost");

if ($ds) 
{
    $username = "johndoe@domain.com";
    $upasswd = "pass";

    $ldapbind = ldap_bind($ds, $username, $upasswd);

    if ($ldapbind) 
        {print "Congratulations! $username is authenticated.";}
    else 
        {print "Access Denied!";}
}
?>

我的用户使用 Firefox 和 IE,我知道它们可以无缝传递他们的 ActiveDirectory 凭据.

My users use Firefox and IE, and I know that can pass their ActiveDirectory credentials seamlessly.

我只想检查 AD 组,看看那里是否找到了该用户名,如果是,则显示页面,否则提示输入凭据.

I just want to check the AD group to see if that username is found in there, if so, display the page, otherwise prompt to enter in credentials.

由于我们的用户已经登录到域控制器,我想获取他们的用户名,检查是否在特定组中找到它,然后让他们进入,否则提示用户输入凭据.这怎么可能?

Since our users are already logged into the domain controller, I want to grab their username, check to see if it was found in the specific group, then let them in, otherwise prompt user to input credentials. How is this possible?

推荐答案

实际上你不需要通过你的 PP 代码与 Active Directory 服务器通信来实现你想要的,因为你使用 IIS 作为你的 web 服务器.

You actually do not need to communicate with the Active Directory server from your PP code to achieve what you want given the fact that you use IIS as your web server.

这里的关键词是 集成 Windows 身份验证 - 那就是djn 寻找的措辞.如果启用此选项(并且拒绝匿名访问),IIS 将根据 Active Directory 和所请求资源的 NTFS 文件系统权限检查提供的凭据.因此,您可以使用简单的 NTFS 访问控制机制来控制对文件的访问.

The key word here is Integrated Windows Authentication - that's the wording djn looked for. If this option is turned on (and anonymous access is denied) IIS will check the supplied credentials against the Active Directory and the NTFS filesystem privileges of the requested resources. You can therefore control access to your files using simple NTFS access control mechanisms.

如果您的用户使用 IE,他们甚至不必输入他们的凭据,因为这是通过所谓的 SPNEGO(简单且受保护的 GSSAPI 协商机制)及其底层机制 Kerberos 或 NTLMSSP 取决于您的客户端和服务器能够处理的内容.

If your users use IE they even don't have to type in their credentials as this is done automatically via so called SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) and its underlying mechanisms Kerberos or NTLMSSP depending on what your client and server is capable of processing.

据我所知,Firefox 也能够自动将 Windows 登录凭据移交给您的服务器.您只需将 配置选项 调整为启用该功能 - 不知道此信息在 Firefox 3.5.x 中是否仍然有效.

As far as I know Firefox is able to hand over the Windows logon credentials to your server automatically too. You ony have to adjust a configuration option to turn on that feature - don't know if this information is still valid with Firefox 3.5.x.

如果您在 *nix 系统上运行 Apache,您将不得不求助于一些服务器端模块来处理类似 集成 Windows 身份验证的系统.可能的选项是(不知道它们实际上是否仍然保持或稳定):

If you're running Apache on a *nix-system you'll have to resort to some server-side-module to handle a Integrated Windows Authentication-like system. Possible options are (don't know whether they are actually still maintained or stable):

  • mod_auth_ntlm_winbind
  • mod_auth_kerb
  • mod_ntlm

对于 Windows 上的 Apache,有:

For Apache on Windows there are:

  • mod_ntlm(过时;不同上面的mod_ntlm)
  • mod_auth_sspi(<代码>mod_ntlm)

请注意,这些模块中的大多数似乎都已经很旧了.

Please be aware that most of these modules seem to be very old.

相关文章