Using Active Directory to authenticate users on an intranet site


Question

I have an 'intranet' site that I have built, which has a login system of its own (users register as new users, and use the username/password thereon to log in to the site). However, now I want to extend it, and have the intranet site use the existing Active Directory for authentication. This is what I am looking for, going forward:

When a user accesses this intranet site (http://intranetsite/mySite), the user's domain credentials are validated against the Active Directory, and if the user's credentials match AD, the user is then presented the main page of the intranet site.

I am new to AD, and do not know how to go about this configuration. My intranet site is built around PHP and uses Apache on the application server; the AD is on a different IIS server.

What information do I need, and where do I put this information (into my site? .htaccess? anywhere else?) so that I can use AD authentication? Is just 'configuration' enough, or do I need to write explicit PHP code for this authentication?

Any pointers are greatly appreciated.

Answer

If you are looking only for authentication and nothing else, you may get away with only a few lines of code.

First, ensure you have the ldap extension enabled in your PHP.

Here's a pure PHP implementation:
(note that when doing it this way you should ensure that you DO HAVE a username and a password from the user - anonymous binding will almost always return true for AD)

<?php
$username = 'username@domain.com'; // As supplied by the user
$password = 'SomeSecret';

// LDAP treats a bind with an empty password as an anonymous bind, which AD accepts:
// reject it before it ever reaches the server
if ($password === '') {
    exit('Invalid credentials'); // Handle error appropriately
}

$link = ldap_connect('domain.com'); // Your domain or domain server

if (! $link) {
    exit('Could not connect to server'); // Handle error appropriately
}

ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3); // Recommended for AD
ldap_set_option($link, LDAP_OPT_REFERRALS, 0);        // Stop AD referral chasing from breaking the bind

// Now try to authenticate with credentials provided by user
if (! ldap_bind($link, $username, $password)) {
    exit('Invalid credentials'); // Handle error appropriately
}
// Bind was successful - continue

If you expect to do more fun stuff with Active Directory, like pulling some information about the currently logged-in user, I strongly recommend using a framework to do the heavy lifting for you. As already mentioned, adLDAP is a good one, and if you run PHP 5.4 I dare recommend the AD-X library, which I actively develop (you can install it via Composer).

With the AD-X library, you can verify a user's credentials using this code:

<?php
require 'vendor/autoload.php'; // AD-X installed via Composer

function authenticate($username, $password)
{
    if ($password === '') {
        return false; // Never let an empty password turn into an anonymous bind
    }

    try {
        $link = new ADX\Core\Link('domain.com'); // Establish connection to AD
        $link->bind($username, $password);      // Authenticate user
    }
    catch (ADX\Core\ServerUnreachableException $e) {
        // Unable to connect to server, handle error
        return false;
    }
    catch (ADX\Core\InvalidCredentialsException $e) {
        // Invalid credentials supplied
        return false;
    }
    catch (Exception $e) {
        // Something else happened, check the exception and handle appropriately
        return false;
    }

    // Successfully authenticated if no exception has been thrown
    return true;
}

Feel free to choose whichever suits you best. However, if you expect to do more than authenticate, I strongly suggest you use a library for the ldap work - it will save you a lot of time and possibly frustration when things do not work as you would expect them to.

Also, if in doubt about what information you can/should use to connect and to authenticate, feel free to check my previous answer on this topic.
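As an added example (not part of the answer above, and not code from adLDAP or AD-X), here is the same simple-bind check written the way it would be deployed: credentials are validated before any network call, an empty password is refused so the bind cannot silently become an anonymous one, the connection uses LDAPS instead of cleartext LDAP so the password is not observable on the wire, and after a successful bind the user's entry is looked up with an escaped filter so the site can authorize on group membership rather than on "the bind worked". The domain controller `dc01.domain.com`, the UPN suffix `domain.com`, the base DN `DC=domain,DC=com` and the group `Intranet Users` are assumptions chosen for illustration.

```php
<?php
/**
 * Authenticate a user against Active Directory over LDAPS and return the
 * DNs of the groups the user is a direct member of, or null on failure.
 *
 * Assumed (illustrative) environment: DC at dc01.domain.com, UPN suffix
 * domain.com, search base DC=domain,DC=com.
 */
function adAuthenticate(string $samAccountName, string $password): ?array
{
    // 1. Validate before touching the network. The account name becomes part of
    //    the bind identity and of a search filter, so reject rather than escape
    //    anything outside a conservative character set.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $samAccountName)) {
        return null;
    }
    // An empty password turns a simple bind into an anonymous bind, which AD
    // accepts, so ldap_bind() would "succeed" for any username.
    if ($password === '') {
        return null;
    }

    // 2. LDAPS (port 636): the password travels only inside TLS.
    $link = ldap_connect('ldaps://dc01.domain.com:636');
    if ($link === false) {
        return null;
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);       // AD referrals otherwise stall searches
    ldap_set_option($link, LDAP_OPT_NETWORK_TIMEOUT, 5); // a dead DC must not hang the login page

    // 3. Bind as the user with their UPN. Wrong password, disabled or locked
    //    account all surface as a failed bind.
    $upn = $samAccountName . '@domain.com';
    if (!@ldap_bind($link, $upn, $password)) {
        ldap_unbind($link);
        return null;
    }

    // 4. Look the user up with an escaped filter and read group membership.
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER)
    );
    $result  = ldap_search($link, 'DC=domain,DC=com', $filter, ['memberOf']);
    $entries = $result ? ldap_get_entries($link, $result) : ['count' => 0];
    ldap_unbind($link);

    if ($entries['count'] !== 1) {
        return null; // no (or ambiguous) match: do not treat as logged in
    }
    $groups = $entries[0]['memberof'] ?? ['count' => 0]; // attribute names come back lowercased
    unset($groups['count']);
    return array_values($groups);
}

// Usage: grant access only to members of one group, compared on the full DN so
// that a similarly named group elsewhere in the forest does not match.
session_start();
$groups  = adAuthenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
$allowed = $groups !== null
    && in_array('CN=Intranet Users,OU=Groups,DC=domain,DC=com', $groups, true);
if (!$allowed) {
    http_response_code(403);
    exit('Access denied');
}
session_regenerate_id(true); // fresh session id after login defeats session fixation
$_SESSION['user'] = $_POST['username'];
```

Two caveats when relying on `memberOf`: it lists only direct memberships (nested groups are not expanded) and never includes the user's primary group, so an authorization rule built on it should either use a group the users are placed in directly or resolve nesting with a second query. The bind step alone proves the password; it is the group check that proves the user is supposed to see this site.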

