使用活动目录对Intranet站点上的用户进行身份验证 [英] Using active directory to authenticate users on intranet site
问题描述
我有一个建立的内部网"站点,该站点具有自己的登录系统(用户注册为新用户,并在其上使用用户名/密码登录该站点).但是,现在我想扩展它,并让Intranet站点使用现有的ActiveDirectory进行身份验证.这就是我一直在寻找的东西-
I have an 'intranet' site that I have built, which has a login system of its own (users register as new users, and use the username/password thereon to login to the site). However, now I want to extend it, and have the intranet site use the existing ActiveDirectory for authentication. This is what I am looking for, going forward -
当用户访问此Intranet站点(http://intranetsite/mySite
)时,将根据活动目录验证用户的域凭据,如果该用户的凭据与AD匹配,则会向用户显示Intranet站点的主页.
When a user access this intranet site (http://intranetsite/mySite
), the user's domain credentials are validated against the active directory, and if the user's credentials match AD, the user is then presented the main page of the intranet site.
我是AD的新手,并且不知道如何进行此配置.我的Intranet网站是围绕PHP构建的,并在应用程序服务器上使用Apache. AD位于另一台IIS服务器上.
I am new to AD, and do not know how to go about this configuration. My intranet site is built around PHP and uses Apache on the application server; the AD is on a different IIS server.
我需要什么信息,我应该将该信息放在哪里(进入我的网站?htaccess?在其他地方?)以便可以使用AD身份验证?仅仅是配置"就足够了,还是我需要编写用于此身份验证的显式PHP代码?
What information do I need, and where do I put this information (into my site? htaccess? anywhere else?) so that I can use AD authentication? Is just 'configuration' enough, or do I need to write explicit PHP code for this authentication?
非常感谢任何指针.
推荐答案
如果您仅在寻找身份验证,而仅此而已,那么可能只需要几行代码就可以逃脱.
If you are looking only for authentication and nothing else, you may get away with only a few lines of code.
首先,请确保您已在PHP中启用 ldap .
First, ensure you have ldap enabled in your php.
这是纯PHP实现:
(请注意,以这种方式进行操作时,应确保您确实有用户的用户名和密码-匿名绑定对于AD几乎总是返回true)
Here's pure php implementation:
(note that when doing it this way you should ensure that you DO HAVE a username and a password from a user - anonymous binding will almost always return true for AD)
$link = ldap_connect('domain.com'); // Your domain or domain server
if(! $link) {
// Could not connect to server - handle error appropriately
}
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3); // Recommended for AD
// Now try to authenticate with credentials provided by user
if (! ldap_bind($link, 'username@domain.com', 'SomeSecret')) {
// Invalid credentials! Handle error appropriately
}
// Bind was successful - continue
如果您希望使用Active Directory做更多有趣的事情,例如提取一些有关当前登录用户的信息,我强烈建议您使用框架为您完成繁重的工作.如前所述,adLDAP是一个不错的选择,如果您运行PHP 5.4,我不敢推荐 AD-X 我正在积极开发的库(您可以通过Composer安装它).
If you expect to do more fun stuff with Active Directory like pulling some information about currently logged in user I strongly recommend using a framework to do the heavy lifting for you. As already mentioned, adLDAP is a good one and if you run PHP 5.4 I dare recommending the AD-X library which I actively develop (you can install it via Composer).
使用AD-X库,您可以使用以下代码来验证用户的凭据:
With the AD-X library, you can verify a user's credentials using this code:
try {
$link = new ADX\Core\Link('domain.com'); // Establish connection to AD
$link->bind('username@domain.com', 'SomeSecret'); // Authenticate user
}
catch (ADX\Core\ServerUnreachableException $e) {
// Unable to connect to server, handle error
}
catch (ADX\Core\InvalidCredentialsException $e) {
// Invalid credentials supplied
}
catch (Exception $e) {
// Something else happened, check the exception and handle appropriately
}
// Successfully authenticated if no exception has been thrown
随时选择最适合您的产品.但是,如果您希望做的事多于身份验证,我强烈建议您为ldap工作使用一个库-如果事情无法按预期进行,它将为您节省大量时间,并可能使您沮丧.
Feel free to choose which suits you best. However, if you expect to do more than authenticate I strongly suggest you use a library for the ldap work - it will save you a lot of time and possibly frustration when things do not work as you would expect them to.
此外,如果有疑问,您可以/应该使用哪些信息进行连接和身份验证,请随时检查我的
Also, if in doubt what information you can/should use to connect and to authenticate feel free to check my previous answer on this topic.
这篇关于使用活动目录对Intranet站点上的用户进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!