Authenticating user using LDAP from PHP


Problem description

My project is to make a module enrollment system for our university. So I contacted the IT people in my university for details to authenticate the students into the system. We are developing the system using the existing university login. They gave me some LDAP information; I don't know the usage of that. I'm using PHP and MySQL on an Apache server. How can I authenticate a user logging into my system, given his user ID and password, with the LDAP information?

Given below is the LDAP information (I have changed the domain name etc.):

LDAP information for blueroom.ac.uk domain

LDAP Host : ad.blueroom.ac.uk

LDAP port no: 389

BASE DN : ou=bluebird, dc=bluebird, dc=ac, dc=my

LDAP account to bind : cn = kikdap, ou=servacc, dc=bluebird,dc=ac,dc=uk

LDAP account password : ********

Attribute : sAMAccountName 

Recommended answer

The general procedure would be (relevant ext/ldap php commands in brackets):

  1. connect to the LDAP server using the "LDAP Host" and "LDAP port no" (ldap_connect()) and set the correct connection options (ldap_set_option()), especially LDAP_OPT_PROTOCOL_VERSION and LDAP_OPT_REFERRALS

  2. bind to the LDAP server using the "LDAP account to bind" and "LDAP account password" (ldap_bind()) - if you're authenticating against an Active Directory server you can directly use the username and password from the login page and skip all the following steps.

  3. search the tree for a matching user entry/object by specifying the "BASE DN" and the appropriate LDAP filter - most likely something like (&(objectClass=user)(sAMAccountName=%s)) where %s should be replaced by the username to be authenticated (ldap_search())

  4. check if the number of returned entries is 1 (if <> 1 then something has gone wrong, e.g. no user found or multiple users found)

  5. retrieve the distinguished name (DN) of this single entry (ldap_get_dn())

  6. use the DN found in the last step to try to bind to the LDAP server with the password given at the authentication page (ldap_bind())

  7. if the bind succeeds then everything is OK, if not, most likely the password is wrong
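The search-then-bind procedure described above, written out with PHP's ext/ldap as an added example; this is not code from the original answer. The host, base DN and service-account DN are the (redacted) values from the question; the function name, the LDAP_BIND_PASSWORD environment variable and the use of StartTLS are assumptions. Two checks that the procedure leaves implicit are made explicit here: an empty password is rejected before any bind, because ldap_bind() with an empty password performs an anonymous bind that many servers accept, and the username is passed through ldap_escape() so that a crafted value cannot change the meaning of the search filter.

```php
<?php
// Added example, not part of the original answer. Values below come from the
// question (already redacted there); LDAP_BIND_PASSWORD is an assumed env var.
function ldap_authenticate(string $username, string $password): ?string
{
    $host   = 'ad.blueroom.ac.uk';
    $port   = 389;
    $baseDn = 'ou=bluebird,dc=bluebird,dc=ac,dc=my';
    $bindDn = 'cn=kikdap,ou=servacc,dc=bluebird,dc=ac,dc=uk';
    $bindPw = getenv('LDAP_BIND_PASSWORD') ?: '';   // keep the secret out of source

    // ldap_bind() with an empty password is an anonymous bind, which can
    // "succeed" on many directories. Refuse it before talking to the server.
    if ($username === '' || $password === '') {
        return null;
    }

    // Connect and set protocol version 3; disable referral chasing, which
    // otherwise makes Active Directory searches fail or hang.
    $conn = ldap_connect("ldap://{$host}:{$port}");
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Port 389 is plaintext; upgrade with StartTLS so neither the service
    // account password nor the user's password crosses the network in clear.
    if (!ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return null;
    }

    // Bind with the service account so we are allowed to search the tree.
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        ldap_unbind($conn);
        return null;
    }

    // Look the user up by sAMAccountName. ldap_escape() neutralises filter
    // metacharacters such as '*', '(' and ')' in the submitted username.
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $result = ldap_search($conn, $baseDn, $filter, ['dn']);
    if ($result === false) {
        ldap_unbind($conn);
        return null;
    }

    // Exactly one entry must match: zero means unknown user, more than one
    // means an ambiguous lookup, and we must not pick one at random.
    if (ldap_count_entries($conn, $result) !== 1) {
        ldap_unbind($conn);
        return null;
    }

    // Take that entry's DN and try to bind as the user with the given password.
    $entry  = ldap_first_entry($conn, $result);
    $userDn = ldap_get_dn($conn, $entry);
    $ok     = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);

    // A non-null return means the directory accepted the password for exactly
    // this account; the caller can use the DN as the authenticated identity.
    return $ok ? $userDn : null;
}

// Usage from a login handler (constructed example):
// $dn = ldap_authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($dn === null) { /* show a generic "login failed" message */ }
```

The function returns the matched DN rather than a bare boolean so that the application records which directory object actually authenticated, and it returns null for every failure path so the login page shows the same message whether the user is unknown, ambiguous, or gave the wrong password.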

It's really not as hard as it sounds at first. Generally I'd propose to use some sort of standard library for authenticating against an LDAP server such as the Net_LDAP2 PEAR package or Zend_Ldap out of the Zend Framework. I have no experience with actually using Net_LDAP2 (although I know the code quite well) but Zend_Ldap works very well against Active Directory servers or ADAMS servers (which is obviously what you're working with).

This will do the trick using Zend_Ldap:

$options = array(
    'host'                 => 'ad.blueroom.ac.uk',
    'useStartTls'          => true,
    'accountDomainName'    => 'blueroom.ac.uk',
    'accountCanonicalForm' => 4,
    'baseDn'               => 'ou=bluebird,dc=bluebird,dc=ac,dc=my',
);
$ldap = new Zend_Ldap($options);
try {
    $ldap->bind('user', 'password');
} catch (Zend_Ldap_Exception $e) {
    // something failed - inspect $e
}
// bind successful
$acctname = $ldap->getCanonicalAccountName('user', Zend_Ldap::ACCTNAME_FORM_DN);
