How does single sign-on (SSO) work with PHP + Apache against an Active Directory for transparent authentication?


Question

I need to get more understanding about SSO on a web app against Active Directory.

For simply asking the user for the login to authenticate on AD, I know that I can use some libraries like Zend_Ldap, adLdap and so on. But in this case, the user still needs to type the login twice. For example: Authenticate against Active Directory/ISA from php (http://stackoverflow.com/questions/1711270/authenticate-against-active-directory-isa-from-php)

Afaik, to use SSO for transparent login, I need to implement an extra Apache module. For example: How do I use Microsoft AD and php single sign on web app? (http://stackoverflow.com/questions/1003751/how-do-i-use-microsoft-ad-and-php-single-sign-on-web-app)

Authenticate against LDAP using PHP, Active Directory, while using IE/Firefox (http://stackoverflow.com/questions/1527735/authenticate-against-ldap-using-php-active-directory-while-using-ie-firefox)

First I need to know which Apache module I need to use and why. In this article for example there are three: mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM. And the chosen one was Apache2:AuthenNTLM.

In the question described above the accepted answer was for mod_auth_sspi (http://stackoverflow.com/questions/1003751/how-do-i-use-microsoft-ad-and-php-single-sign-on-web-app/1570154#1570154).

When talking about Active Directory I've got this answer (http://serverfault.com/questions/204870/is-ldap-the-only-way-to-authenticate-an-web-application-against-active-directory/204873#204873), which describes Active Directory as an implementation of LDAP + Kerberos + "a few other miscellaneous bits and pieces".

I'm very confused about all these names, since I've never worked with them. Can someone clarify them for me? (LDAP, Kerberos, NTLM, SSPI etc.)

Finally, can someone point me to how the app recognizes the authenticated user (from AD)? Is it just by the username passed with something like $_SERVER['REMOTE_USER']? Is any password sent? How does the browser send these extra headers? Is there any local configuration that needs to be done on each workstation?

Recommended answer

Authentication is a confusing mess. Here is some background.

  • LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).

  • NTLM: NTLM is Microsoft's SSO built into IE, ActiveDirectory and IIS. The original version of NTLM is very insecure, so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.

  • Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) authentication. ActiveDirectory supports a version of Kerberos.

As far as the Apache modules that can be used to implement these protocols, you included a pretty good list of them.

  • mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).

  • mod_auth_kerb: This is an Apache module that implements Kerberos.

  • mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).

  • Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.

  • mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.
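The question's last paragraph asks how the PHP app actually learns who the user is once one of the modules listed in the answer has done its work. The following is an added example, not code from the question, the answer or any of those modules: it reads the REMOTE_USER value that the Apache authentication module exports after a successful Kerberos or NTLM exchange, accepts only the forms those modules produce (user@REALM from mod_auth_kerb, DOMAIN\user from the NTLM/SSPI modules), and rejects anything from a realm the application does not trust. The realm EXAMPLE.COM, the NetBIOS domain EXAMPLE and the sample $_SERVER arrays are constructed for the demonstration.

```php
<?php
// Added example (not code from the question, the answer, or any of the modules
// named above): how a PHP application picks up the identity that an Apache
// authentication module (mod_auth_kerb, mod_auth_sspi, mod_auth_ntlm_winbind,
// ...) has already verified and exported as REMOTE_USER. No password reaches
// PHP: the module finishes the Kerberos/NTLM exchange with the browser and only
// the resulting account name is passed through.
//
// Assumptions (hypothetical, not from the page): the trusted Kerberos realm is
// EXAMPLE.COM and the matching NetBIOS domain is EXAMPLE; the sample $_SERVER
// arrays at the bottom are constructed for the demo.

declare(strict_types=1);

/**
 * Derive a normalised identity from what the Apache auth module set.
 * Returns ['user' => ..., 'realm' => ...] on success, or null when the
 * request must not be treated as authenticated.
 */
function identityFromRemoteUser(array $server, array $allowedRealms): ?array
{
    // REMOTE_USER is filled in by Apache only after its auth module succeeded.
    // Never substitute a client-controlled header such as HTTP_REMOTE_USER or
    // HTTP_X_FORWARDED_USER here: anything starting with HTTP_ came from the
    // browser and proves nothing.
    $remote = (string) ($server['REMOTE_USER'] ?? '');
    if ($remote === '') {
        return null;
    }

    $hasAt = strpos($remote, '@') !== false;
    $hasBackslash = strpos($remote, '\\') !== false;

    if ($hasAt && !$hasBackslash && substr_count($remote, '@') === 1) {
        // Kerberos form (mod_auth_kerb): user@REALM
        [$user, $realm] = explode('@', $remote, 2);
    } elseif ($hasBackslash && !$hasAt && substr_count($remote, '\\') === 1) {
        // NTLM / SSPI form: DOMAIN\user
        [$realm, $user] = explode('\\', $remote, 2);
    } else {
        // Bare user name, or a mixed/odd shape: ambiguous, so refuse.
        return null;
    }

    if ($user === '' || $realm === '') {
        return null;
    }

    // Only accept accounts from the realm/domain this application trusts;
    // a principal from a foreign realm is rejected.
    $realm = strtoupper($realm);
    $allowed = array_map('strtoupper', $allowedRealms);
    if (!in_array($realm, $allowed, true)) {
        return null;
    }

    // AD account names are case-insensitive; lower-case for stable lookups.
    return ['user' => strtolower($user), 'realm' => $realm];
}

// Constructed samples of what Apache would hand to PHP for each module style.
$samples = [
    ['REMOTE_USER' => 'Alice@example.com'],   // Kerberos principal
    ['REMOTE_USER' => 'EXAMPLE\\bob'],        // NTLM / SSPI style
    ['REMOTE_USER' => 'mallory@OTHER.LOCAL'], // foreign realm: rejected
    ['REMOTE_USER' => 'carol'],               // no realm: rejected
    [],                                       // auth module did not run: rejected
];

foreach ($samples as $s) {
    $id = identityFromRemoteUser($s, ['EXAMPLE.COM', 'EXAMPLE']);
    printf("%-25s => %s\n", $s['REMOTE_USER'] ?? '(unset)',
        $id === null ? 'rejected' : $id['user'] . ' in ' . $id['realm']);
}
```

Two points this makes concrete for the rest of the question: no password is ever visible to the application, because the browser's Negotiate (Kerberos) or NTLM handshake is completed by the Apache module and only the verified name is exported; and REMOTE_USER is trustworthy only for locations the module actually protects, so a PHP deployment that runs behind FastCGI rather than mod_php should be checked to confirm the authenticated name is really forwarded (if it is not, the function above simply returns null). On the workstation side, browsers only attempt the transparent handshake for sites they consider trusted: IE does so for sites in its Local Intranet zone, and Firefox needs the site listed in its trusted-URI preference for Negotiate/NTLM, which is the per-machine configuration the question asks about.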
