如何使用Windows中的PHP中的GSS-API机法将LDAP SASL绑定到Active Directory? [英] How to perform a LDAP SASL bind to Active Directory using GSS-API mech in PHP from Windows?
问题描述
我有一个Active Directory服务器和一个Windows WAMP服务器,该服务器托管需要使用Kerberos验证到Active Directory的PHP Web应用程序.
I have an Active Directory server and a Windows WAMP server hosting PHP web applications that need to be able to authenticate to Active Directory using Kerberos.
我能够使用一些示例PHP代码轻松地连接并绑定到Active Directory主机,但是我不确定如何使用Kerberos.我看到许多论坛和博客详细介绍了如何在* NIX机器上执行此操作,但这对我的情况没有帮助.
I was able to easily connect and bind to the Active Directory host using some sample PHP code, but I'm not sure how to do so with Kerberos. I have see many forums and blogs detailing how to do this on *NIX machines, but that doesn't help me with my situation.
我确实使用Wireshark和 Fiddler 来确认没有进行Kerberos或NTLM协商.
I did use Wireshark and Fiddler to confirm that there is no Kerberos or NTLM negotiating happening.
我用来连接并绑定到LDAP的示例代码:
Sample code I used to connect and bind to LDAP:
<?php
$ldaphost = "example.domain.com";
$ldapport = 389;
$ldapuser = "user";
$ldappass = "password";
$ldapconn = ldap_connect( $ldaphost, $ldapport )
or die( "Unable to connect to the LDAP server {$ldaphost}" );
if ($ldapconn)
{
$ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass);
if ($ldapbind)
{
echo "LDAP connection successful";
}
else
{
echo "LDAP connction failed";
}
}
?>
任何帮助将不胜感激,谢谢!
Any help will be greatly appreciated, thanks!
更新:我整天都在努力,我认为我需要使用ldap_sasl_bind(),可能使用GSSAPI作为机制...无论我将什么参数放入ldap_sasl_bind (),出现以下错误:无法绑定到服务器:未知的身份验证方法"
Update: I've been wrestling with this all day and I think I need to use ldap_sasl_bind(), possibly using GSSAPI as the mechanism... No matter what parameters I put in to ldap_sasl_bind(), I get the following error: 'Unable to bind to server: Unknown authentication method'
我不确定如何实现GSSAPI,但是我看到的一些示例显示了使用ldap_start_tls()的情况,但是我不断收到无法启动TLS:服务器不可用"错误.
I'm not sure how to implement GSSAPI, but some examples I've seen show using ldap_start_tls(), but I keep getting a 'Unable to start TLS: Server is unavailable' error.
我不知道是否有人对ldap_sasl_bind()(PHP未记录)或ldap_start_tls有任何了解,但是如果这是我应该采取的方法,请指出正确的方向.
I don't know if anyone knows anything about ldap_sasl_bind() (which is undocumented by PHP) or ldap_start_tls, but if this is the way I should be going, please point me in the right direction.
推荐答案
您需要执行的操作:确保PHP中的LDAP接口是针对SASL编译的,支持GSS-API机制,并且使用密钥表或Windows自己的SSPI接口.祝你好运.
What you need to do: Make sure that the LDAP interface in PHP is compiled against SASL, supports GSS-API mech and either uses keytabs or the Windows-own SSPI interface. Good luck.
这篇关于如何使用Windows中的PHP中的GSS-API机法将LDAP SASL绑定到Active Directory?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!