如何使用Windows中的PHP中的GSS-API机法将LDAP SASL绑定到Active Directory? [英] How to perform a LDAP SASL bind to Active Directory using GSS-API mech in PHP from Windows?

问题描述

我有一个Active Directory服务器和一个Windows WAMP服务器，该服务器托管需要使用Kerberos验证到Active Directory的PHP Web应用程序.

I have an Active Directory server and a Windows WAMP server hosting PHP web applications that need to be able to authenticate to Active Directory using Kerberos.

我能够使用一些示例PHP代码轻松地连接并绑定到Active Directory主机，但是我不确定如何使用Kerberos.我看到许多论坛和博客详细介绍了如何在* NIX机器上执行此操作，但这对我的情况没有帮助.

I was able to easily connect and bind to the Active Directory host using some sample PHP code, but I'm not sure how to do so with Kerberos. I have see many forums and blogs detailing how to do this on *NIX machines, but that doesn't help me with my situation.

我确实使用Wireshark和 Fiddler 来确认没有进行Kerberos或NTLM协商.

I did use Wireshark and Fiddler to confirm that there is no Kerberos or NTLM negotiating happening.

我用来连接并绑定到LDAP的示例代码:

Sample code I used to connect and bind to LDAP:

<?php   
   $ldaphost = "example.domain.com";
   $ldapport = 389;
   $ldapuser = "user";
   $ldappass = "password";

    $ldapconn = ldap_connect( $ldaphost, $ldapport )
    or die( "Unable to connect to the LDAP server {$ldaphost}" );

    if ($ldapconn)
    {
        $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass);

        if ($ldapbind)
        {
            echo "LDAP connection successful";
        }
        else
        {
            echo "LDAP connction failed";
        }
    }
?>

任何帮助将不胜感激，谢谢！

Any help will be greatly appreciated, thanks!

更新:我整天都在努力，我认为我需要使用ldap_sasl_bind()，可能使用GSSAPI作为机制...无论我将什么参数放入ldap_sasl_bind ()，出现以下错误:无法绑定到服务器:未知的身份验证方法"

Update: I've been wrestling with this all day and I think I need to use ldap_sasl_bind(), possibly using GSSAPI as the mechanism... No matter what parameters I put in to ldap_sasl_bind(), I get the following error: 'Unable to bind to server: Unknown authentication method'

我不确定如何实现GSSAPI，但是我看到的一些示例显示了使用ldap_start_tls()的情况，但是我不断收到无法启动TLS:服务器不可用"错误.

I'm not sure how to implement GSSAPI, but some examples I've seen show using ldap_start_tls(), but I keep getting a 'Unable to start TLS: Server is unavailable' error.

我不知道是否有人对ldap_sasl_bind()(PHP未记录)或ldap_start_tls有任何了解，但是如果这是我应该采取的方法，请指出正确的方向.

I don't know if anyone knows anything about ldap_sasl_bind() (which is undocumented by PHP) or ldap_start_tls, but if this is the way I should be going, please point me in the right direction.

推荐答案

您需要执行的操作:确保PHP中的LDAP接口是针对SASL编译的，支持GSS-API机制，并且使用密钥表或Windows自己的SSPI接口.祝你好运.

What you need to do: Make sure that the LDAP interface in PHP is compiled against SASL, supports GSS-API mech and either uses keytabs or the Windows-own SSPI interface. Good luck.

这篇关于如何使用Windows中的PHP中的GSS-API机法将LDAP SASL绑定到Active Directory?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！