使用 Active Directory 对 Intranet 站点上的用户进行身份验证 [英] Using active directory to authenticate users on intranet site
问题描述
我建立了一个内联网"站点,它有自己的登录系统(用户注册为新用户,并使用其上的用户名/密码登录该站点).但是,现在我想扩展它,并让 Intranet 站点使用现有的 ActiveDirectory 进行身份验证.这就是我正在寻找的,继续前进 -
I have an 'intranet' site that I have built, which has a login system of its own (users register as new users, and use the username/password thereon to login to the site). However, now I want to extend it, and have the intranet site use the existing ActiveDirectory for authentication. This is what I am looking for, going forward -
当用户访问此 Intranet 站点 (http://intranetsite/mySite) 时,将根据 Active Directory 验证用户的域凭据,如果用户的凭据与 AD 匹配,则该用户将介绍了内部网站的主页.
When a user access this intranet site (http://intranetsite/mySite), the user's domain credentials are validated against the active directory, and if the user's credentials match AD, the user is then presented the main page of the intranet site.
我是 AD 新手,不知道如何进行此配置.我的内网站点是围绕 PHP 构建的,并在应用服务器上使用 Apache;AD 位于不同的 IIS 服务器上.
I am new to AD, and do not know how to go about this configuration. My intranet site is built around PHP and uses Apache on the application server; the AD is on a different IIS server.
我需要什么信息,我应该把这些信息放在哪里(到我的网站?htaccess?其他地方?)以便我可以使用 AD 身份验证?仅配置"就足够了,还是我需要为此身份验证编写显式 PHP 代码?
What information do I need, and where do I put this information (into my site? htaccess? anywhere else?) so that I can use AD authentication? Is just 'configuration' enough, or do I need to write explicit PHP code for this authentication?
非常感谢任何指针.
推荐答案
如果您只寻找身份验证而不是其他任何东西,那么您可能只需要几行代码.
If you are looking only for authentication and nothing else, you may get away with only a few lines of code.
首先,确保您的 php 中ldap 已启用.
First, ensure you have ldap enabled in your php.
这里是纯 php 实现:
(请注意,这样做时,您应该确保您确实拥有来自用户的用户名和密码 - 对于 AD,匿名绑定几乎总是返回 true)
Here's pure php implementation:
(note that when doing it this way you should ensure that you DO HAVE a username and a password from a user - anonymous binding will almost always return true for AD)
$link = ldap_connect('domain.com'); // Your domain or domain server
if(! $link) {
// Could not connect to server - handle error appropriately
}
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3); // Recommended for AD
// Now try to authenticate with credentials provided by user
if (! ldap_bind($link, 'username@domain.com', 'SomeSecret')) {
// Invalid credentials! Handle error appropriately
}
// Bind was successful - continue
如果您希望使用 Active Directory 做更多有趣的事情,例如提取有关当前登录用户的一些信息,我强烈建议您使用框架来为您完成繁重的工作.如前所述,adLDAP 是一个不错的选择,如果您运行 PHP 5.4,我敢于推荐 AD-X 我积极开发的库(您可以通过 Composer 安装).
If you expect to do more fun stuff with Active Directory like pulling some information about currently logged in user I strongly recommend using a framework to do the heavy lifting for you. As already mentioned, adLDAP is a good one and if you run PHP 5.4 I dare recommending the AD-X library which I actively develop (you can install it via Composer).
借助 AD-X 库,您可以使用以下代码验证用户的凭据:
With the AD-X library, you can verify a user's credentials using this code:
try {
$link = new ADXCoreLink('domain.com'); // Establish connection to AD
$link->bind('username@domain.com', 'SomeSecret'); // Authenticate user
}
catch (ADXCoreServerUnreachableException $e) {
// Unable to connect to server, handle error
}
catch (ADXCoreInvalidCredentialsException $e) {
// Invalid credentials supplied
}
catch (Exception $e) {
// Something else happened, check the exception and handle appropriately
}
// Successfully authenticated if no exception has been thrown
随意选择最适合您的.但是,如果您希望做的不仅仅是身份验证,我强烈建议您使用一个库来处理 ldap 工作 - 当事情不像您期望的那样工作时,它会为您节省大量时间并可能会感到沮丧.
Feel free to choose which suits you best. However, if you expect to do more than authenticate I strongly suggest you use a library for the ldap work - it will save you a lot of time and possibly frustration when things do not work as you would expect them to.
此外,如果您不确定您可以/应该使用哪些信息来连接和进行身份验证,请随时查看我的 关于此主题的先前答案.
Also, if in doubt what information you can/should use to connect and to authenticate feel free to check my previous answer on this topic.
这篇关于使用 Active Directory 对 Intranet 站点上的用户进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
