单点登录 (SSO) 如何使用 PHP + Apache 针对 Active Directory 进行透明身份验证? [英] How does single sign-on (SSO) work with PHP + Apache against an Active Directory for transparent authentication?
问题描述
我需要更多地了解针对 Active Directory 的 Web 应用程序上的 SSO.
I need to get more understanding about SSO on a web app against Active Directory.
对于简单地要求用户登录以在 AD 上进行身份验证,我知道我可以使用一些库,例如 Zend_Ldap、adLdap 等.但是在这种情况下,用户仍然需要输入两次登录信息.例如:从 php 对 Active Directory/ISA 进行身份验证
For simply ask the user the login to authenticate on AD, I know that I can use some libraries like Zend_Ldap, adLdap and so on. But in this case, the user still need to type the login twice.
For example: Authenticate against Active Directory/ISA from php
Afaik,要使用 SSO 进行透明登录,我需要实现一个额外的 apache 模块.例如:如何实现单点登录-on (SSO) 将 Microsoft AD 用于内部 PHP 应用程序?
Afaik, to use SSO for transparent login, I need to implement an extra apache module.
For example:
How can I implement single sign-on (SSO) using Microsoft AD for an internal PHP app?
使用 PHP 验证 ldap,活动目录,同时使用 IE/Firefox
首先我需要知道我需要使用哪个 apache 模块以及为什么.在这篇文章中例如有三个:mod_ntlm、mod_auth_kerb 和 Apache2:AuthenNTLM.而那些是 Apache2:AuthenNTLM
First I need to know which apache module I need to use and why.
In this article for example there are three: mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM.
And the thosed one was Apache2:AuthenNTLM
在 问题 接受的答案是 mod_auth_sspi.
In the question described above the accepted answer was for mod_auth_sspi.
在谈论 Active Directory 时 我得到了这个答案,它将活动目录描述为 ldap + kerberos + "其他一些杂项和件".
When talking about Active Directory I've got this answer, which describes active directory as an implementation of ldap + kerberos + "a few other miscellaneous bits and pieces".
我对所有这些名字都感到很困惑,因为我用过它.有人可以向我澄清一下吗?(ldap、kerberos、ntlm、sspi 等)
I'm very confused about all these names, since I've nerver worked with it.
Can someone clarify it to me? (ldap, kerberos, ntlm, sspi etc)
最后,谁能告诉我应用程序如何识别经过身份验证的用户(来自 AD).是否只是通过像 $_SERVER['REMOTE_USER'] 这样的想法传递的用户名?有密码发送吗?浏览器如何发送这些额外的标头?每个工作站有没有需要做的本地配置?
Finally, can someone point me to how the app recognize the authenticated user (from AD). Is it just by the username passed with somethink like $_SERVER['REMOTE_USER']? Any password is sent? How does the browser send this extra headers? Is there any local configuration that need to be done in each workstation?
推荐答案
身份验证是一团混乱.这是一些背景.
Authentication is a confusing mess. Here is some background.
LDAP:LDAP 是一种用于传达用户目录信息的协议.它还可以处理身份验证,但不是无缝的 (SSO).
LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).
NTLM:NTLM 是 Microsoft 内置于 IE、ActiveDirectory 和 IIS 中的 SSO.NTLM 的原始版本非常不安全,因此实施了 NTLMv2 以修复 NTLM 中的安全问题.默认情况下,原始 NTLM 在 Windows Vista 及更高版本中处于禁用状态.
NTLM: NTLM is Microsoft's SSO built into IE, ActiveDirectory and IIS. The original version of NTLM is very insecure so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.
Kerberos:Kerberos 是一种非常安全的开放标准,旨在提供无缝 (SSO) 身份验证.ActiveDirectory 支持某个版本的 Kerberos.
Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) Authentication. ActiveDirectory supports a version of Kerberos.
至于可用于实现这些协议的 Apache 模块,您提供了一个很好的列表.
As far as the Apache modules that can be used to implement these protocols, you included a pretty good list of them.
mod_ntlm:这是一个在 Linux 上运行并支持原始 NTLM(不是 NTLMv2)的 Apache 模块.
mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).
mod_auth_kerb:这是一个实现 Kerberos 的 Apache 模块.
mod_auth_kerb: This is an Apache module that implements Kerberos.
mod_auth_sspi:这是一个适用于 Windows 的 Apache 模块,支持原始 NTLM(不是 NTLMv2).
mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).
Apache2:AuthenNTLM:这是一个处理 NTLM 的 Perl 模块.不知道是否支持NTLM和NTLMv2.
Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.
mod_auth_ntlm_winbind:这是一个与 Samba 身份验证接口的 Apache 模块.
mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.
这篇关于单点登录 (SSO) 如何使用 PHP + Apache 针对 Active Directory 进行透明身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
