Authenticate against ldap using PHP, active directory, while using IE/Firefox


Problem description

This code below checks for the user's credentials against ldap

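<?php
$ldaphost = "ldap.domain.com";
$ldapport = 389; // plain LDAP: the simple bind below sends the password unencrypted

// With OpenLDAP 2.x client libraries ldap_connect() only initializes the
// connection parameters; the server is first contacted by ldap_bind().
$ds = ldap_connect($ldaphost, $ldapport)
    or die("Could not connect to $ldaphost");

if ($ds)
{
    $username = "johndoe@domain.com";
    $upasswd = "pass";

    // A simple bind with an empty password is treated as an anonymous bind
    // and can succeed, so never pass an empty user-supplied password here.
    $ldapbind = ldap_bind($ds, $username, $upasswd);

    if ($ldapbind)
        {print "Congratulations! $username is authenticated.";}
    else
        {print "Access Denied!";}
}
?>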

My users use Firefox and IE, and I know that can pass their ActiveDirectory credentials seamlessly.

I just want to check the AD group to see if that username is found in there, if so, display the page, otherwise prompt to enter in credentials.

Since our users are already logged into the domain controller, I want to grab their username, check to see if it was found in the specific group, then let them in, otherwise prompt user to input credentials. How is this possible?

Recommended answer

You actually do not need to communicate with the Active Directory server from your PHP code to achieve what you want given the fact that you use IIS as your web server.

The key word here is Integrated Windows Authentication - that's the wording djn looked for (http://stackoverflow.com/questions/1527735/authenticate-against-ldap-using-php-active-directory-while-using-ie-firefox/1528426#1528426). If this option is turned on (and anonymous access is denied) IIS will check the supplied credentials against the Active Directory and the NTFS filesystem privileges of the requested resources. You can therefore control access to your files using simple NTFS access control mechanisms.

If your users use IE they don't even have to type in their credentials as this is done automatically via so-called SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) and its underlying mechanisms Kerberos or NTLMSSP depending on what your client and server are capable of processing.

As far as I know Firefox is able to hand over the Windows logon credentials to your server automatically too. You only have to adjust a configuration option to turn on that feature - don't know if this information is still valid with Firefox 3.5.x.

If you're running Apache on a *nix-system you'll have to resort to some server-side-module to handle an Integrated Windows Authentication-like system. Possible options are (don't know whether they are actually still maintained or stable):

For Apache on Windows there are:

  • mod_ntlm (outdated; not the same as mod_ntlm above)
  • mod_auth_sspi (successor of mod_ntlm)

Please be aware that most of these modules seem to be very old.
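
The group check the question asks for, layered on top of the Integrated Windows Authentication setup described in the answer, as an added example that is not part of the original question or answer. The LDAPS URI, base DN, group DN and the LDAP_BIND_DN / LDAP_BIND_PW environment variables (a read-only service account) are assumptions; the OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, which also resolves nested group membership.

```php
<?php
// Added example. Hostname, base DN, group DN and service account are placeholders.
const LDAP_URI = 'ldaps://ldap.domain.com';                     // LDAPS instead of cleartext 389
const BASE_DN  = 'DC=domain,DC=com';                            // assumed
const GROUP_DN = 'CN=WebApp Users,OU=Groups,DC=domain,DC=com';  // assumed
const IN_CHAIN = '1.2.840.113556.1.4.1941';                     // LDAP_MATCHING_RULE_IN_CHAIN

/** Reduce "DOMAIN\user" or "user@domain.com" to the sAMAccountName; null if unusable. */
function samAccountName(?string $remoteUser): ?string
{
    $user = (string) $remoteUser;
    if (($pos = strrpos($user, '\\')) !== false) {
        $user = substr($user, $pos + 1);
    } elseif (($pos = strpos($user, '@')) !== false) {
        $user = substr($user, 0, $pos);
    }
    return $user !== '' ? $user : null;
}

/** Build the search filter; both values are escaped so they cannot alter it. */
function groupFilter(string $sam, string $groupDn): string
{
    return sprintf('(&(objectCategory=person)(sAMAccountName=%s)(memberOf:%s:=%s))',
        ldap_escape($sam, '', LDAP_ESCAPE_FILTER), IN_CHAIN,
        ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER));
}

function isInGroup(string $sam, string $bindDn, string $bindPw): bool
{
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false || $bindPw === '') { // empty password would be an anonymous bind
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        return false;
    }
    $res = @ldap_search($ds, BASE_DN, groupFilter($sam, GROUP_DN), ['dn']);
    return $res !== false && ldap_count_entries($ds, $res) === 1;
}

// The web server fills AUTH_USER / REMOTE_USER only after it authenticated the request.
$sam = samAccountName($_SERVER['AUTH_USER'] ?? $_SERVER['REMOTE_USER'] ?? null);
if ($sam === null || !isInGroup($sam, getenv('LDAP_BIND_DN') ?: '', getenv('LDAP_BIND_PW') ?: '')) {
    http_response_code(403);
    exit('Access Denied!');
}
echo 'Welcome, ' . htmlspecialchars($sam, ENT_QUOTES, 'UTF-8');
```

The script trusts the server-provided user name only because anonymous access is disabled for the resource; if anonymous access stays enabled, AUTH_USER is empty and the request is rejected.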
