How do I implement single sign-on (SSO) with Microsoft AD for an internal PHP application?

Posted: 2021-11-23 22:36:28

I'm vaguely aware that on a computer joined to a domain IE can be asked to send some extra headers that I could use to automatically sign on to an application. I've got apache running on a windows server with mod_php. I'd like to be able to avoid the user having to log in if necessary. I've found some links talking about Kerberos and Apache modules.

http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=last https://metacpan.org/pod/Apache2::AuthenNTLM

Since I'm running on Windows it's proven to be non-trivial to get Perl or Apache modules installed. But doesn't PHP already have access to HTTP headers?

I found this but it doesn't do any authentication, it just shows that PHP can read the NTLM headers. http://siphon9.net/loune/2007/10/simple-lightweight-ntlm-in-php/

I'd like to be able to have my users just point to the application and have them automatically authenticated. Has anyone had any experience with this or gotten it to work at all?

UPDATE Since originally posting this question, we've changed setups to nginx and php-fcgi still running on windows. Apache2 and php-cgi on windows is probably one of the slowest setups you could configure on windows. It's looking like Apache might still be needed (it works with php-fcgi) but I would prefer a nginx solution.

I also still don't understand (and would love to be educated) why HTTP server plugins are necessary and we can't have a PHP, web server agnostic solution.

5 solutions

#1


16  

All you need is the mod_auth_sspi Apache module.

Sample configuration:

AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain mydomain

# Set this if you want to allow access with clients that do not support NTLM, or via proxy from outside. Don't forget to require SSL in this case!
SSPIOfferBasic On

# Set this if you have only one domain and don't want the MYDOMAIN\ prefix on each user name
SSPIOmitDomain On

# AD user names are case-insensitive, so use this for normalization if your application's user names are case-sensitive
SSPIUsernameCase Lower
AuthName "Some text to prompt for domain credentials"
Require valid-user

And don't forget that you can also use Firefox for transparent SSO in a Windows domain: Simply go to about:config, search for network.automatic-ntlm-auth.trusted-uris, and enter the host name or FQDN of your internal application (like myserver or myserver.corp.domain.com). You can have more than one entry, it's a comma-separated list.

#2


1  

I'd be curious about a solution that uses OpenID as a backend (of sorts) for this... I wasn't seeing anything that would hook into ActiveDirectory directly when I googled (quickly). However, it could be pretty painless to implement over plain HTTP(S) (you'd be an OpenID provider that checked credentials against your local AD). In a best case scenario, you might be able to just add a couple classes to your app and be off and running -- no web server modules required. There is a lot of open source code out there for either side of this, so if nothing else, it's worth taking a look. If you exposed the backend to the users (i.e. gave them OpenID URLs), you'd have the added benefit of them being able to log in to more than just your internal sites using these credentials. (Example: Stack Overflow.)

As an aside, I'd be against making it so that Internet Explorer is required. I'm not sure if that is the goal from the way you wrote the question, but depending on your IT environment, I'd expect people who use Firefox or Safari (or Opera or ...) to be less than enthusiastic. (You're not developing against IE first, are you? That's been painful whenever I've done so.) This is not to say that you couldn't use this feature of IE, just that it shouldn't be the only option. The link you posted stated that NTLM worked with more than IE, but since I don't have any experience with it, it's hard to judge how well that would work.

#3


1  

I had a similar problem which I needed to solve for my organization.

I was looking into using adLDAP.

There is some documentation on the site for achieving seamless authentication with Active Directory too.
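The credential check against AD that answer #2 (an OpenID provider "checking credentials against your local AD") and answer #3 (adLDAP) both rely on, written out with PHP's bundled ldap extension as an added example. This is not code from either answer or from adLDAP, and the domain controller hostname, base DN and UPN suffix are assumptions. Two details carry the security weight: bind over LDAPS so the password does not cross the network in clear, and refuse an empty password, because AD treats a simple bind with an empty password as an anonymous bind that "succeeds" without checking anything.

```php
<?php
// Added example: verify AD credentials with an LDAP simple bind, then look the
// account up to get its group memberships. Hostnames and DNs are assumptions.
declare(strict_types=1);

const AD_URI     = 'ldaps://dc01.corp.example.com'; // assumed DC; LDAPS keeps the password off the wire
const AD_BASE_DN = 'DC=corp,DC=example,DC=com';     // assumed search base
const AD_DOMAIN  = 'corp.example.com';              // assumed UPN suffix

/**
 * Returns ['user' => sAMAccountName, 'groups' => [DN, ...]] on success, null otherwise.
 */
function adAuthenticate(string $username, string $password): ?array
{
    // Accept only a plain account name: no DN syntax, no filter syntax, no UPN suffix.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }
    // An empty password turns the bind into an anonymous bind, which AD accepts.
    // That would report "success" for any username, so reject it up front.
    if ($password === '') {
        return null;
    }

    $ldap = ldap_connect(AD_URI);
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD referral chasing causes spurious failures

    // The bind itself is the credential check. Bind as user@domain (UPN form).
    $upn = $username . '@' . AD_DOMAIN;
    if (!@ldap_bind($ldap, $upn, $password)) {
        ldap_unbind($ldap);
        return null;
    }

    // Escape the username so it cannot rewrite the search filter.
    $filter = sprintf(
        '(&(objectClass=user)(sAMAccountName=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $result  = ldap_search($ldap, AD_BASE_DN, $filter, ['sAMAccountName', 'memberOf']);
    $entries = $result ? ldap_get_entries($ldap, $result) : false;
    ldap_unbind($ldap);

    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    $entry  = $entries[0]; // ldap_get_entries lower-cases attribute names
    $groups = [];
    if (isset($entry['memberof'])) {
        for ($i = 0; $i < $entry['memberof']['count']; $i++) {
            $groups[] = $entry['memberof'][$i];
        }
    }
    return ['user' => $entry['samaccountname'][0], 'groups' => $groups];
}

// Usage: credentials arrive from your own login form (or your OpenID provider's).
$who = adAuthenticate($_POST['user'] ?? '', $_POST['pass'] ?? '');
if ($who === null) {
    http_response_code(401);
    exit('Authentication failed');
}
echo 'Authenticated as ', htmlspecialchars($who['user']), PHP_EOL;
```

On success, store `$who['user']` and, if you need them, the group DNs in the PHP session; never keep the password. Group DNs are what you would compare against when deciding which parts of the application a user may reach.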

#4


0  

One option for you is to use CAS (Central Authentication Service).

It has a PHP client library.

How-to link to MS Active Directory: http://www.ja-sig.org/wiki/display/CASUM/Active+Directory

You would require Apache Maven 2 though.

#5


0  

For IIS/PHP FCGI, you need to send out an unauthorized header:

function EnableAuthentication()
{
    // Send a 401 with a WWW-Authenticate challenge so the web server and browser
    // negotiate the Windows login; the result then shows up in $_SERVER["REMOTE_USER"].
    $realm = "yoursite";
    header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
    header("HTTP/1.1 401 Unauthorized");
    exit; // nothing else is served until the client comes back authenticated
}

You can then get at the username with:

$winuser = $_SERVER["REMOTE_USER"];

I then make sure the $winuser is in my database of allowed users.

Be SURE to test this under a non-privileged account. When I first installed this I tested it and it worked fine, but later when a standard non-server-admin user tried it this failed. Turns out some of the temporary directories need to have permissions changed for guest users. I can't recall the exact settings.
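Both answer #1 (mod_auth_sspi on Apache) and answer #5 (Windows authentication on IIS) leave the application with one fact, `$_SERVER['REMOTE_USER']`, and the remaining work is to interpret it safely. The following is an added example of that step, not code from either answer; `MYDOMAIN`, `corp.example.com`, the allow-list and the sample requests are constructed for illustration. It normalises the three shapes the name can arrive in (`DOMAIN\user`, `user@domain`, bare `user` when `SSPIOmitDomain On` is set), lower-cases it because AD names are case-insensitive (the same reason answer #1 sets `SSPIUsernameCase Lower`), and refuses identities from a domain other than the one you expect, so that a trusted foreign domain's "alice" is not mistaken for yours.

```php
<?php
// Added example: consume REMOTE_USER as set by mod_auth_sspi or IIS, and decide
// whether to trust it. Domains, users and sample requests are constructed.
declare(strict_types=1);

const EXPECTED_DOMAINS = ['MYDOMAIN', 'corp.example.com']; // assumed NetBIOS and DNS names of our domain
const ALLOWED_USERS    = ['alice', 'bob'];                 // stands in for "my database of allowed users"

/**
 * Split REMOTE_USER into ['domain' => ..., 'user' => ...]. Accepted shapes:
 *   MYDOMAIN\alice          (mod_auth_sspi default, IIS)
 *   alice@corp.example.com  (UPN)
 *   alice                   (SSPIOmitDomain On; our own domain is assumed)
 * Anything else (empty, embedded whitespace, two separators) yields null.
 */
function parseRemoteUser(string $raw): ?array
{
    if (preg_match('/^([^\\\\@\s]+)\\\\([^\\\\@\s]+)$/', $raw, $m)) {
        return ['domain' => $m[1], 'user' => $m[2]];
    }
    if (preg_match('/^([^\\\\@\s]+)@([^\\\\@\s]+)$/', $raw, $m)) {
        return ['domain' => $m[2], 'user' => $m[1]];
    }
    if (preg_match('/^[^\\\\@\s]+$/', $raw)) {
        return ['domain' => EXPECTED_DOMAINS[0], 'user' => $raw];
    }
    return null;
}

/**
 * Return the lower-cased account name if the request carries a server-verified
 * identity we accept, else null. Only REMOTE_USER and AUTH_TYPE are consulted:
 * the web server sets them after it completed the NTLM/Kerberos exchange. A
 * client-supplied header such as "Remote-User: admin" only ever appears as
 * $_SERVER['HTTP_REMOTE_USER'] and is ignored here on purpose.
 */
function currentUser(array $server): ?string
{
    // AUTH_TYPE is only present when the server authenticated the request
    // (e.g. "SSPI" on Apache, "Negotiate" or "NTLM" on IIS).
    if (($server['AUTH_TYPE'] ?? '') === '') {
        return null;
    }
    $parsed = parseRemoteUser($server['REMOTE_USER'] ?? '');
    if ($parsed === null) {
        return null;
    }
    // AD names are case-insensitive; normalise before comparing.
    $domain = strtolower($parsed['domain']);
    $user   = strtolower($parsed['user']);
    if (!in_array($domain, array_map('strtolower', EXPECTED_DOMAINS), true)) {
        return null; // same account name in another (trusted) domain is a different principal
    }
    if (!in_array($user, ALLOWED_USERS, true)) {
        return null;
    }
    return $user;
}

// Constructed sample requests standing in for real $_SERVER arrays.
$samples = [
    ['AUTH_TYPE' => 'SSPI', 'REMOTE_USER' => 'MYDOMAIN\\Alice'],        // accepted as alice
    ['AUTH_TYPE' => 'SSPI', 'REMOTE_USER' => 'alice@CORP.EXAMPLE.COM'], // accepted as alice
    ['AUTH_TYPE' => 'SSPI', 'REMOTE_USER' => 'OTHERDOM\\alice'],        // rejected: wrong domain
    ['AUTH_TYPE' => 'SSPI', 'REMOTE_USER' => 'mallory'],                // rejected: not on the allow-list
    ['HTTP_REMOTE_USER' => 'admin'],                                    // rejected: server never authenticated
];
foreach ($samples as $s) {
    $u = currentUser($s);
    printf("%-28s %s\n", $s['REMOTE_USER'] ?? '(none)', $u === null ? 'rejected' : "accepted as $u");
}
```

Put the `currentUser()` call in the one place that starts a session and treat a null result as "not logged in"; the rest of the application then works from the session and never re-reads `REMOTE_USER`. If you turn on `SSPIOfferBasic` as answer #1 describes, the same check still applies, since the module reports the Basic-authenticated user through the same variable.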
