Authenticating users with LDAP in PHP

Posted: 2022-10-28 21:53:54

My project is to make a module enrollment system for our university. So I contacted the IT people in my university for details to authenticate the students into the system. We are developing the system using the existing university login. They gave me some LDAP information, I don't know the usage of that. I'm using PHP, MySQL on an Apache server. How can I authenticate a user logging into my system, given his userid and password, with the LDAP information?

Given below is the LDAP information (I have changed the domain name etc.):

LDAP information for blueroom.ac.uk domain


LDAP Host : ad.blueroom.ac.uk

LDAP port no: 389

BASE DN : ou=bluebird, dc=bluebird, dc=ac, dc=my

LDAP account to bind : cn = kikdap, ou=servacc, dc=bluebird,dc=ac,dc=uk

LDAP account password : ********

Attribute : sAMAccountName 

4 answers

#1


52  

The general procedure would be (relevant ext/ldap PHP commands in brackets):

  1. connect to the LDAP server using the "LDAP Host" and "LDAP port no" (ldap_connect()) and set the correct connection options (ldap_set_option()), especially LDAP_OPT_PROTOCOL_VERSION and LDAP_OPT_REFERRALS

  2. bind to the LDAP server using the "LDAP account to bind" and "LDAP account password" (ldap_bind()) - if you're authenticating against an Active Directory server you can directly use the username and password from the login page and skip all the following steps.

  3. search the tree for a matching user entry/object by specifying the "BASE DN" and the appropriate LDAP filter - most likely something like (&(objectClass=user)(sAMAccountName=%s)) where %s should be replaced by the username to be authenticated (ldap_search())

  4. check if the number of returned entries is 1 (if <> 1 then something has gone wrong, e.g. no user found or multiple users found)

  5. retrieve the distinguished name (DN) of this single entry (ldap_get_dn())

  6. use the DN found in the last step to try to bind to the LDAP server with the password given at the authentication page (ldap_bind())

  7. if the bind succeeds then everything is OK, if not, most likely the password is wrong

It's really not as hard as it sounds at first. Generally I'd propose to use some sort of standard library for authenticating against an LDAP server such as the Net_LDAP2 PEAR package or Zend_Ldap out of the Zend Framework. I have no experience with actually using Net_LDAP2 (although I know the code quite well) but Zend_Ldap works very well against Active Directory servers or ADAMS servers (which is obviously what you're working with).

This will do the trick using Zend_Ldap:

$options = array(
    'host'                 => 'ad.blueroom.ac.uk',
    'useStartTls'          => true,   // upgrade the plaintext port-389 connection to TLS before binding
    'accountDomainName'    => 'blueroom.ac.uk',
    'accountCanonicalForm' => 4,      // Zend_Ldap::ACCTNAME_FORM_PRINCIPAL: binds as user@blueroom.ac.uk
    'baseDn'               => 'ou=bluebird,dc=bluebird,dc=ac,dc=my',
);
$ldap = new Zend_Ldap($options);
try {
    $ldap->bind('user', 'password');
} catch (Zend_Ldap_Exception $e) {
    // something failed - inspect $e, then stop here so the code below
    // only ever runs after a successful bind
    exit('Authentication failed');
}
// bind successful
$acctname = $ldap->getCanonicalAccountName('user', Zend_Ldap::ACCTNAME_FORM_DN);
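The seven steps of this answer carried out with PHP's ext/ldap functions, as an added example that is not the answer's own code. It uses the host, port, base DN, service-account DN and attribute quoted in the question; the service-account password is read from an assumed LDAP_SERVICE_PASSWORD environment variable, and the ldapAuthenticate() function and the $_POST field names are my own. It also adds two checks the steps do not spell out: the username is escaped with ldap_escape() before it goes into the search filter, and an empty password is rejected before any bind, because directories such as Active Directory treat a DN with an empty password as an unauthenticated bind and report success.

```php
<?php
// Added example (not the answerer's code): the search-then-bind procedure
// from the answer above, using PHP's ext/ldap. Host, base DN, service DN and
// attribute are the values quoted in the question; the service password comes
// from an assumed environment variable; user credentials arrive from the form.

function ldapAuthenticate(string $username, string $password): ?string
{
    // An empty password must never reach ldap_bind(): most directories
    // (Active Directory included) treat "DN + empty password" as an
    // unauthenticated bind and return success, which would log anyone in.
    if ($username === '' || $password === '') {
        return null;
    }

    // Step 1: connect and set the options the answer names.
    $ldap = ldap_connect('ldap://ad.blueroom.ac.uk:389');
    if ($ldap === false) {
        return null;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);
    // Port 389 is plaintext; upgrade with StartTLS so neither password
    // below crosses the network in the clear. Refuse to continue otherwise.
    if (!@ldap_start_tls($ldap)) {
        ldap_unbind($ldap);
        return null;
    }

    // Step 2: bind with the service account so we are allowed to search.
    $serviceDn = 'cn=kikdap,ou=servacc,dc=bluebird,dc=ac,dc=uk';
    $servicePw = getenv('LDAP_SERVICE_PASSWORD') ?: '';   // assumed variable
    if ($servicePw === '' || !@ldap_bind($ldap, $serviceDn, $servicePw)) {
        ldap_unbind($ldap);
        return null;
    }

    // Step 3: search for exactly this user. ldap_escape() stops a username
    // such as "*" or "x)(objectClass=*" from rewriting the filter.
    $baseDn = 'ou=bluebird,dc=bluebird,dc=ac,dc=my';
    $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result = @ldap_search($ldap, $baseDn, $filter, ['sAMAccountName']);
    if ($result === false) {
        ldap_unbind($ldap);
        return null;
    }

    // Step 4: exactly one entry, otherwise refuse (none found or ambiguous).
    if (ldap_count_entries($ldap, $result) !== 1) {
        ldap_free_result($result);
        ldap_unbind($ldap);
        return null;
    }

    // Step 5: the distinguished name of that single entry.
    $entry  = ldap_first_entry($ldap, $result);
    $userDn = ldap_get_dn($ldap, $entry);
    ldap_free_result($result);

    // Steps 6 and 7: bind as the user; success means the password is right.
    // Result code 49 (invalidCredentials) is the expected failure for a wrong
    // password; anything else points at a server or configuration fault.
    $ok = @ldap_bind($ldap, $userDn, $password);
    if (!$ok && ldap_errno($ldap) !== 49) {
        error_log('LDAP user bind error: ' . ldap_error($ldap));
    }
    ldap_unbind($ldap);

    return $ok ? $userDn : null;
}

// Usage from a login form (field names assumed for the example):
$dn = ldapAuthenticate($_POST['userid'] ?? '', $_POST['password'] ?? '');
if ($dn === null) {
    http_response_code(401);
    exit('Login failed');
}
echo 'Authenticated as ', htmlspecialchars($dn);
```

The function returns the user's DN rather than a bare boolean so the enrollment system can store or look up the account it actually authenticated, and it treats every failure the same way from the user's point of view while logging only the unexpected ones server-side.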

#2


4  

You might try http://code.activestate.com/recipes/101525/ while referring to http://us3.php.net/ldap and other results from a Google search for [php ldap authentication].

#3


2  

You could use http://pear.php.net/package/Net_LDAP2/docs; it's nice and works.

Example of a connection, taken from the docs:

// Inclusion of the Net_LDAP2 package:
require_once 'Net/LDAP2.php';

// The configuration array:
$config = array (
    'binddn'    => 'cn=admin,ou=users,dc=example,dc=org',
    'bindpw'    => 'password',
    'basedn'    => 'dc=example,dc=org',
    'host'      => 'ldap.example.org'
);

// Connecting using the configuration:
$ldap = Net_LDAP2::connect($config);

// Testing for connection error
if (PEAR::isError($ldap)) {
    die('Could not connect to LDAP-server: '.$ldap->getMessage());
}

#4


1  

@Stephen provided good points. Here is my plain PHP code to authenticate using AD:

  1. first you need to know these parameters: server host, user domain (you also need the base DN if you want to query AD).

  2. use the following code:

    $ldap = ldap_connect($host); // e.g. 165.5.54.6 or an URL
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // Recommended for AD
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // Never bind with an empty password: AD treats it as an unauthenticated bind and reports success.
    $bind = ($password !== '') && ldap_bind($ldap, $username.'@'.$userDomain, $password);

    if($bind){
    // successful authentication.
    }
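The direct Active Directory bind from this answer shown as a weak form beside a hardened one, added here and not the answerer's code. The weak form is the one-line bind as written: against Active Directory, ldap_bind() with an empty password does not fail, it performs an unauthenticated bind and returns true, so a login form that passes the password field through unchecked accepts any known username with a blank password. The hardened adAuthenticate() function (my name) rejects that case, restricts the username to characters that cannot alter the user@domain principal, upgrades the connection with StartTLS, and distinguishes a wrong password (LDAP result code 49, invalidCredentials) from a server fault. The host and domain are the question's values; the login-form field names are assumed.

```php
<?php
// Added example, not the answerer's code: weak and hardened versions of the
// direct user@domain bind against Active Directory.

// Weak form, equivalent to the answer's one-liner. With $password === ''
// the server performs an unauthenticated bind and this returns true.
function adAuthenticateUnsafe($ldap, string $userDomain, string $username, string $password): bool
{
    return @ldap_bind($ldap, $username . '@' . $userDomain, $password);
}

// Hardened form.
function adAuthenticate(string $host, string $userDomain, string $username, string $password): bool
{
    // 1. Refuse an empty password before any network traffic happens.
    // 2. Only allow a username shape that cannot inject a different
    //    principal (no '@', spaces or control characters).
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $ldap = ldap_connect('ldap://' . $host . ':389');
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // required for AD
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);        // avoid chasing referrals
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 5);  // do not hang the login page

    // Port 389 is plaintext: upgrade to TLS or abort, never send the
    // password in the clear.
    if (!@ldap_start_tls($ldap)) {
        error_log('LDAP StartTLS failed: ' . ldap_error($ldap));
        ldap_unbind($ldap);
        return false;
    }

    $ok = @ldap_bind($ldap, $username . '@' . $userDomain, $password);
    if (!$ok) {
        // 49 = invalidCredentials: wrong password, or a disabled/locked
        // account. Anything else is a directory or network problem and
        // should be logged, not reported to the user as a bad password.
        if (ldap_errno($ldap) !== 49) {
            error_log('LDAP bind error: ' . ldap_error($ldap));
        }
    }
    ldap_unbind($ldap);
    return $ok;
}

// Usage with the question's host and domain (form field names assumed):
$authenticated = adAuthenticate(
    'ad.blueroom.ac.uk',
    'blueroom.ac.uk',
    $_POST['userid'] ?? '',
    $_POST['password'] ?? ''
);
if (!$authenticated) {
    http_response_code(401);
    exit('Login failed');
}
```

The same empty-password rule applies to any bind-based login, whatever library wraps ldap_bind(): check the password length in your own code, because the directory will not do it for you.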
    
