I can't get phpBB to authenticate against our Active Directory

Time: 2023-02-04 22:23:48

I am pretty sure that the settings I am using are correct, so what are all the possible things that could be wrong, which I should check, so that I can make authentication against our Active Directory work?

4 answers

#1 (score: 1)

Try testing whether PHP can connect to Active Directory:

<?php
// Connect to a domain controller over plain LDAP (use an ldaps:// URI for TLS).
$ds = ldap_connect('host.ad.lan', 389);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD returns referrals; chasing them breaks searches
// Bind with the account's UPN and stop here if the credentials are rejected.
if (!ldap_bind($ds, 'admin@ad.lan', 'xxx')) {
    die('Bind failed: ' . ldap_error($ds));
}
// Read back one known entry to prove the search base and permissions work.
$sr = ldap_search($ds, 'CN=Cameron Zemek,OU=Users,OU=BRC,DC=ad,DC=lan', '(objectclass=*)', array('cn'));
$entryID = ldap_first_entry($ds, $sr);
$data = ldap_get_attributes($ds, $entryID);
print_r($data);
ldap_close($ds);

What do you have as your $config['ldap_user'] and $config['ldap_uid']? You want to set $config['ldap_uid'] to sAMAccountName.

#2 (score: 1)

There is a trick to do Active Directory auth with phpbb3. You should:

  • make an account in phpBB with a name identical to some AD name
  • give this account admin/founder rights in phpBB
  • log in with this account
  • set up auth parameters from within this account

By the way, what error messages do you get from phpBB?

顺便说一句,你从phpBB得到什么错误消息?

#3 (score: 0)

@grom... thanks, but yes, PHP is working just fine. I have a WordPress and a MediaWiki installation on the same server, and they are both authenticating against the same Active Directory just fine.

#4 (score: 0)

phpBB3 does not offer much info about how to enable LDAPS, so I hope this helps someone...

phpBB3没有提供有关如何启用LDAPS的更多信息,所以我希望这可以帮助某人......

Note that you may need to actually clear all phpBB3 cookies immediately after the base installation. This will allow the admin user to see the ACP. Once you are able to consistently log into phpBB3 as an admin, and want to enable LDAPS authentication, do the following (tested with AD and Debian stretch):

请注意,您可能需要在基本安装后立即清除所有phpBB3 cookie。这将允许管理员用户查看ACP。一旦您能够以管理员身份一直登录phpBB3并想要启用LDAPS身份验证,请执行以下操作(使用AD和Debian测试拉伸):

  • Obtain the root TLS certificate from your AD/LDAP Administrator, or get it yourself with something like:

    # openssl s_client -showcerts -connect google.com:443

See the MediaWiki documentation, as phpBB3 docs are quite sparse: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements

请参阅MediaWiki文档,因为phpBB3文档非常稀疏:https://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements

  • Install the PEM-formatted certificate with a .crt name into your OS certificate store. For Debian-based systems, that would be /usr/local/share/ca-certificates; then run # dpkg-reconfigure ca-certificates

  • Configure /etc/ldap/ldap.conf to your local settings. Note that port 3268 may not have in-built limits like 686 with AD. YMMV.

    将/etc/ldap/ldap.conf配置为本地设置。请注意,端口3268可能没有内置限制,如带有AD的686。因人而异。

  • Create a special AD user for binding. Give it permissions to look up, but not to change, attributes. Confirm that the credentials work with ldapsearch, e.g.: ldapsearch -x -LLL -h ad.mydomain.com -D binduser -W -z 30 -b "dc=mydomain,dc=com" searchString

  • Create a phpBB3 user with the same username as the above AD bind user. As the phpBB3 admin, grant the AD bind user Founder permissions.

    使用与上述AD绑定用户相同的用户名创建phpBB3用户。作为phpBB3管理员,授予AD绑定用户方正权限。

  • Using a different browser, log into phpBB3 as the binduser, then set up the LDAP Authentication as that user. (As noted in the above post).

    使用不同的浏览器,以binduser身份登录phpBB3,然后以该用户身份设置LDAP身份验证。 (如上文所述)。

  • Test it! Log out of phpBB3 and then log in again using the LDAP/AD credentials.

If that does not work, the PHP dev documentation is quite good, and offers many comments with examples and example code to try.
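
Steps 1 to 4 of the LDAPS procedure above, automated for a Debian-based host as an added example that is not part of the original answers. The domain controller name, the bind account UPN and the base DN are assumptions to replace with your own; the certificate-extraction function reads the openssl s_client -showcerts output on stdin and keeps only the last (CA) block, so the trust store never ends up holding the leaf certificate.

```shell
#!/bin/sh
# Added example, not from the original answers: automates steps 1-4 of the
# LDAPS procedure on a Debian-based host. AD_HOST, the bind account and the
# base DN are assumptions; substitute your own values.
set -eu

AD_HOST="${AD_HOST:-ad.mydomain.com}"      # assumed domain controller
LDAPS_PORT="${LDAPS_PORT:-636}"
CA_FILE="/usr/local/share/ca-certificates/ad-root-ca.crt"

# Keep only the LAST certificate in `openssl s_client -showcerts` output (read
# from stdin). Servers send the chain leaf-first, so the last PEM block is the
# issuing/root CA, which is what the OS trust store should contain.
extract_last_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { cert = ""; in_cert = 1 }
        in_cert                       { cert = cert $0 "\n" }
        /-----END CERTIFICATE-----/   { in_cert = 0; last = cert }
        END                           { printf "%s", last }
    '
}

# Steps 1-3: fetch the chain from the DC's LDAPS port, install the CA with a
# .crt name, rebuild the system bundle and make the LDAP client verify it.
install_ca() {
    openssl s_client -showcerts -connect "$AD_HOST:$LDAPS_PORT" </dev/null 2>/dev/null \
        | extract_last_cert > "$CA_FILE"
    # Fail early if what was captured is not a parsable certificate.
    openssl x509 -noout -subject -in "$CA_FILE"
    update-ca-certificates                 # what dpkg-reconfigure ca-certificates runs
    if ! grep -q '^TLS_CACERT' /etc/ldap/ldap.conf; then
        printf 'TLS_CACERT /etc/ssl/certs/ca-certificates.crt\nTLS_REQCERT demand\n' \
            >> /etc/ldap/ldap.conf
    fi
}

# Step 4: confirm the read-only bind account works over LDAPS (-H ldaps://
# instead of the answer's plain -h, so the TLS setup above is exercised).
test_bind() {
    ldapsearch -x -LLL -H "ldaps://$AD_HOST" -D "binduser@mydomain.com" -W -z 30 \
        -b "dc=mydomain,dc=com" "(sAMAccountName=binduser)" dn
}

# Run as root: sh ldaps-setup.sh run
if [ "${1:-}" = "run" ]; then
    install_ca
    test_bind
fi
```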

如果这不起作用,PHP开发文档非常好,并提供许多注释,包含示例和示例代码。
