通过活动目录使用LDAP对PHP进行身份验证

时间:2022-01-13 02:57:32

I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Anyone had done anything similar, with success?

我正在寻找一种方法,通过使用PHP(活动目录是提供者)的LDAP对用户进行身份验证。理想情况下,它应该能够在IIS 7上运行(adLDAP在Apache上运行)。有人做过类似的事情吗?

  • Edit: I'd prefer a library/class with code that's ready to go... It'd be silly to invent the wheel when someone has already done so.
  • 编辑:我更喜欢有代码的库/类。如果有人已经发明了*,那就太愚蠢了。

6 个解决方案

#1

148  

Importing a whole library seems inefficient when all you need is essentially two lines of code...

当您所需要的只是两行代码时,导入整个库看起来是低效的。

$ldap = ldap_connect("ldap.example.com");
if ($bind = ldap_bind($ldap, $_POST['username'], $_POST['password'])) {
  // log them in!
} else {
  // error message
}

#2

12  

You would think that simply authenticating a user in Active Directory would be a pretty simple process using LDAP in PHP without the need for a library. But there are a lot of things that can complicate it pretty fast:

您可能认为,简单地在Active Directory中对用户进行身份验证,将是一个非常简单的过程,在PHP中使用LDAP而不需要一个库。但是有很多事情会让它变得非常复杂:

  • You must validate input. An empty username/password would pass otherwise.
  • 你必须验证输入。否则将传递一个空的用户名/密码。
  • You should ensure the username/password is properly encoded when binding.
  • 您应该确保在绑定时正确编码用户名/密码。
  • You should be encrypting the connection using TLS.
  • 您应该使用TLS加密连接。
  • Using separate LDAP servers for redundancy in case one is down.
  • 使用独立的LDAP服务器进行冗余,以防其中一个服务器出现故障。
  • Getting an informative error message if authentication fails.
  • 如果身份验证失败,则获取信息错误消息。

It's actually easier in most cases to use a LDAP library supporting the above. I ultimately ended up rolling my own library which handles all the above points: LdapTools (Well, not just for authentication, it can do much more). It can be used like the following:

在大多数情况下,使用支持上述功能的LDAP库实际上更容易。最后,我开发了自己的库,它可以处理上述所有要点:LdapTools(好吧,它不仅可以用于身份验证,还可以做更多的事情)。它的用法如下:

use LdapTools\Configuration;
use LdapTools\DomainConfiguration;
use LdapTools\LdapManager;

$domain = (new DomainConfiguration('example.com'))
    ->setUsername('username') # A separate AD service account used by your app
    ->setPassword('password')
    ->setServers(['dc1', 'dc2', 'dc3'])
    ->setUseTls(true);
$config = new Configuration($domain);
$ldap = new LdapManager($config);

if (!$ldap->authenticate($username, $password, $message)) {
    echo "Error: $message";
} else {
    // Do something...
}

The authenticate call above will:

上述验证调用将:

  • Validate that neither the username or password is empty.
  • 验证用户名或密码是否为空。
  • Ensure the username/password is properly encoded (UTF-8 by default)
  • 确保用户名/密码正确编码(默认为UTF-8)
  • Try an alternate LDAP server in case one is down.
  • 尝试另一个LDAP服务器,以防其中一个出现故障。
  • Encrypt the authentication request using TLS.
  • 使用TLS加密身份验证请求。
  • Provide additional information if it failed (ie. locked/disabled account, etc)
  • 如果失败,提供额外的信息。锁定/禁用帐户等)

There are other libraries to do this too (Such as Adldap2). However, I felt compelled enough to provide some additional information as the most up-voted answer is actually a security risk to rely on with no input validation done and not using TLS.

还有其他库也可以这样做(比如Adldap2)。然而,我感到有必要提供一些额外的信息,因为大多数向上投票的答案实际上是在没有进行输入验证和不使用TLS的情况下所依赖的安全风险。

#3

11  

I do this simply by passing the user credentials to ldap_bind().

我只需将用户凭证传递给ldap_bind()。

http://php.net/manual/en/function.ldap-bind.php

http://php.net/manual/en/function.ldap-bind.php

If the account can bind to LDAP, it's valid; if it can't, it's not. If all you're doing is authentication (not account management), I don't see the need for a library.

如果帐户可以绑定到LDAP,那么它是有效的;如果不能,那就不是。如果您所做的只是身份验证(而不是帐户管理),那么我不认为需要使用库。

#4

8  

I like the Zend_Ldap Class, you can use only this class in your project, without the Zend Framework.

我喜欢Zend_Ldap类,您只能在项目中使用这个类,而不能使用Zend框架。

#5

6  

PHP has libraries: http://ca.php.net/ldap

PHP库:http://ca.php.net/ldap

PEAR also has a number of packages: http://pear.php.net/search.php?q=ldap&in=packages&x=0&y=0

PEAR还有一些包:http://pear.php.net/search.php?

I haven't used either, but I was going to at one point and they seemed like they should work.

我还没用过,但有一次我打算用,他们似乎应该用。

#6

5  

For those looking for a complete example check out http://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/.

想要了解完整的示例,请查看http://www.exchangecore.com/blog/how-use-ldap- activedirectoryauthentic-php/。

I have tested this connecting to both Windows Server 2003 and Windows Server 2008 R2 domain controllers from a Windows Server 2003 Web Server (IIS6) and from a windows server 2012 enterprise running IIS 8.

我已经从一个Windows Server 2003 Web服务器(IIS6)和一个运行IIS 8的Windows Server 2012 enterprise上测试了连接到Windows Server 2003和Windows Server 2008 R2域控制器。

#1

148  

Importing a whole library seems inefficient when all you need is essentially two lines of code...

当您所需要的只是两行代码时,导入整个库看起来是低效的。

$ldap = ldap_connect("ldap.example.com");
if ($bind = ldap_bind($ldap, $_POST['username'], $_POST['password'])) {
  // log them in!
} else {
  // error message
}

#2

12  

You would think that simply authenticating a user in Active Directory would be a pretty simple process using LDAP in PHP without the need for a library. But there are a lot of things that can complicate it pretty fast:

您可能认为,简单地在Active Directory中对用户进行身份验证,将是一个非常简单的过程,在PHP中使用LDAP而不需要一个库。但是有很多事情会让它变得非常复杂:

  • You must validate input. An empty username/password would pass otherwise.
  • 你必须验证输入。否则将传递一个空的用户名/密码。
  • You should ensure the username/password is properly encoded when binding.
  • 您应该确保在绑定时正确编码用户名/密码。
  • You should be encrypting the connection using TLS.
  • 您应该使用TLS加密连接。
  • Using separate LDAP servers for redundancy in case one is down.
  • 使用独立的LDAP服务器进行冗余,以防其中一个服务器出现故障。
  • Getting an informative error message if authentication fails.
  • 如果身份验证失败,则获取信息错误消息。

It's actually easier in most cases to use a LDAP library supporting the above. I ultimately ended up rolling my own library which handles all the above points: LdapTools (Well, not just for authentication, it can do much more). It can be used like the following:

在大多数情况下,使用支持上述功能的LDAP库实际上更容易。最后,我开发了自己的库,它可以处理上述所有要点:LdapTools(好吧,它不仅可以用于身份验证,还可以做更多的事情)。它的用法如下:

use LdapTools\Configuration;
use LdapTools\DomainConfiguration;
use LdapTools\LdapManager;

$domain = (new DomainConfiguration('example.com'))
    ->setUsername('username') # A separate AD service account used by your app
    ->setPassword('password')
    ->setServers(['dc1', 'dc2', 'dc3'])
    ->setUseTls(true);
$config = new Configuration($domain);
$ldap = new LdapManager($config);

if (!$ldap->authenticate($username, $password, $message)) {
    echo "Error: $message";
} else {
    // Do something...
}

The authenticate call above will:

上述验证调用将:

  • Validate that neither the username or password is empty.
  • 验证用户名或密码是否为空。
  • Ensure the username/password is properly encoded (UTF-8 by default)
  • 确保用户名/密码正确编码(默认为UTF-8)
  • Try an alternate LDAP server in case one is down.
  • 尝试另一个LDAP服务器,以防其中一个出现故障。
  • Encrypt the authentication request using TLS.
  • 使用TLS加密身份验证请求。
  • Provide additional information if it failed (ie. locked/disabled account, etc)
  • 如果失败,提供额外的信息。锁定/禁用帐户等)

There are other libraries to do this too (Such as Adldap2). However, I felt compelled enough to provide some additional information as the most up-voted answer is actually a security risk to rely on with no input validation done and not using TLS.

还有其他库也可以这样做(比如Adldap2)。然而,我感到有必要提供一些额外的信息,因为大多数向上投票的答案实际上是在没有进行输入验证和不使用TLS的情况下所依赖的安全风险。

#3

11  

I do this simply by passing the user credentials to ldap_bind().

我只需将用户凭证传递给ldap_bind()。

http://php.net/manual/en/function.ldap-bind.php

http://php.net/manual/en/function.ldap-bind.php

If the account can bind to LDAP, it's valid; if it can't, it's not. If all you're doing is authentication (not account management), I don't see the need for a library.

如果帐户可以绑定到LDAP,那么它是有效的;如果不能,那就不是。如果您所做的只是身份验证(而不是帐户管理),那么我不认为需要使用库。

#4

8  

I like the Zend_Ldap Class, you can use only this class in your project, without the Zend Framework.

我喜欢Zend_Ldap类,您只能在项目中使用这个类,而不能使用Zend框架。

#5

6  

PHP has libraries: http://ca.php.net/ldap

PHP库:http://ca.php.net/ldap

PEAR also has a number of packages: http://pear.php.net/search.php?q=ldap&in=packages&x=0&y=0

PEAR还有一些包:http://pear.php.net/search.php?

I haven't used either, but I was going to at one point and they seemed like they should work.

我还没用过,但有一次我打算用,他们似乎应该用。

#6

5  

For those looking for a complete example check out http://www.exchangecore.com/blog/how-use-ldap-active-directory-authentication-php/.

想要了解完整的示例,请查看http://www.exchangecore.com/blog/how-use-ldap- activedirectoryauthentic-php/。

I have tested this connecting to both Windows Server 2003 and Windows Server 2008 R2 domain controllers from a Windows Server 2003 Web Server (IIS6) and from a windows server 2012 enterprise running IIS 8.

我已经从一个Windows Server 2003 Web服务器(IIS6)和一个运行IIS 8的Windows Server 2012 enterprise上测试了连接到Windows Server 2003和Windows Server 2008 R2域控制器。

标签:

相关文章