
We are trying to implement a single sign-on solution that integrates AD with a PHP web application. When a user tries to access the intranet site, the following should happen:

  • The web application asks the server to read the AD credentials stored on the user's machine, which is already logged in to Windows/AD.
  • AD "passes the AD user name to Apache".
  • Using PHP, I read the credentials stored in $_SERVER['PHP_AUTH_USER'] - as far as I know.

All of this is only meant to work inside the intranet. Outside it, we just show a login form.

We are somewhat confused by the process. From other sources, we configured Apache with the following directives, but it ends up failing with an Internal Server Error message and nothing in the error log.

<Location "/">
    # Either every Option carries a +/- sign or none does; mixing the two forms is
    # a syntax error (500 from .htaccess, refused startup from httpd.conf)
    Options -Indexes +MultiViews +FollowSymLinks
    Order allow,deny
    Allow from all
    # Basic auth makes the browser prompt for a password; it is not transparent SSO
    AuthType Basic
    AuthName "VALIDAUTHNAME"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative   Off
    AuthLDAPURL "ldap://IP.FOR.THE.SERVER:389/DC=MYCOMPANY,DC=CL?sAMAccountName?sub?(objectClass=*)"
    # AD refuses anonymous searches: bind with a real service account DN and its password.
    # Placeholders; the DN must live under the same base as AuthLDAPURL (DC=CL, not DC=MYCOUNTRY)
    AuthLDAPBindDN "CN=apache-ldap,CN=Users,DC=MYCOMPANY,DC=CL"
    AuthLDAPBindPassword "CHANGEME"
    # gidNumber only exists in AD with the RFC2307/SFU schema; otherwise use
    # "Require ldap-group <group DN>" or "Require valid-user"
    Require ldap-attribute gidNumber=10000
</Location>

Is there a clear explanation of the process we have to implement? We have read a lot about the reverse process, passing credentials to AD, but not much about this case. Our sysadmins don't really have experience with this, so they haven't been much help.


1 Answer


A few months ago, I did exactly what you're trying to do with mod_auth_ntlm_winbind. The configuration of it isn't very difficult, but it helps to be familiar with winbind. Your sysadmins should be able to help with that if you aren't. winbind is a part of the samba package, so it's probably already installed on your server. Once you get winbind set up, you just need to enable the Apache module and do a little bit of configuration. The site for the module should be able to guide you through it. When I originally set this up, I tested it with IE8, Chrome, and an older version of Firefox (5 or 6 maybe) and they all natively support the NTLM authentication. If everything is configured and working correctly, the Apache module will automagically fill $_SERVER['PHP_AUTH_USER'] with the user name without needing any interaction with the user, and you can do whatever you want with it from there. There is a lot more documentation available now, and even with the lacking documentation before, I only had one major problem, for which a fix is now well documented.

answered 2013-01-31T21:57:29.023
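The setup the answer describes, combined with the question's requirement that SSO apply only inside the intranet, as an added example (this is not the answerer's configuration or anything from the module's own docs). It assumes Apache 2.2 (the question's Order/Allow syntax), a host already joined to the domain with winbindd running, directive names as listed in the mod_auth_ntlm_winbind README, and that the module path, the 10.0.0.0/8 range and the /sso path are placeholders to adjust:

```apache
# Apache 2.2 + mod_auth_ntlm_winbind: transparent AD logon for intranet clients only.
# Added example; paths, network range and the /sso location are assumptions.

LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so

# Only this one path is NTLM-protected. The PHP app sends intranet browsers here,
# reads $_SERVER['REMOTE_USER'], starts its own session and redirects back.
<Location "/sso">
    # Reject addresses outside the intranet before any challenge is sent, so
    # external users never see an NTLM prompt. Default "Satisfy All" means a
    # request must pass BOTH the address check and the authentication below.
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8

    AuthType NTLM
    AuthName "Intranet"
    NTLMAuth on
    # ntlm_auth ships with Samba and validates the NTLMSSP exchange against
    # winbindd. The Apache user needs read access to winbindd's privileged
    # pipe directory (typically by membership in the winbindd_priv group).
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    # No Basic fallback: with it a non-NTLM browser would send the user's AD
    # password in the clear over plain HTTP.
    NTLMBasicAuth off
    Require valid-user
</Location>

# Everything else stays anonymous; the application shows its login form there.
<Location "/">
    Order allow,deny
    Allow from all
</Location>
```

On the PHP side, read $_SERVER['REMOTE_USER'] on /sso (Apache sets it for every auth type; whether PHP_AUTH_USER is also populated depends on the PHP SAPI, so check both). The value arrives as DOMAIN\user or DOMAIN+user depending on the winbind separator in smb.conf, so validate that shape before splitting off the account name, and never accept a user name from any client-supplied header or parameter on a path that Apache does not protect. The address-based Allow only holds if Apache sees the real client address, so do not put a proxy that hides it in front of /sso.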