LDAP / SSO Intranet解决方案

时间:2017-05-16 14:37:43

标签: php ldap

我们需要一个具有自动登录功能的Intranet解决方案。 绑定没问题,但无法搜索ldap服务器。

是否可以在客户端上使用自动登录? 客户端知道我的用户名,apache不知道。

<?php

$user_ldap_admin  = 'XX';
$password_ldap_admin = 'XX';

$my_windows_username = 'XX'; // client -> server; auto send possible ??


$ldap = ldap_connect("XX.XX.com")
    or die("no ldap connection");   


if ($ldap) {
    $ldapbind = ldap_bind($ldap, $user_ldap_admin, $password_ldap_admin);

    if ($ldapbind) {
        echo "bind ok";
    } else {
        echo "bind error";
    }

}


if($bind = @ldap_bind($ldap, $user_ldap_admin, $password_ldap_admin)) {

    $filter = "(sAMAccountName=" . $my_windows_username . ")";
    $attr = array("memberof","givenname");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("unable to search LDAP");
    $entries = ldap_get_entries($ldap, $result);
    $givenname = $entries[0]['givenname'][0];
    ldap_unbind($ldap);

    foreach($entries[0]['memberof'] as $grps) {
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        $_SESSION['user'] = $my_windows_username;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        return true;
    } else {
        return false;
    }

} else {
    return false;
}


?>

-

2 个答案:

答案 0 :(得分:0)

如果您寻找完全自动的内容,请尝试查看NTLM。

如果您需要SSO解决方案,请查看这些产品。它为您提供了一个连接用户的门户,允许您用户连接配置为与SSO交互的其他应用程序

如果您不能/不想要这些解决方案中的任何一个并且您可以修改您的客户端(而不是Web应用程序),您可以将用户的身份存储在他的客户端中并将其传递给每个请求(标题,正文帖子等)

答案 1 :(得分:0)

(快速'脏)解决方案:

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
</head>
<body>

<?php

// step 1: get windows username

$headers = apache_request_headers();

if (!isset($headers['Authorization'])){
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: NTLM');
    exit;
}

$auth = $headers['Authorization'];

if (substr($auth,0,5) == 'NTLM ') {
    $msg = base64_decode(substr($auth, 5));
    if (substr($msg, 0, 8) != "NTLMSSP\x00")
        die('error header not recognised');

    if ($msg[8] == "\x01") {
        $msg2 = "NTLMSSP\x00\x02\x00\x00\x00".
            "\x00\x00\x00\x00". // target name len/alloc
            "\x00\x00\x00\x00". // target name offset
            "\x01\x02\x81\x00". // flags
            "\x00\x00\x00\x00\x00\x00\x00\x00". // challenge
            "\x00\x00\x00\x00\x00\x00\x00\x00". // context
            "\x00\x00\x00\x00\x00\x00\x00\x00"; // target info len/alloc/offset

        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2)));
        exit;
    }
    else if ($msg[8] == "\x03") {
        function get_msg_str($msg, $start, $unicode = true) {
            $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]);
            $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]);
            if ($unicode)
                return str_replace("\0", '', substr($msg, $off, $len));
            else
                return substr($msg, $off, $len);
        }
        $windows_user = get_msg_str($msg, 36);
        $domain = get_msg_str($msg, 28);
        $workstation = get_msg_str($msg, 44);

        print "$windows_user <br> $domain/$workstation<br><br>";
    }
}


// step 2: ldap search

$ldap_user  = '#####';
$windows_user  = strtolower($windows_user); ;
$password = '#####';

$ldap_dn = "ldap.domain.com";
$dn = "DC=domain,DC=com";



$ldap_conn = ldap_connect($ldap_dn)
    or die("no ldap connection");   

ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0);

if($bind = @ldap_bind($ldap_conn, $ldap_user, $password)) {

    $filter = "(sAMAccountName=" . $windows_user . ")";
    $attr = array("memberof","givenname","sn","mail");
    $result = ldap_search($ldap_conn, $dn, $filter, $attr) or exit("unable to search LDAP");
    $entries = ldap_get_entries($ldap_conn, $result);
    $firstname = $entries[0]['givenname'][0];
    $lastname = $entries[0]['sn'][0];
    $mail = $entries[0]['mail'][0];
    $group = $entries[0]['memberof'][0];
    echo ''.$lastname.', '.$firstname.'<br>';
    echo ''.$mail.'<br>';
    echo ''.$group.'<br>';
    ldap_unbind($ldap_conn);

    foreach($entries[0]['memberof'] as $grps) {
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }
        if (strpos($grps, $ldap_user_group)) $access = 1;
    }

    if ($access != 0) {
        $_SESSION['window_user'] = $windows_user;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        return true;
    } else {
        return false;
    }

} else {
    return false;
}


?>


</body>
</html>