1. 首页
  2. 问答
  3. LDAP/SSO Intranet解决方案

LDAP/SSO Intranet解决方案

2017-05-16 66 views
0

我们需要一个带有自动登录的Intranet解决方案。 绑定可以,但无法搜索ldap服务器。LDAP/SSO Intranet解决方案

是否可以在客户端上使用自动登录? 客户端知道我的用户名,Apache不知道它。

<?php 

$user_ldap_admin = 'XX'; 
$password_ldap_admin = 'XX'; 

$my_windows_username = 'XX'; // client -> server; auto send possible ?? 


$ldap = ldap_connect("XX.XX.com") 
    or die("no ldap connection"); 


if ($ldap) { 
    $ldapbind = ldap_bind($ldap, $user_ldap_admin, $password_ldap_admin); 

    if ($ldapbind) { 
     echo "bind ok"; 
    } else { 
     echo "bind error"; 
    } 

} 


if($bind = @ldap_bind($ldap, $user_ldap_admin, $password_ldap_admin)) { 

    $filter = "(sAMAccountName=" . $my_windows_username . ")"; 
    $attr = array("memberof","givenname"); 
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("unable to search LDAP"); 
    $entries = ldap_get_entries($ldap, $result); 
    $givenname = $entries[0]['givenname'][0]; 
    ldap_unbind($ldap); 

    foreach($entries[0]['memberof'] as $grps) { 
     if (strpos($grps, $ldap_manager_group)) { $access = 2; break; } 
     if (strpos($grps, $ldap_user_group)) $access = 1; 
    } 

    if ($access != 0) { 
     $_SESSION['user'] = $my_windows_username; 
     $_SESSION['access'] = $access; 
     $_SESSION['givenname'] = $givenname; 
     return true; 
    } else { 
     return false; 
    } 

} else { 
    return false; 
} 


?>

-

来源

2017-05-16 John Cooper

回答

0

的(快速'n脏)解决方案:

<html> 
<head> 
<meta http-equiv="content-type" content="text/html;charset=UTF-8"> 
</head> 
<body> 

<?php 

// step 1: get windows username 

$headers = apache_request_headers(); 

if (!isset($headers['Authorization'])){ 
    header('HTTP/1.1 401 Unauthorized'); 
    header('WWW-Authenticate: NTLM'); 
    exit; 
} 

$auth = $headers['Authorization']; 

if (substr($auth,0,5) == 'NTLM ') { 
    $msg = base64_decode(substr($auth, 5)); 
    if (substr($msg, 0, 8) != "NTLMSSP\x00") 
     die('error header not recognised'); 

    if ($msg[8] == "\x01") { 
     $msg2 = "NTLMSSP\x00\x02\x00\x00\x00". 
      "\x00\x00\x00\x00". // target name len/alloc 
      "\x00\x00\x00\x00". // target name offset 
      "\x01\x02\x81\x00". // flags 
      "\x00\x00\x00\x00\x00\x00\x00\x00". // challenge 
      "\x00\x00\x00\x00\x00\x00\x00\x00". // context 
      "\x00\x00\x00\x00\x00\x00\x00\x00"; // target info len/alloc/offset 

     header('HTTP/1.1 401 Unauthorized'); 
     header('WWW-Authenticate: NTLM '.trim(base64_encode($msg2))); 
     exit; 
    } 
    else if ($msg[8] == "\x03") { 
     function get_msg_str($msg, $start, $unicode = true) { 
      $len = (ord($msg[$start+1]) * 256) + ord($msg[$start]); 
      $off = (ord($msg[$start+5]) * 256) + ord($msg[$start+4]); 
      if ($unicode) 
       return str_replace("\0", '', substr($msg, $off, $len)); 
      else 
       return substr($msg, $off, $len); 
     } 
     $windows_user = get_msg_str($msg, 36); 
     $domain = get_msg_str($msg, 28); 
     $workstation = get_msg_str($msg, 44); 

     print "$windows_user <br> $domain/$workstation<br><br>"; 
    } 
} 


// step 2: ldap search 

$ldap_user = '#####'; 
$windows_user = strtolower($windows_user); ; 
$password = '#####'; 

$ldap_dn = "ldap.domain.com"; 
$dn = "DC=domain,DC=com"; 



$ldap_conn = ldap_connect($ldap_dn) 
    or die("no ldap connection"); 

ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3); 
ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0); 

if($bind = @ldap_bind($ldap_conn, $ldap_user, $password)) { 

    $filter = "(sAMAccountName=" . $windows_user . ")"; 
    $attr = array("memberof","givenname","sn","mail"); 
    $result = ldap_search($ldap_conn, $dn, $filter, $attr) or exit("unable to search LDAP"); 
    $entries = ldap_get_entries($ldap_conn, $result); 
    $firstname = $entries[0]['givenname'][0]; 
    $lastname = $entries[0]['sn'][0]; 
    $mail = $entries[0]['mail'][0]; 
    $group = $entries[0]['memberof'][0]; 
    echo ''.$lastname.', '.$firstname.'<br>'; 
    echo ''.$mail.'<br>'; 
    echo ''.$group.'<br>'; 
    ldap_unbind($ldap_conn); 

    foreach($entries[0]['memberof'] as $grps) { 
     if (strpos($grps, $ldap_manager_group)) { $access = 2; break; } 
     if (strpos($grps, $ldap_user_group)) $access = 1; 
    } 

    if ($access != 0) { 
     $_SESSION['window_user'] = $windows_user; 
     $_SESSION['access'] = $access; 
     $_SESSION['givenname'] = $givenname; 
     return true; 
    } else { 
     return false; 
    } 

} else { 
    return false; 
} 


?> 


</body> 
</html>

来源

2017-05-17 13:10:16

0

如果你看到的东西完全自动的,尝试寻找在NTLM。

如果您需要SSO解决方案,请查看这些产品。它为您提供了一个连接用户的门户,并允许用户连接配置为与SSO交互的其他应用程序。

如果您不能或不想要这些解决方案,并且您可以修改您的客户端(不Web应用程序),您可以存储用户的身份,他的客户,并通过它在每个请求(标题,正文后等)

来源

2017-05-17 11:04:07 Esteban

+0

ntlm是“魔术字” –

相关问题

 相关问题