We have several AD servers with a forest trust established between them, so Windows users from different domains can access restricted resources. Suppose we have domainA.com and domainB.com; then any user from domainB.com can log on to resources on domainA.com. For security reasons the administrators have disabled anonymous access to the LDAP servers. How can I bind to an AD server in PHP using credentials from a trusted domain?
Now we need to list all users from all LDAP servers in our PHP code with the help of the OpenLDAP client. Below is the PHP code for domainB.com:
<?php
define('USER', '[email protected]'); // User from domainA.com here
define('PASS', 'REPLACE-ME');       // password placeholder; the constant was undefined in the original snippet
$ldap = ldap_connect('domainB.com') or die('Bad connection');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // do not chase AD referrals (they would re-bind anonymously)
ldap_bind($ldap, USER, PASS) or die('Cannot bind');
Instead of getting information on all users, my script dies with the message "Cannot bind" and LDAP error "49 Invalid credentials". Additional information from AD:
80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
I think the problem is the simple authentication mechanism, because when I use GSS-Negotiate authentication in the LDAP Admin client with the same [email protected] credentials, everything works fine.
How can I bind successfully to domainB.com using the credentials of [email protected]?
UPD1: with SASL DIGEST-MD5 authentication against AD:
ldap_sasl_bind ($ldap, '', $pass, 'DIGEST-MD5', null, '[email protected]');
Log:
The computer attempted to validate the credentials for an account.
Authentication Package: WDigest
Logon Account: user
Source Workstation: DOMAINA
Error Code: 0xc000006a

An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [email protected]
Account Domain: domainA.com
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0xc000006d
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address:
Source Port:
Detailed Authentication Information:
Logon Process: WDIGEST
Authentication Package: WDigest
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols.
I tried to bind with my user DN "CN=user,OU=Special Users,DC=domainA,DC=com"; the answer is "Invalid credentials". The Global Catalog is interesting, but it doesn't work for me either. – lisachenko
With a simple bind you must bind as a user of the DomainB directory! You must use SASL to bind with a DomainA user – JPBlanc
PHP has the ldap_sasl_bind() function for SASL binds, but I can't find any good examples of how to do Kerberos or NTLM authentication. Do you have any experience with SASL authentication in PHP code? – lisachenko
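An added example, not code from the question or the commenters, of the SASL bind JPBlanc suggests: it binds to the domainB.com DC with the domainA.com user's Kerberos ticket (GSSAPI) instead of a password, and if the bind is refused it decodes the AcceptSecurityContext data code (the 52e seen above). It assumes a ticket for the domainA user is already in the credential cache PHP runs under (obtained with kinit or a keytab); the host, base DN and search filter are my assumptions.

```php
<?php
// Added example (not from the question). Assumes a Kerberos ticket for the
// domainA.com user is already in the credential cache PHP runs under, so the
// script never handles a password. Host, base DN and filter are assumptions.

// Translate the "data NNN" code in an AD AcceptSecurityContext message (52e in the question).
function adBindFailureReason(string $diag): string
{
    $codes = [
        '525' => 'user not found',         '52e' => 'invalid credentials',
        '530' => 'logon time restriction', '531' => 'workstation restriction',
        '532' => 'password expired',       '533' => 'account disabled',
        '701' => 'account expired',        '773' => 'password must be reset',
        '775' => 'account locked out',
    ];
    if (preg_match('/AcceptSecurityContext error, data ([0-9A-Fa-f]+)/', $diag, $m)) {
        $code = strtolower($m[1]);
        return $codes[$code] ?? "unrecognised AD data code $code";
    }
    return 'no AD data code in diagnostic message';
}

// Bind to a DC of the trusting domain with the trusted-domain user's ticket (SASL/GSSAPI).
function bindCrossForest(string $host)
{
    $ldap = ldap_connect("ldap://$host");
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD returns referrals for other naming contexts; chasing them re-binds anonymously,
    // which the administrators have disabled, so keep referral chasing off as the question does.
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    // GSSAPI lets the domainB DC validate the domainA ticket across the forest trust; a
    // simple bind would instead send the password in clear unless the session uses TLS.
    if (!@ldap_sasl_bind($ldap, null, null, 'GSSAPI')) {
        $diag = '';
        ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException(sprintf('Bind to %s failed: %s; %s', $host,
            ldap_error($ldap), adBindFailureReason((string) $diag)));
    }
    return $ldap;
}
$ldap = bindCrossForest('domainB.com');
// List user accounts (sAMAccountName only) from domainB's default naming context.
$res = ldap_search($ldap, 'DC=domainB,DC=com',
    '(&(objectCategory=person)(objectClass=user))', ['sAMAccountName']);
foreach (ldap_get_entries($ldap, $res) as $entry) {
    if (isset($entry['samaccountname'][0])) {
        echo $entry['samaccountname'][0], "\n";
    }
}
```

The same adBindFailureReason() helper can be applied to the diagnostic message of a failed simple bind, which is where the 52e in the question came from.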