如何使用可信域的憑證綁定到PHP中的AD服務器？

Question

我們有幾個AD服務器，它們之間建立了森林信任關係，因此來自不同域的Windows用戶可以訪問受限資源。假設我們有domainA.com和domainB.com，那麼來自域domainB.com的任何用戶都可以登錄到domainA.com上的資源。出於安全原因，管理員禁用匿名訪問LDAP服務器。

現在我們需要在OpenLDAP客戶端的幫助下，在我們的PHP代碼中列出來自所有LDAP服務器的所有用戶。下面是PHP代碼從domainB.com

define('USER', 'user@domainA.com'); // User from domainA.com here 
$ldap = ldap_connect('domainB.com') or die('Bad connection'); 
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); 
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); 
ldap_bind($ldap, USER, PASS) or die('Cannot bind'); 

得到所有用戶的信息我的腳本與死亡的消息「無法綁定」使用LDAP錯誤「49個證書無效」。從公元附加信息：
80090308：LdapErr：DSID-0C0903A9，註釋：AcceptSecurityContext錯誤，數據52E，v1db1

我覺得現在的問題是簡單的認證機制，因爲當我使用GSS的LDAP管理員協商身份驗證客戶端使用與user@domainA.com相同的憑據，一切正常。

如何使用user@domainA.com的憑證在domainB.com上成功綁定，該怎麼做？

UPD1與SASL DIGEST-MD5認證從公元

ldap_sasl_bind ($ldap, '', $pass, 'DIGEST-MD5', null, 'user@domainA.com'); 

日誌：

 
The computer attempted to validate the credentials for an account. 

Authentication Package: WDigest 
Logon Account: user 
Source Workstation: DOMAINA 
Error Code: 0xc000006a 

An account failed to log on. 

Subject: 
    Security ID:  NULL SID 
    Account Name:  - 
    Account Domain:  - 
    Logon ID:  0x0 

Logon Type:   3 

Account For Which Logon Failed: 
    Security ID:  NULL SID 
    Account Name:  user@domainA.com 
    Account Domain:  domainA.com 

Failure Information: 
    Failure Reason:  An Error occured during Logon. 
    Status:   0xc000006d 
    Sub Status:  0xc000006d 

Process Information: 
    Caller Process ID: 0x0 
    Caller Process Name: - 

Network Information: 
    Workstation Name: - 
    Source Network Address: 
    Source Port:   

Detailed Authentication Information: 
    Logon Process:  WDIGEST 
    Authentication Package: WDigest 
    Transited Services: - 
    Package Name (NTLM only): - 
    Key Length:  0 

This event is generated when a logon request fails. It is generated on the computer where access was attempted. 

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. 

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). 

The Process Information fields indicate which account and process on the system requested the logon. 

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 

The authentication information fields provide detailed information about this specific logon request. 
    - Transited services indicate which intermediate services have participated in this logon request. 
    - Package name indicates which sub-protocol was used among the NTLM protocols. 

Answer 1

當您在ldap_bind specifiy用戶，可以嘗試把你的用戶DN如下：

$bind = ldap_bind($resource, 'cn=jpb,cn=users,dc=dom,dc=fr', '***'); 

另一件事，在您的'Active-Directory林'中，您有一個或多個支持名爲'全球目錄'（GC）的目錄的域控制器。 GC包含森林所有目錄的所有對象。

---

編輯 你可以嘗試使用SASL

$ldap = ldap_connect('domainB.com'); 
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); 
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); 
ldap_sasl_bind ($conn, NULL,"password",'DIGEST-MD5',NULL,'user@domainA.com',NULL); 

Answer 2

我的Moodle配置時遇到此問題，使用PHP LDAP庫和OpenLDAP綁定連接到AD服務器。該解決方案是相當簡單的，兩件事情，（這實際上只是歸結爲一件事）之一：

1. 使用無範圍的用戶名（即沒有「@ example.com」後的用戶名）
2. 使用域\用戶名

基本上，它的一件事就是獲得正確的，預期的用戶名語法。我認爲這取決於特定的AD配置，因爲我已經看到在各種AD服務器上有四種類型的用戶名可用：全DN，範圍用戶名（即看起來像電子郵件地址），DOMAIN \ username和普通用戶名。