I need to get more understanding about SSO on a web app against Active Directory.
To simply ask the user for the login to authenticate on AD, I know that I can use some libraries like Zend_Ldap, adLdap and so on. But in this case, the user still needs to type the login twice.
For example: Authenticate against Active Directory/ISA from php
AFAIK, to use SSO for transparent login, I need to implement an extra Apache module.
For example:
How do I use Microsoft AD and php single sign on web app?
Authenticate using PHP against Active Directory LDAP while using IE/Firefox
First I need to know which Apache module I need to use and why.
In this article, for example, there are three: mod_ntlm, mod_auth_kerb and Apache2:AuthenNTLM.
And the chosen one was Apache2:AuthenNTLM.
In the question described above, the accepted answer was for mod_auth_sspi.
When talking about Active Directory I've got this answer, which describes Active Directory as an implementation of LDAP + Kerberos + "a few other miscellaneous bits and pieces".
I'm very confused about all these names, since I've never worked with them.
Can someone clarify it for me? (LDAP, Kerberos, NTLM, SSPI etc.)
Finally, can someone point me to how the app recognizes the authenticated user (from AD)? Is it just by the username passed with something like $_SERVER['REMOTE_USER']? Is any password sent? How does the browser send these extra headers? Is there any local configuration that needs to be done on each workstation?
Recommended answer
Authentication is a confusing mess. Here is some background.

LDAP: LDAP is a protocol for communicating user directory information. It can also handle authentication, but it is not seamless (SSO).

NTLM: NTLM is Microsoft's SSO built into IE, Active Directory and IIS. The original version of NTLM is very insecure, so NTLMv2 was implemented to fix the security issues in NTLM. The original NTLM is disabled by default in Windows Vista and later.

Kerberos: Kerberos is an open standard that is very secure and is designed to offer seamless (SSO) authentication. Active Directory supports a version of Kerberos.

As far as the Apache modules that can be used to implement these protocols, you included a pretty good list of them.

mod_ntlm: This is an Apache module that runs on Linux and supports the original NTLM (not NTLMv2).

mod_auth_kerb: This is an Apache module that implements Kerberos.

mod_auth_sspi: This is an Apache module for Windows that supports the original NTLM (not NTLMv2).

Apache2:AuthenNTLM: This is a Perl module that handles NTLM. I don't know if it supports NTLM and NTLMv2.

mod_auth_ntlm_winbind: This is an Apache module that interfaces with Samba's authentication.
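The question also asks how the PHP application ends up knowing who the user is once one of these modules has done the SSO handshake. The following is an added example, not code from the question, the answer or any of the modules listed; it assumes Apache with mod_auth_kerb in front of the application, a placeholder realm EXAMPLE.LOCAL (NTLM-style domain EXAMPLE), a placeholder keytab path, and a hypothetical helper `ssoUserFromServer()`. The directive names in the comment block are mod_auth_kerb's own; everything else is constructed for illustration.

```php
<?php
// Added example: consuming the identity that an Apache SSO module has
// already verified. Assumed mod_auth_kerb configuration for the protected
// location (realm, service principal and keytab path are placeholders):
//
//   <Location "/intranet">
//       AuthType Kerberos
//       AuthName "Intranet"
//       KrbAuthRealms EXAMPLE.LOCAL
//       KrbServiceName HTTP/www.example.local@EXAMPLE.LOCAL
//       Krb5KeyTab /etc/apache2/http.keytab
//       KrbMethodNegotiate On
//       KrbMethodK5Passwd Off      # no fallback to a password prompt
//       Require valid-user
//   </Location>
//
// With this in place the browser never sends the user's password to the web
// app: it sends an "Authorization: Negotiate <ticket>" header, Apache checks
// the Kerberos service ticket against the keytab, and only then sets
// REMOTE_USER for PHP.

/** Realms/domains whose users this application trusts (assumed values). */
const TRUSTED_REALMS = ['EXAMPLE.LOCAL', 'EXAMPLE'];

/**
 * Turn the web server's REMOTE_USER ("user@REALM" from a Kerberos module,
 * "DOMAIN\user" from the NTLM modules) into a bare, normalised account name.
 * Returns null when the value is missing, unqualified, malformed or from a
 * realm/domain this application does not trust.
 */
function ssoUserFromServer(array $server): ?string
{
    // Read REMOTE_USER, never HTTP_REMOTE_USER: the former is populated by
    // Apache's auth module after a successful handshake, the latter would be
    // a client-supplied "Remote-User:" request header.
    $raw = $server['REMOTE_USER'] ?? '';
    if ($raw === '') {
        return null;
    }

    if (strpos($raw, '@') !== false) {           // Kerberos principal
        [$user, $realm] = explode('@', $raw, 2);
    } elseif (strpos($raw, '\\') !== false) {    // NTLM-style DOMAIN\user
        [$realm, $user] = explode('\\', $raw, 2);
    } else {
        return null;   // unqualified name: refuse rather than guess the realm
    }

    if (!in_array(strtoupper($realm), TRUSTED_REALMS, true)) {
        return null;
    }

    // AD account names are not case-sensitive; normalise before any lookup
    // and only accept the character set sAMAccountNames are expected to use.
    $user = strtolower($user);
    return preg_match('/^[a-z0-9._-]+$/', $user) === 1 ? $user : null;
}

// Usage inside the protected page:
$user = ssoUserFromServer($_SERVER);
if ($user === null) {
    http_response_code(401);
    exit('Not authenticated by the web server');
}
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

Two things worth noting about the surrounding setup. The application must only trust REMOTE_USER on locations that Apache actually protects with `Require valid-user`; on an unprotected path the variable is simply absent. And the workstation side does need configuration for the login to be "transparent": Internet Explorer only sends Negotiate/NTLM credentials automatically to sites it places in the Local intranet zone, and Firefox only does so for hosts listed in its `network.negotiate-auth.trusted-uris` preference.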