Authenticating LDAP / Active Directory logins with SSL


I recently purchased an SSL certificate for a domain, let's call it mydomain.com. I have a login script which I'm using to authenticate against a client's Active Directory service. I have no real access to their server at all, although they have whitelisted my server so that I can verify whether their login credentials are correct or not.

Let's say that the clients enter their login info on a page with URL https://www.mydomain.com/login.php. I have tested the PHP script which I have written using a test account provided by the client, and it does correctly identify whether or not the provided username/password combination is correct. However, is the login information really being encrypted as it is sent? Do I need access to a certificate on my client's AD server to make sure that the login is secure? As I understand it, since I'm the one sending the information to the client, and I have an SSL certificate in place, the login information should be encrypted. I am assuming that all that the AD server is sending to me is basically a true/false response on whether or not the credentials are correct, which should not require encryption.

Is my understanding of this process correct? I'd genuinely appreciate any insight you could provide. Thanks!

1 answer

Here is the picture I get from your question

web browser --(1)--> your-domain.com --(2)--> your client's AD server

So you have purchased an SSL certificate for your-domain.com, so connection (1) is over SSL and all data is encrypted. However, this says nothing about the connection to the AD server.

Connection (2) may be over SSL, TLS or be a plain connection. In other words, you need to check what your login.php is doing behind the scenes to authenticate in AD. If the connection it uses is SSL or TLS, your data is encrypted at that stage; otherwise it is not.

So you are only half correct. The data between the browser and your domain is encrypted, but the data between your domain and the AD server may or may not be.

duanlinzhen7235: Thanks, your answer makes sense to me. I appreciate the response.
About 7 years ago
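One way to make sure connection (2) is encrypted before any password is sent, as an added example that is not the asker's login.php or part of the original answer. It assumes PHP's ldap extension built against OpenLDAP; the host name, CA file path and UPN suffix are placeholders.

```php
<?php
// Added example: AD_URI, AD_CA_FILE and UPN_SUFFIX are placeholder assumptions.
const AD_URI     = 'ldap://ad.client.example:389';    // ldaps://...:636 is also accepted
const AD_CA_FILE = '/etc/ssl/certs/client-ad-ca.pem'; // CA that signed the AD server's certificate
const UPN_SUFFIX = '@client.example';

/**
 * Returns true only if the credentials were accepted over an encrypted,
 * certificate-validated connection. Throws if encryption cannot be set up.
 */
function adLogin(string $user, string $password): bool
{
    // A simple bind with an empty password is an "unauthenticated bind"
    // (RFC 4513), which a server may report as success. Never forward it.
    if ($user === '' || $password === '') {
        return false;
    }

    // Require a valid server certificate; set globally before connecting.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, AD_CA_FILE);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect(AD_URI);
    if ($ldap === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // ldaps:// is encrypted from the first byte. Plain ldap:// must be
    // upgraded with StartTLS before the bind, or the password crosses
    // connection (2) in cleartext.
    $isLdaps = strncasecmp(AD_URI, 'ldaps://', 8) === 0;
    if (!$isLdaps && !@ldap_start_tls($ldap)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ldap));
    }

    $ok = @ldap_bind($ldap, $user . UPN_SUFFIX, $password);
    ldap_unbind($ldap);
    return $ok;
}
```

The certificate checked here belongs to the AD server and is independent of the one purchased for the web site, which only covers connection (1).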