douzai9405 2018-11-20 12:01
浏览 74

在IdentityPool下使用PHP CGI的内置IIS AD身份验证

I have a PHP website running as an App on IIS.

The app is using a specific Identity that runs all php-cgi.exe processes under NetworkService user that has access to the AD server.

There's also another .NET app in the IIS where it's using the same identity and can log into the AD using the class System.Web.Security.FormsAuthentication and uses Forms Authentication in the Authentication settings in IIS. I tried copying the settings over but to no avail.

The .NET code:

...
using System.Web.Security.Membership.ValidateUser;
...

public ActionResult Login(Login model, string route)
{
    if (Membership.ValidateUser(model.Username, model.Password)) {
        FormsAuthentication.SetAuthCookie(model.Username);
        return Redirect(route);
    }

    return RedirectHome();
}

My code running on IIS with PHP CGI, impersonate is on on IIS level and php.ini level:

public function login()
{
    $ldapHost = 'ldap://spacemudd-ad';

    // PHP should use server's (iis) credentials when connecting. (impersonate)
    $connection = ldap_connect($ldapHost);

    // This always fails.
    //
    // "ldap_bind(): Unable to bind to server: Can't contact LDAP server"
    //
    // I believe due to the php-cgi.exe not sending the request
    // to the AD server through the IdentityPool's user (NetworkService)
    // even though in the TaskManager, the php-cgi.exe shows the owner is
    // NetworkService?
    //
    $ldapBind = ldap_bind($connection);

    // TODO: Search the AD directory for the user to be authenticated.
}

php.ini configuration:

fastcgi.impersonate = 1

ref. questions:

Update 24-11-2018: The sysadmin gave me these information:

config.md:

 <add name="ADConnectionString" connectionString="LDAP://spacelantern-central/DC=spacelantern,DC=com" />

    <membership defaultProvider="ADMembershipProvider">
      <providers>
        <clear />
        <add name="ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

code.md:

if (Membership.ValidateUser("userid", "password"))
{
    // 
}
  • 写回答

1条回答 默认 最新

  • dongxiao_0528 2018-11-20 16:38
    关注

    I suspect you have two problems. First, this:

    ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, $ldapPort);

    What is the value in $ldapPort? The name of that variable suggests that it contains the TCP port to connect to, but that is not what LDAP_OPT_PROTOCOL_VERSION is for.

    LDAP_OPT_PROTOCOL_VERSION is for the LDAP version to use when communicating. For AD, you can set it to 3, since AD supports LDAPv3:

    ldap_set_option($connection, LDAP_OPT_PROTOCOL_VERSION, 3);

    Second, if you need to connect to a different port than the default (389), then you need to pass it in the call to ldap_connect:

    $connection = @ldap_connect($ldapHost, $ldapPort);
    评论

报告相同问题?

悬赏问题

  • ¥15 在获取boss直聘的聊天的时候只能获取到前40条聊天数据
  • ¥20 关于URL获取的参数,无法执行二选一查询
  • ¥15 液位控制,当液位超过高限时常开触点59闭合,直到液位低于低限时,断开
  • ¥15 marlin编译错误,如何解决?
  • ¥15 有偿四位数,节约算法和扫描算法
  • ¥15 VUE项目怎么运行,系统打不开
  • ¥50 pointpillars等目标检测算法怎么融合注意力机制
  • ¥20 Vs code Mac系统 PHP Debug调试环境配置
  • ¥60 大一项目课,微信小程序
  • ¥15 求视频摘要youtube和ovp数据集