douchunji1885 2017-05-16 14:37

LDAP / SSO Intranet解决方案

We need an intranet solution with auto-login. Binding works, but it is unable to search the LDAP server.

Is it possible to use an auto-login on the client? The client knows my username, but Apache does not.

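<?php
// Look up a Windows user in Active Directory over LDAP and map its group
// membership to an access level stored in the session.
//
// Side effects: prints the bind status, writes $_SESSION['user'], ['access']
// and ['givenname'] on success. Ends with a file-level return (true on
// success, false otherwise), so this script is meant to be include()d.

$user_ldap_admin     = 'XX'; // service account used for the lookup bind
$password_ldap_admin = 'XX';

$my_windows_username = 'XX'; // client -> server; auto send possible ??

// The search base and the two group names were used but never defined in the
// original; 'XX' placeholders to be filled in.
$ldap_base_dn       = 'XX'; // placeholder, e.g. the domain's DC=...,DC=... base
$ldap_manager_group = 'XX'; // placeholder: text expected in the manager group DN
$ldap_user_group    = 'XX'; // placeholder: text expected in the user group DN

// $_SESSION is only populated after session_start(); it must run before any
// output, hence before the "bind ok"/"bind error" echo.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

$ldap = ldap_connect("XX.XX.com")
    or die("no ldap connection");

// Active Directory needs LDAPv3 and referral chasing switched off; without
// these two options the bind can succeed while every search fails.
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

// Bind once (the original bound twice with the same credentials).
$ldapbind = ldap_bind($ldap, $user_ldap_admin, $password_ldap_admin);
if (!$ldapbind) {
    echo "bind error";
    return false;
}
echo "bind ok";

// The username is interpolated into a filter; escape it so that filter
// metacharacters in the value cannot change the filter's meaning.
$filter  = "(sAMAccountName=" . ldap_escape($my_windows_username, '', LDAP_ESCAPE_FILTER) . ")";
$attr    = array("memberof", "givenname");
$result  = ldap_search($ldap, $ldap_base_dn, $filter, $attr) or exit("unable to search LDAP");
$entries = ldap_get_entries($ldap, $result);
ldap_unbind($ldap);

// ldap_get_entries() returns a 'count' key; no entry means an unknown user.
if ($entries === false || $entries['count'] < 1) {
    return false;
}

$givenname = isset($entries[0]['givenname'][0]) ? $entries[0]['givenname'][0] : '';
$groups    = isset($entries[0]['memberof']) ? $entries[0]['memberof'] : array('count' => 0);

// 0 = no access, 1 = user, 2 = manager. Initialised so an empty membership
// list does not leave $access undefined.
$access = 0;
for ($i = 0; $i < $groups['count']; $i++) {
    // strpos() returns 0 for a match at offset 0, which is falsy; compare with false.
    // NOTE(review): a substring match also accepts any other group whose DN
    // merely contains the text; comparing the full group DN would be tighter.
    if (strpos($groups[$i], $ldap_manager_group) !== false) { $access = 2; break; }
    if (strpos($groups[$i], $ldap_user_group) !== false) { $access = 1; }
}

if ($access === 0) {
    return false;
}

$_SESSION['user']      = $my_windows_username;
$_SESSION['access']    = $access;
$_SESSION['givenname'] = $givenname;
return true;
?>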


  • doujupa7567 2017-05-17 13:10

    the (quick 'n dirty) solution:

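    <?php
    // Quick 'n dirty intranet auto-login: read the Windows username from the
    // browser's NTLM Authorization header, look the user up in Active Directory
    // and map group membership to an access level in $_SESSION.
    //
    // NOTE(review): this script only *parses* the NTLM exchange. The Type 2
    // challenge sent below is a constant of zero bytes and the Type 3 response
    // is never verified against a domain controller, so the username is
    // whatever the client put in the header — identification, not
    // authentication. Anything that trusts $_SESSION['access'] should take the
    // username from a verified source (e.g. REMOTE_USER set by an Apache
    // authentication module) before the LDAP lookup.
    //
    // All header() calls and session_start() run before the first byte of
    // HTML; in the original the <html> preamble was printed first, so the
    // 401 responses could not be sent.

    /**
     * Extract a string field from an NTLM Type 3 message.
     *
     * Each field descriptor is Len(2) MaxLen(2) Offset(4), little-endian; only
     * the low 16 bits of the offset are read here, as in the original.
     * Returns '' when the descriptor or the field lies outside the message.
     */
    function get_msg_str($msg, $start, $unicode = true) {
        if (strlen($msg) < $start + 6) {
            return '';
        }
        $len = (ord($msg[$start + 1]) * 256) + ord($msg[$start]);
        $off = (ord($msg[$start + 5]) * 256) + ord($msg[$start + 4]);
        if ($off + $len > strlen($msg)) {
            return '';
        }
        $field = substr($msg, $off, $len);
        // Dropping NUL bytes turns a UTF-16LE ASCII name into plain ASCII.
        return $unicode ? str_replace("\0", '', $field) : $field;
    }

    // $_SESSION is only populated after session_start().
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // step 1: get windows username

    $headers = apache_request_headers();

    if (!isset($headers['Authorization'])) {
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM');
        exit;
    }

    $auth = $headers['Authorization'];

    if (substr($auth, 0, 5) !== 'NTLM ') {
        // Another scheme; only NTLM is handled here. The original fell through
        // to the LDAP search with $windows_user undefined.
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM');
        exit;
    }

    $msg = base64_decode(substr($auth, 5), true);
    // At least 9 bytes are needed before $msg[8] (the message type) is read.
    if ($msg === false || strlen($msg) < 9 || substr($msg, 0, 8) !== "NTLMSSP\x00") {
        die('error header not recognised');
    }

    $windows_user = null;
    $domain       = '';
    $workstation  = '';

    if ($msg[8] === "\x01") {
        // Type 1 (NEGOTIATE): answer with a Type 2 (CHALLENGE) message.
        $msg2 = "NTLMSSP\x00\x02\x00\x00\x00" .
            "\x00\x00\x00\x00" .                 // target name len/alloc
            "\x00\x00\x00\x00" .                 // target name offset
            "\x01\x02\x81\x00" .                 // flags
            "\x00\x00\x00\x00\x00\x00\x00\x00" . // challenge (constant zero, see NOTE above)
            "\x00\x00\x00\x00\x00\x00\x00\x00" . // context
            "\x00\x00\x00\x00\x00\x00\x00\x00";  // target info len/alloc/offset

        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM ' . trim(base64_encode($msg2)));
        exit;
    } elseif ($msg[8] === "\x03") {
        // Type 3 (AUTHENTICATE): field descriptors sit at fixed offsets.
        $domain       = get_msg_str($msg, 28);
        $windows_user = get_msg_str($msg, 36);
        $workstation  = get_msg_str($msg, 44);
    }

    if ($windows_user === null || $windows_user === '') {
        // Unexpected message type or empty name: restart the handshake.
        header('HTTP/1.1 401 Unauthorized');
        header('WWW-Authenticate: NTLM');
        exit;
    }

    $windows_user = strtolower($windows_user);

    // step 2: ldap search

    $ldap_user = '#####';
    $password  = '#####';

    $ldap_dn = "ldap.domain.com";
    $dn      = "DC=domain,DC=com";

    // Both group names were used but never defined in the original; placeholders.
    $ldap_manager_group = '#####'; // placeholder: text expected in the manager group DN
    $ldap_user_group    = '#####'; // placeholder: text expected in the user group DN

    $ldap_conn = ldap_connect($ldap_dn)
        or die("no ldap connection");

    // Active Directory needs LDAPv3 and referral chasing switched off.
    ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap_conn, LDAP_OPT_REFERRALS, 0);

    if (!ldap_bind($ldap_conn, $ldap_user, $password)) {
        return false;
    }

    // The username comes straight from the client; escape it before it is
    // interpolated into the filter.
    $filter  = "(sAMAccountName=" . ldap_escape($windows_user, '', LDAP_ESCAPE_FILTER) . ")";
    $attr    = array("memberof", "givenname", "sn", "mail");
    $result  = ldap_search($ldap_conn, $dn, $filter, $attr) or exit("unable to search LDAP");
    $entries = ldap_get_entries($ldap_conn, $result);
    ldap_unbind($ldap_conn);

    // ldap_get_entries() returns a 'count' key; no entry means an unknown user.
    if ($entries === false || $entries['count'] < 1) {
        return false;
    }

    $entry     = $entries[0];
    $firstname = isset($entry['givenname'][0]) ? $entry['givenname'][0] : '';
    $lastname  = isset($entry['sn'][0]) ? $entry['sn'][0] : '';
    $mail      = isset($entry['mail'][0]) ? $entry['mail'][0] : '';
    $groups    = isset($entry['memberof']) ? $entry['memberof'] : array('count' => 0);
    $group     = $groups['count'] > 0 ? $groups[0] : '';

    // 0 = no access, 1 = user, 2 = manager. Initialised so an empty membership
    // list does not leave $access undefined.
    $access = 0;
    for ($i = 0; $i < $groups['count']; $i++) {
        // strpos() returns 0 for a match at offset 0, which is falsy; compare with false.
        // NOTE(review): a substring match also accepts any other group whose DN
        // merely contains the text; comparing the full group DN would be tighter.
        if (strpos($groups[$i], $ldap_manager_group) !== false) { $access = 2; break; }
        if (strpos($groups[$i], $ldap_user_group) !== false) { $access = 1; }
    }

    if ($access === 0) {
        return false;
    }

    $_SESSION['window_user'] = $windows_user;
    $_SESSION['access']      = $access;
    $_SESSION['givenname']   = $firstname; // the original stored the undefined $givenname

    // Everything printed below originates from the client or the directory;
    // escape it for the HTML context.
    $h = function ($s) {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    ?>
    <html>
    <head>
    <meta http-equiv="content-type" content="text/html;charset=UTF-8">
    </head>
    <body>
    <?php
    print $h($windows_user) . " <br> " . $h($domain) . "/" . $h($workstation) . "<br><br>";
    echo $h($lastname) . ', ' . $h($firstname) . '<br>';
    echo $h($mail) . '<br>';
    echo $h($group) . '<br>';
    ?>
    </body>
    </html>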
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?