Authenticating against Active Directory (LDAP) using PHP, with IE / Firefox (tags: directory, PHP, LDAP, Firefox)

2023-09-08 12:12:07 Author: 请骚等

This code below checks for the user's credentials against ldap

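<?php
$ldaphost = "ldap.domain.com";
$ldapport = 389; // plain LDAP: a simple bind sends the password unencrypted unless StartTLS or LDAPS is used

// ldap_connect() only validates its arguments; the server is first contacted by ldap_bind().
$ds = ldap_connect($ldaphost, $ldapport)
    or die("Could not connect to $ldaphost");

// Active Directory expects LDAPv3, and referral chasing should be off.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

$username = "johndoe@domain.com";
$upasswd = "pass";

// An empty password would turn this into an unauthenticated bind, which the
// server can accept, so reject it before binding.
// The @ suppresses the PHP warning raised on bad credentials.
$ldapbind = ($upasswd !== "") && @ldap_bind($ds, $username, $upasswd);

if ($ldapbind) {
    print "Congratulations! $username is authenticated.";
} else {
    print "Access Denied!";
}
?>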

My users use Firefox and IE, and I know that they can pass their ActiveDirectory credentials seamlessly.

I just want to check the AD group to see if that username is found in there, if so, display the page, otherwise prompt to enter in credentials.

Since our users are already logged into the domain controller, I want to grab their username, check to see if it was found in the specific group, then let them in, otherwise prompt user to input credentials. How is this possible?

Recommended answer

You actually do not need to communicate with the Active Directory server from your PHP code to achieve what you want given the fact that you use IIS as your web server.

The key word here is Integrated Windows Authentication - that's the wording djn looked for. If this option is turned on (and anonymous access is denied) IIS will check the supplied credentials against the Active Directory and the NTFS filesystem privileges of the requested resources. You can therefore control access to your files using simple NTFS access control mechanisms.

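If your users use IE, they do not even have to type in their credentials, because this is done via the so-called SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) and its underlying mechanisms Kerberos or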
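
An added example, not part of the original question or answer: once IIS has Integrated Windows Authentication on and anonymous access off, PHP can read the identity IIS already verified and build an escaped filter for the group check the question asks about. The group and base DNs, the function names and the sample server variables are constructed assumptions; the `AUTH_TYPE` values accepted are the ones IIS is assumed to report for this scheme.

```php
<?php
// Added example. GROUP_DN, BASE_DN and the function names are hypothetical.
const GROUP_DN = 'CN=WebApp Users,OU=Groups,DC=domain,DC=com'; // constructed
const BASE_DN  = 'DC=domain,DC=com';                            // constructed

// Return the account name IIS authenticated, or null if the request was not
// authenticated by Integrated Windows Authentication.
function iisAuthenticatedUser(array $server): ?string
{
    $type = $server['AUTH_TYPE'] ?? '';
    $user = $server['AUTH_USER'] ?? '';
    if (!in_array($type, ['Negotiate', 'NTLM'], true) || $user === '') {
        return null; // anonymous access or another scheme: do not trust it
    }
    // IIS reports DOMAIN\user; accept user@domain as well.
    if (($p = strrpos($user, '\\')) !== false) {
        $user = substr($user, $p + 1);
    } elseif (($p = strpos($user, '@')) !== false) {
        $user = substr($user, 0, $p);
    }
    return $user !== '' ? $user : null;
}

// Filter that matches the user only if they are a direct or nested member of $groupDn.
function groupMemberFilter(string $sam, string $groupDn): string
{
    return sprintf(
        '(&(objectCategory=person)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))',
        ldap_escape($sam, '', LDAP_ESCAPE_FILTER),
        ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER)
    );
}

// $ds must already be connected and bound (for example with a service account).
function isInGroup($ds, string $sam): bool
{
    $res = ldap_search($ds, BASE_DN, groupMemberFilter($sam, GROUP_DN), ['dn']);
    return $res !== false && ldap_count_entries($ds, $res) === 1;
}

// Constructed server variables: authenticated, anonymous, and a name with filter metacharacters.
foreach ([
    ['AUTH_TYPE' => 'Negotiate', 'AUTH_USER' => 'DOMAIN\\johndoe'],
    ['AUTH_TYPE' => '', 'AUTH_USER' => ''],
    ['AUTH_TYPE' => 'NTLM', 'AUTH_USER' => 'DOMAIN\\x)(cn=*'],
] as $server) {
    $sam = iisAuthenticatedUser($server);
    echo $sam === null ? "prompt for credentials\n" : groupMemberFilter($sam, GROUP_DN) . "\n";
}
```

In a page, pass `$_SERVER` to `iisAuthenticatedUser()` and call `isInGroup()` with a bound connection; the loop at the end only prints the filters for the constructed inputs.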