There is a demand: Users logged into the computer through a domain account, open the Web site (PHP developed), do not need users to enter the user name and password, but directly to the local domain account login system.
That is, the user account on the site and the local domain account is consistent, as long as I log on to the computer, I opened the browser login site, the site will not prompt users to enter the account and password login, directly login to the site
Can php implement this function? If not, is there any other technology that can support it? Like Java, Python, C and the like.
I also know that PHP has a ladp extension, but this extension still needs to receive the user name and password
Now some OA system realizes this kind of function, how to do it?
Reply content:
There is a demand: Users logged into the computer through a domain account, open the Web site (PHP developed), do not need users to enter the user name and password, but directly to the local domain account login system.
That is, the user account on the site and the local domain account is consistent, as long as I log on to the computer, I opened the browser login site, the site will not prompt users to enter the account and password login, directly login to the site
Can php implement this function? If not, is there any other technology that can support it? Like Java, Python, C and the like.
I also know that PHP has a ladp extension, but this extension still needs to receive the user name and password
Now some OA system realizes this kind of function, how to do it?
The LDAP extension, like the MySQL extension, essentially reads the user name and password from the backend storage system, except that it is extremely fast. Your question is key to the browser side, how to submit an ID to the server (instead of manually entering the user name and password).
This identification can be:
The random string in the URL (or the header is OK), this is the solution of the previous @johnlui. You can understand it as a session ID with a very long validity period. In some of the site's WAP version, is so dry, such as the previous kaixin001.com, because of that era of mobile browser cookies are often not reliable, and mobile phone privacy is better, so use this way.
$_server[' REMOTE_ADDR '], if your intranet IP is fixed, and the security requirements are not particularly high, you can use this way to temporarily top a top, take the client IP, go to the ip-employee corresponding table check the employee name, and then give this employee logged in status.
$_server[' remote_addr ' + LDAP log, or active Directory log. If your employees ' computers have to be logged in via a domain account, then, after taking the client IP, go to the Ldap/ad log to check which employees have just logged in from this IP. This method is much more secure than the above because he has already passed domain account verification when logging on to the operating system desktop.
b/S Architecture programming restrictions, you can only through $_get, $_post, $_server and other variables to the server side to submit identification (plainly, you bypass HTTP), and the browser JS permissions are very low, not in the browser to mount a point what, can do on the above three kinds of.
If you can decorate something, then there are more ways :
- Digital certificates. Employee initialization, the intranet server to give him an intranet certificate (that is, do not pay the money, not VeriSign they certified), the certificate is written to the employee account, mailbox and so on, each time access to the service side, the browser check the domain name matching will automatically send the certificate information to the server. This is used more in large enterprises, there is no need to develop browser plug-ins.
- Browser plugin. First use the plug-in to the desktop system of various identity information, and then attached to the header to the server, the server knows the current login domain account is what. Said before, the browser in the JS permissions is very low, the permissions of the plug-in is very high, the right to jump queue depends on your browser to what the user started. The need for your current login domain account is certainly more than enough.
I once answered a similar question on SF.
Very simple:
Generate a token, a combination of letters and numbers, make a link into a browser bookmark or home page, you can start the browser automatically open the homepage.
This method is simple, but requires the network to be secure, or, use HTTPS.
Install the browser extension. This is the perfect plan.
Users can log on the first time the domain account, account number, password to write a file, or into a table, the next time you log in, do a look at the judge
Write a browser, on the package.
You this is not PHP to do things, PHP is the server-side script, how to handle the browser thing?
Solution: Write Browser plugin