
Re: Encrypted Passwords





Don't know if this is what you're trying to do, but have you seen this? HTTP Auth login using LDAP:

http://www.rudedog.org/auth_ldap/#intro

Otherwise, if you don't want to use the Apache module, you can try to bind to the LDAP server using the password the user gave you. If the bind was successful, then the password was correct.

Below is PHP code that authenticates a user with HTTP Basic auth and LDAP. The code is an include that is called by include_once() on every page. The code *seems* to work correctly but has not been thoroughly tested as yet.

Hope this helps
-Kervin


Thomas Gagne wrote:

When you do basic authentication on a web server, the password arrives in the
CGI script encrypted.  I was wondering if this encrypted password could be
passed to an LDAP server, and your response suggests it cannot (should not).
That's fine.  We'll just write a quick login screen that gets both
username/password so we can have the password in cleartext on the server to
pass to LDAP.  Since we're doing this over an https session they won't be
cleartext on the wire.

Thanks.

--
.tom


<?php
// UM auth include, pulled in with include_once() on every page.
// Assumed to be defined in a separate config/helper include (not on this page):
//   $UM_site_auth, $UM_site_auth_ldap_host, $UM_site_auth_ldap_manager_base,
//   $UM_site_auth_ldap_manager_group_base, $UM_site_auth_ldap_proxy_agent_dn,
//   $UM_site_auth_ldap_proxy_agent_pass, $UM_manager_group,
//   UM_log(), UM_exit_error(), UM_common_footer().

// The original relied on register_globals for $PHP_AUTH_USER/$PHP_AUTH_PW;
// read them from $_SERVER instead (PHP decodes the Basic header into these).
$PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$PHP_AUTH_PW   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';

// Send the Basic challenge, log the failed attempt and stop. The challenge
// headers were stripped by the list archive and are reconstructed here.
function authenticate_user()
{
    global $PHP_AUTH_USER, $PHP_AUTH_PW, $REMOTE_USER, $REMOTE_PASSWORD;

    header('WWW-Authenticate: Basic realm="UM"');
    header('HTTP/1.0 401 Unauthorized');

    echo "Access denied!\nMain Menu.\n";
    UM_log("\nUNAUTHORIZED USER: '$PHP_AUTH_USER'.\n");
    UM_log("HOST LOGGED: ");
    // X-Forwarded-For is client-supplied and can be spoofed; REMOTE_ADDR is
    // the peer the server actually saw, so both are logged.
    if (getenv('HTTP_X_FORWARDED_FOR')) UM_log(getenv('HTTP_X_FORWARDED_FOR'));
    if (getenv('REMOTE_ADDR')) UM_log(getenv('REMOTE_ADDR'));
    echo "\nThis session has been logged.\n";
    UM_common_footer("");

    $REMOTE_USER = ""; $REMOTE_PASSWORD = ""; $PHP_AUTH_USER = ""; $PHP_AUTH_PW = "";
    exit();
}

// An empty password must never reach ldap_bind(): a DN with an empty password
// is an unauthenticated bind, which many servers accept for any name.
if ($PHP_AUTH_USER == "" || $PHP_AUTH_PW == "") {
    authenticate_user();
} elseif (!isset($UM_site_auth) || $UM_site_auth == "LDAP") {
    // Escape the login before it goes into a DN or a search filter (LDAP injection).
    $user_dn      = ldap_escape($PHP_AUTH_USER, '', LDAP_ESCAPE_DN);
    $user_filter  = ldap_escape($PHP_AUTH_USER, '', LDAP_ESCAPE_FILTER);
    $group_filter = ldap_escape($UM_manager_group, '', LDAP_ESCAPE_FILTER);

    // Connect and bind as the user to validate the password
    if (!($conn = @ldap_connect($UM_site_auth_ldap_host)))
        UM_exit_error("Unable to connect to the LDAP server.");
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $dn = "uid=" . $user_dn . "," . $UM_site_auth_ldap_manager_base;
    if (@ldap_bind($conn, $dn, $PHP_AUTH_PW) != TRUE)
        authenticate_user();
    ldap_unbind($conn);

    // Connect again, this time as the proxy agent, to validate the user's group
    if (!($conn = @ldap_connect($UM_site_auth_ldap_host)))
        UM_exit_error("Unable to connect to the LDAP server.");
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (@ldap_bind($conn, $UM_site_auth_ldap_proxy_agent_dn, $UM_site_auth_ldap_proxy_agent_pass) != TRUE)
        UM_exit_error("ERROR while connecting to the ldap server");

    // Find the manager group's gidnumber
    // FIXME: This function desperately needs more logging and error handling/reporting.
    $justthese = array("gidnumber");
    $res = @ldap_list($conn, $UM_site_auth_ldap_manager_group_base, "cn=$group_filter", $justthese);
    $res_array1 = $res ? @ldap_get_entries($conn, $res) : false;
    if (!$res_array1 || $res_array1["count"] == 0) {
        UM_log("Could not determine gidnumber for $UM_manager_group");
        authenticate_user();   // fail closed instead of searching with an empty gid
    }
    $gid = ldap_escape($res_array1[0]["gidnumber"][0], '', LDAP_ESCAPE_FILTER);

    // The user is a manager if either its primary group is the manager group
    // (filter1) or it is listed as a memberuid of that group (filter2).
    // The original wrote "gid=" here; the posixAccount attribute is gidNumber.
    $filter1 = "(&(uid=$user_filter)(gidnumber=$gid))";
    $filter2 = "(&(cn=$group_filter)(memberuid=$user_filter))";
    $res  = @ldap_list($conn, $UM_site_auth_ldap_manager_base, $filter1);
    $res_array1 = $res ? @ldap_get_entries($conn, $res) : array("count" => 0);
    $res2 = @ldap_list($conn, $UM_site_auth_ldap_manager_group_base, $filter2);
    $res_array2 = $res2 ? @ldap_get_entries($conn, $res2) : array("count" => 0);
    @ldap_unbind($conn);

    if ($res_array1["count"] != 1 && $res_array2["count"] != 1)
        authenticate_user();
}
?>
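The bind-as-the-user check described in the reply above, as an added example that is not part of Kervin's include or of the auth_ldap module. It decodes the Authorization header by hand to show what the browser actually sends (base64 of "user:password", which is why the value can be handed straight to ldap_bind()), refuses empty passwords before they become an anonymous bind, and escapes the login before it is placed in a DN. The server URI, the people base, the realm and every function name are assumptions for illustration; PHP normally pre-decodes the header into $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'], so the manual decode is only there to make the point.

```php
<?php
// Added example (not from the original post or the auth_ldap module).
// Assumptions: users live at uid=<login>,<$user_base> on the server at
// $ldap_uri; all names below are hypothetical.

// HTTP Basic is base64, not encryption: "Authorization: Basic dXNlcjpzZWNyZXQ="
// decodes to "user:secret". That is what makes a pass-through LDAP bind possible.
function basic_auth_credentials(string $authorization_header): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $authorization_header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // RFC 7617: the user-id cannot contain ':'; the password may, so split once.
    [$user, $password] = explode(':', $decoded, 2);
    return ['user' => $user, 'password' => $password];
}

function ldap_check_password(string $ldap_uri, string $user_base, string $user, string $password): bool
{
    // An empty password turns ldap_bind() into an anonymous/unauthenticated
    // bind, which most directories accept: it would "succeed" for any login.
    if ($user === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($ldap_uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Escape the login before building the DN so a value such as
    // "bob,ou=admins" cannot move the bind to another subtree.
    $dn = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',' . $user_base;
    $ok = @ldap_bind($conn, $dn, $password);   // true only if the directory accepted the password
    ldap_unbind($conn);
    return $ok;
}

function require_basic_auth(string $realm): void
{
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Authentication required.\n";
    exit;
}

// Usage: only meaningful over HTTPS, since the decoded credentials are cleartext.
$creds = basic_auth_credentials($_SERVER['HTTP_AUTHORIZATION'] ?? '');
if ($creds === null
    || !ldap_check_password('ldaps://ldap.example.com', 'ou=people,dc=example,dc=com',
                            $creds['user'], $creds['password'])) {
    require_basic_auth('Members');
}
echo 'Welcome, ' . htmlspecialchars($creds['user']) . "\n";
```

Whether $_SERVER['HTTP_AUTHORIZATION'] is populated depends on the SAPI (mod_php sets it; CGI/FastCGI setups usually need a rewrite rule to forward the header), which is one more reason to prefer the PHP_AUTH_USER/PHP_AUTH_PW variables in production code. ldap_escape() and the LDAP_ESCAPE_* flags need PHP 5.6 or later.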