
Re: PHP authentication with encrypted password



A trick that I used to use when authenticating users to a mysql database
is so:

They log in to the webpage via their password: password

This is then run through the PHP md5 function and stored as a session
variable.

The session password would be: 5f4dcc3b5aa765d61d8327deb882cf99

In LDAP you store that mess however you'd like.  Using the LDAP md5
password method would probably be nice enough.

This has a couple of benefits, but is really only, imho, a pseudo-security
method.  Better than logging in cleartext all the time though.

pwilson

> Hi list,
>
> I needed help in programming PHP authenticating to
> OpenLDAP server.
>
> Currently, I'm passing the cleartext password to
> ldap_bind() and it works ok.  However, since I'm going
> to use session, I don't want to keep the password in
> the session as cleartext in order for PHP to
> authenticate again to OpenLDAP.
>
> I was thinking of hashing the password with md5 before
> saving it in the session.  However, ldap_bind() does
> not accept encrypted password (I think because the
> ldap API will hash the cleartext password and compare
> it with the one in the LDAP database).
>
> Reading the mailing list archive, seems that this
> method is not possible.  Has anyone found a way to
> circumvent this?
>
> Thank you.
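
Added example, not part of either message: the scheme from the reply as read here (the MD5 hex string is what the directory accepts as the bind password) next to an alternative that binds once and keeps only the user's identity in the session. The server URI, base DN, `uid` attribute and all function names are assumptions, and the caller is assumed to have run `session_start()` already.

```php
<?php
// Added example. Host, base DN and the uid attribute are assumptions.
const LDAP_URI  = 'ldaps://ldap.example.com';
const USER_BASE = 'ou=people,dc=example,dc=com';

function bind_as(string $uid, string $secret): bool
{
    // Reject empty values: a simple bind with an empty password is an
    // unauthenticated bind, which some servers report as success.
    if ($uid === '' || $secret === '') {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $dn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . USER_BASE;
    $ok = @ldap_bind($conn, $dn, $secret);
    ldap_unbind($conn);
    return $ok;
}

// Scheme from the reply: the directory holds md5(password) as the password,
// so the session value is exactly what ldap_bind() accepts on every request.
function login_md5_scheme(string $uid, string $password): bool
{
    $digest = md5($password);            // unsalted: same input, same digest
    if (!bind_as($uid, $digest)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    $_SESSION['bind_secret'] = $digest;  // password-equivalent for this directory
    return true;
}

// Alternative: bind once with the typed password, keep only the identity.
function login_bind_once(string $uid, string $password): bool
{
    if (!bind_as($uid, $password)) {
        return false;
    }
    session_regenerate_id(true);         // new session id after authentication
    $_SESSION['uid'] = $uid;
    $_SESSION['auth_time'] = time();     // lets the application expire the login
    return true;
}
```

With `login_bind_once()` the session holds nothing that can be replayed to `ldap_bind()`; any later directory lookups would need their own credentials, for example a separate read-only service account (an assumption, not something either message describes).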