
Re: PHP: issues managing the password, what is wrong?



Alberto Moreno <portsbsd@gmail.com> writes:

>   Hi people, I am doing a web interface that will request a username +
> password; like squirrelmail, I will contact my ldap server. This app
> will run on Centos 5.3, php 5.3; this will be where my web pages will
> be. The ldap server is running on Gentoo with ldap 2.3.43.
>
>   My current problem is with the password. I have found a small app that
> wants to compare the input of the password vs the ldap password; this
> will let us identify the user.

This application is broken and raises a security issue. The proper way
is to do a bind with the provided credentials. Furthermore, you cannot
do a ldapcompare with hashed passwords.
[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
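
The bind-based check recommended in the reply above, as an added example that is not part of the original message: look up the user's DN, then let the server verify the password through a bind. It assumes PHP 7 or later with the ldap extension (ldap_escape needs PHP 5.6+); the server URI, base DN and uid attribute are hypothetical.

```php
<?php
// Added example, not from the thread. Assumed: URI, base DN, uid attribute.
const LDAP_URI = 'ldap://ldap.example.org';      // hypothetical server
const BASE_DN  = 'ou=people,dc=example,dc=org';  // hypothetical subtree

function ldap_authenticate(string $username, string $password): bool
{
    // A simple bind with a DN and an empty password is an "unauthenticated
    // bind" (RFC 4513, section 5.1.2) and may succeed, so refuse it up front.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    try {
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        // Encrypt the session before any credentials are sent.
        if (!@ldap_start_tls($conn)) {
            return false;
        }
        // Anonymous bind to look up the user's DN. Assumes the directory's
        // ACLs permit this search; otherwise bind a read-only account here.
        if (!@ldap_bind($conn)) {
            return false;
        }
        // Escape the user-supplied name so it cannot alter the filter.
        $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $result = @ldap_search($conn, BASE_DN, $filter, ['dn'], 0, 2);
        if ($result === false) {
            return false;
        }
        $entries = ldap_get_entries($conn, $result);
        if ($entries === false || $entries['count'] !== 1) {
            return false; // unknown or ambiguous user
        }
        // The actual check: the server compares the password with whatever
        // hash it stores. The application never reads userPassword.
        return @ldap_bind($conn, $entries[0]['dn'], $password);
    } finally {
        @ldap_unbind($conn);
    }
}
```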