[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP + MD5 + PHP != Work

Don't encrypt your $pw in your code.  When you send your plain pw across
to the LDAP server, the server "MD5's" (because it knows it's local
password is stored that way) it, and compares it against it's internal
MD5 store.  If that comparison matches, you win.  

When you send your "MD5'd" password, LDAP receives it, encodes it
*again* because it doesn't know you've already encoded it, and compares
it against the local hashed password.

Use TLS or a SASL mechanism instead of simple auth if you need to
protect the password.


On Tue, 2004-08-31 at 14:03, Steven Hildreth wrote:
> Hi, 
> Attempting to connect to an OpenLDAP server to authenticate a
> user, just want to see if the password the user passes is the stored
> password if true. I can get the LDAP connection to connect to the
> server, but unless I switch the LDAP server to use only clear I
> continually get a 'Invalid Credentials' error (passwords dont match).
> I am using LDAP MD5 to hash passwords on the server. If I take and
> echo out the password the routine below is using and compare it to the
> password on the server they match exactly?! Even if I include "{MD5}"
> at the front it still always gives me "Invalid Credentials".
> Here is an example of the code I am using to check the password:
> function CheckPassword($username,$password){
>  $dn = "uid=" . $username . ",ou=People,dc=<domain>,dc=net";
>  $pw = trim(base64_encode(pack("H*",md5($password))));
>  $ldapconn = ldap_connect("ldaps://<server_address>/") or die("Could
> not connect to LDAP server!");
>  if ($ldapconn) {
>          $ldapbind = ldap_bind($ldapconn,$dn,$pw);
>          if ($ldapbind) {
>                  return true;
>          }
>  }
> }
> I am using OpenLDAP v2.1.30 and PHP 4.3.8, for what its worth I am
> using Gentoo and my make flags include "ldap".
> Thanks for any pointers.
> Regards,
> Steven
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc

Attachment: signature.asc
Description: This is a digitally signed message part