
Re: OpenLDAP + MD5 + PHP != Work



Steven Hildreth wrote:

Hi,

Attempting to connect to an OpenLDAP server to authenticate a
user, just want to see if the password the user passes is the stored
password if true. I can get the LDAP connection to connect to the
server, but unless I switch the LDAP server to use only clear I
continually get an 'Invalid Credentials' error (passwords don't match).
I am using LDAP MD5 to hash passwords on the server. If I take and
echo out the password the routine below is using and compare it to the
password on the server they match exactly?! Even if I include "{MD5}"
at the front it still always gives me "Invalid Credentials".

Here is an example of the code I am using to check the password:

function CheckPassword($username,$password){
        $dn = "uid=" . $username . ",ou=People,dc=<domain>,dc=net";
        $pw = trim(base64_encode(pack("H*",md5($password))));

        $ldapconn = ldap_connect("ldaps://<server_address>/") or die("Could not connect to LDAP server!");

        if ($ldapconn) {
                $ldapbind = ldap_bind($ldapconn,$dn,$pw);
                if ($ldapbind) {
                        return true;
                }
        }
}

I am using OpenLDAP v2.1.30 and PHP 4.3.8; for what it's worth, I am
using Gentoo and my make flags include "ldap".

Thanks for any pointers.

If you let your users authenticate with

	 dn="uid=".$username.",ou=People,dc=<domain>,dc=net";
        userPassword=

and you have an attribute called userPassword within the same entry, then LDAP does it all for you. Instead of using MD5 you could also use something such as SSHA. You will need the mhash library on your machine, or just type mhash into php.net and you will find the link.


function hashPassword($password) {
        // Seed the generator, then derive a 4-byte salt from a random 8-byte value.
        mt_srand((double) microtime() * 1000000);
        $salt = mhash_keygen_s2k(MHASH_SHA1, $password, substr(pack("h*", md5(mt_rand())), 0, 8), 4);
        // SSHA value: base64(SHA1(password + salt) + salt), prefixed with the scheme.
        return "{ssha}" . base64_encode(mhash(MHASH_SHA1, $password . $salt) . $salt);
}






You can exchange S/MIME-encrypted e-mail messages with ramon.amat@amat-sc.ch. You can obtain the public key of ramon.amat@amat-sc.ch at https://www.uniqmail.ch/pub/index.php?page=pv_digital_id&mail=ramon.amat@amat-sc.ch. If you would like e-mails addressed to you to be encrypted, simply send an S/MIME-signed e-mail message.
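
Added example, not code from either poster and not OpenLDAP's own: a PHP 7+ model of how a server checks a simple-bind password against a {MD5} or {SSHA} userPassword value, which is why the client sends the cleartext password over ldaps and a pre-hashed value gets "Invalid credentials". The function names and the sample password are assumptions made for this example.

```php
<?php
// Added illustration: models the server-side check of a simple-bind password
// against a hashed userPassword value. Not OpenLDAP's source code.

// Build a userPassword value; for {SSHA} the salt is stored after the digest.
function makeUserPassword(string $scheme, string $clear): string {
    if ($scheme === 'MD5') {
        return '{MD5}' . base64_encode(md5($clear, true));
    }
    $salt = random_bytes(8);
    return '{SSHA}' . base64_encode(sha1($clear . $salt, true) . $salt);
}

// Server side: hash the submitted bind password the same way and compare.
function verifyBindPassword(string $submitted, string $stored): bool {
    if (!preg_match('/^\{(MD5|SSHA)\}(.+)$/i', $stored, $m)) {
        return hash_equals($stored, $submitted);   // value stored in the clear
    }
    $raw = base64_decode($m[2], true);
    if ($raw === false) {
        return false;                              // malformed stored value
    }
    if (strtoupper($m[1]) === 'MD5') {
        return hash_equals($raw, md5($submitted, true));
    }
    if (strlen($raw) < 20) {
        return false;                              // shorter than a SHA-1 digest
    }
    $digest = substr($raw, 0, 20);                 // first 20 bytes: SHA-1 digest
    $salt   = substr($raw, 20);                    // remainder: the salt
    return hash_equals($digest, sha1($submitted . $salt, true));
}

// Constructed sample password, checked against both schemes.
$clear = 'correct horse';
// What the client in the question sends as the bind password: base64(md5(password)).
$prehashed = base64_encode(md5($clear, true));

foreach (['MD5', 'SSHA'] as $scheme) {
    $stored = makeUserPassword($scheme, $clear);
    printf("%-4s cleartext bind: %s, pre-hashed bind: %s\n",
        $scheme,
        verifyBindPassword($clear, $stored) ? 'accepted' : 'Invalid credentials',
        verifyBindPassword($prehashed, $stored) ? 'accepted' : 'Invalid credentials');
}
```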