[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: PHP: issues managing the password, what is wrong?

Alberto Moreno <portsbsd@gmail.com> writes:

>   Hi people, I doing a web interface that will request a username +
> password, like squirrelmail i will contact my ldap server, this app
> will  run on Centos 5.3, php 5.3, this will be where my web pages will
> be, the ldap server is running on Gentoo with ldap 2.3.43.
>   My current problem is with the password, I have found small app that
> wants to compare the input of the password vs the ldap password this
> will let us identify the user.

This application is broken and raises a security issue. The proper way
is to do  a bind with the provided credentials. Furthermore you cannot
do a ldapcompare with hashed passwords.


Dieter Klünter | Systemberatung