#17 CT_LDAP needs modification

open
nobody
None
5
2003-06-24
2003-06-24
Anonymous
No

I have been looking into methods for LDAP authentication
and wanted to check an opinion I have formed.

The way in which phpLib7.4pre2 checks user authentication
in CT_LDAP is somewhere between wierd and useless. From
what I can read in the source you can not authenticate
"normal" LDAP users. Instead phpLib wants its own
attributes for username and password (instead of using the
DN for userID and so on.)

I would prefer a method that looks for a DN (which is
allways unique) and then tries to bind to the server with that
DN and the provided password. This is the way that
mod_auth in apache handles the password check and is
more comaptible.

What are the reasons for the implementation in phpLib and
what are the plans for the future? In php4 you could have
the whole page managment without an sql backend which is
cool.

Or, I could just be way off and I am mistaking totally?

Discussion

  • Logged In: NO

    Binding authentication added directly to "Example_Auth"
    auth_validatelogin() in local.inc.

    // connect...
    $ds=ldap_connect($this->ldap_host, $this->ldap_port);// or
    echo "Error Connecting to LDAP server...";

    if ($ds) {
    // admin bind...
    $r=ldap_bind($ds, $this->rootdn, $this->rootpw);// or
    echo "Error Binding to LDAP server...";
    // search for uname...
    $sr=ldap_search($ds,$this->basedn, $this-
    >attr_uname."=".addslashes($HTTP_POST_VARS["username"]) );
    // get matching entries (should only be one)
    $info = ldap_get_entries($ds, $sr);

    // test all results, and get uid and permissions...
    for ($i=0; $i<$info["count"]; $i++) {
    // bind as user to test password
    $r=@ldap_bind($ds, $info[$i]["dn"],
    addslashes($HTTP_POST_VARS["password"]) );
    // if bind is successful...
    if ($r) {
    // fetch UID and perms
    $uid = md5($info[$i]["dn"]);
    $this->auth["perm"] = $info[$i][$this-
    >attr_perms][0];
    }
    }

    }
    ldap_close($ds);
    return $uid;
    }