From: Franky V. L. <lie...@te...> - 2010-05-23 07:44:38
On Sat, 22 May 2010 15:36:54 +0200 Arjen van Bochoven <boc...@fe...> wrote:
> I would like to propose an enhancement for phpESP so that the ldap
> authentication can be used for sites that use Active Directory and
> don't want to add an extra user.
>
> The problem is that in the current setup, there are two binds taking
> place:
>
> - first bind is anonymous or authenticated with a fixed
> username/passwd
> - second bind is done with the user credentials
>
> For Active Directory (and other ldap implementations that don't allow
> anonymous binds) the first bind has to be authenticated. So in the
> current setup you have to specify the dn and password needed for this
> bind in the config file.
>
> Instead of this I would like this first bind to use the user
> credentials, so no additional setup is needed on the ldap server
> side. In order to have this work, in the config you could have
> something like:
>
> $ESPCONFIG['ldap_bind_dn'] = 'uid=%s, dc=example, dc=com';
>
> and in the auth functions you could use sprintf for substitution:
>
> $bind_dn = sprintf($GLOBALS['ESPCONFIG']['ldap_bind_dn'], $username);
> $search_bind = @ldap_bind($ds, $bind_dn,
> $GLOBALS['ESPCONFIG']['ldap_bind_password']);
>
> I think it will take only a minor code change to make this work.
> Please comment on my proposal.
>

Well, the proposal seems ok to me, but remember that not only will the username need a sprintf statement, the password will also need to be changed to the one the user provided. And of course, this only works for one ldap subtree; users in another subtree will not have access in this way.

Please open a feature request for this so it can be tracked.

Franky
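The bind-as-the-user flow discussed in the thread, written out as an added example (editor's illustration, not phpESP's own code and not part of either message). It applies the correction from the reply (the user's password, not a fixed one, goes into the first bind) and adds the two checks a practitioner would want around a sprintf-built DN: refusing an empty password, since an empty password makes ldap_bind an unauthenticated bind that AD and most servers accept, and escaping the username before substitution so it cannot rewrite the DN or the search filter. The config key names (ldap_host, ldap_bind_dn, ldap_base_dn, ldap_user_attr) and the function name are assumptions for the example.

```php
<?php
// Added example, not phpESP code. Assumed config keys (hypothetical names):
// ldap_host, ldap_bind_dn (sprintf template with one %s), ldap_base_dn,
// ldap_user_attr. ldap_escape() requires PHP >= 5.6.

/**
 * Bind as the user with their own credentials and return their directory
 * entry (array) on success, false on any failure.
 */
function esp_ldap_user_login(array $config, $username, $password)
{
    // Reject empty credentials before ldap_bind() is ever called: a bind with
    // a DN and an empty password is an unauthenticated bind, which AD and most
    // servers report as success, so any known username would log in.
    if ($username === '' || $password === '') {
        return false;
    }

    // Escape the username before it goes into the DN template; otherwise input
    // such as "bob,ou=admins" rewrites the DN the user binds as.
    $safe_dn_user = ldap_escape($username, '', LDAP_ESCAPE_DN);
    $bind_dn = sprintf($config['ldap_bind_dn'], $safe_dn_user);

    $ds = ldap_connect($config['ldap_host']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD hands out referrals otherwise

    // The first (and now only) bind uses the user's DN *and* the user's
    // password, as the reply points out; no fixed service password is needed.
    if (@ldap_bind($ds, $bind_dn, $password) === false) {
        ldap_unbind($ds);
        return false;
    }

    // Look up the user's own entry. Use the filter escaping rules here, which
    // differ from the DN rules, so the username cannot inject filter syntax.
    $safe_filter_user = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter = sprintf('(%s=%s)', $config['ldap_user_attr'], $safe_filter_user);
    $result = @ldap_search($ds, $config['ldap_base_dn'], $filter, array('cn', 'mail'));
    $entries = ($result !== false) ? ldap_get_entries($ds, $result) : false;
    ldap_unbind($ds);

    // Exactly one matching entry is expected for a bound user.
    if ($entries === false || $entries['count'] !== 1) {
        return false;
    }
    return $entries[0];
}

// Configuration in the shape the proposal suggests (example values).
$ESPCONFIG = array(
    'ldap_host'      => 'ldap://dc1.example.com',
    'ldap_bind_dn'   => 'uid=%s,ou=people,dc=example,dc=com',
    'ldap_base_dn'   => 'dc=example,dc=com',
    'ldap_user_attr' => 'uid',
);

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$entry = esp_ldap_user_login($ESPCONFIG, $username, $password);
if ($entry === false) {
    // Generic failure message: do not reveal whether the DN exists.
    echo 'Login failed';
}
```

Usage note: the single-subtree limitation raised in the reply comes from the DN template itself. Active Directory also accepts a userPrincipalName (user@example.com) or DOMAIN\user as the bind name, so a template of '%s@example.com' with the same function lets users bind regardless of which OU their account lives in; the empty-password check and the filter escaping still apply in that case.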