From: Bishop B. <ph...@id...> - 2010-06-01 19:04:27
Haven't looked at the LDAP code in a while, but question for the list: do we have some intel on the rationale for the double-bind design? That design strikes me as peculiar, so I'm concerned there is a technical reason it's needed... or perhaps was needed way back when but no more. And also, Arjen, can you clarify the rationale for switching to a single bind? E.g., what is the performance gain? (Or conversely, what's the performance hit on the server for double -- is it O(n)? O(lg n)?)

bishop

Quoting Franky Van Liedekerke <lie...@te...>:

> On Sat, 22 May 2010 15:36:54 +0200
> Arjen van Bochoven <boc...@fe...> wrote:
>
>> I would like to propose an enhancement for phpESP so that the LDAP
>> authentication can be used for sites that use Active Directory and
>> don't want to add an extra user.
>>
>> The problem is that in the current setup, there are two binds taking
>> place:
>>
>> - first bind is anonymous or authenticated with a fixed
>>   username/passwd
>> - second bind is done with the user credentials
>>
>> For Active Directory (and other LDAP implementations that don't allow
>> anonymous binds) the first bind has to be authenticated. So in the
>> current setup you have to specify the DN and password needed for this
>> bind in the config file.
>>
>> Instead of this I would like this first bind to use the user
>> credentials, so no additional setup is needed on the LDAP server
>> side. In order to have this work, in the config you could have
>> something like:
>>
>>     $ESPCONFIG['ldap_bind_dn'] = 'uid=%s, dc=example, dc=com';
>>
>> and in the auth functions you could use sprintf for substitution:
>>
>>     $bind_dn = sprintf($GLOBALS['ESPCONFIG']['ldap_bind_dn'], $username);
>>     $search_bind = @ldap_bind($ds, $bind_dn,
>>                               $GLOBALS['ESPCONFIG']['ldap_bind_password']);
>>
>> I think it will take only a minor code change to make this work.
>> Please comment on my proposal.
>
> Well, the proposal seems OK to me, but remember that not only the
> username will need a sprintf statement, also the password will need to
> be changed to the one the user provided.
> And of course, this only works for one LDAP subtree; users in another
> subtree will not have access in this way.
> Please open a feature request for this so it can be tracked.
>
> Franky

-- 
Bishop Bettini
ideacode, Inc.
(main) +1 919 341 5170 / (fax) +1 919 521 4100
Visit us on the web at:
  ideacode.com          Professional software research and development
  reviewmysoftware.com  Improve sales! Review your software before you release
  bytejar.com           Solutions to those annoying development problems
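The single-bind scheme proposed in the quoted message, written out as an added PHP example (not phpESP's own code) that assumes two config keys, `ldap_server` and `ldap_bind_dn`, and adds the two checks a reviewer would ask for: the username is DN-escaped before it goes into the template (`ldap_escape`, PHP >= 5.6), and an empty password is refused, because RFC 4513 lets a bind with a DN and an empty password succeed as an unauthenticated bind.

```php
<?php
// Added example, not phpESP code. Single bind with the user's own credentials,
// using a DN template with one %s as in the proposal above.

function build_bind_dn(string $template, string $username): string
{
    // Refuse empty or absurdly long names, then escape for use inside a DN
    // (RFC 4514 rules) so that a value such as "bob,ou=admins" cannot change
    // which entry the bind targets.
    if ($username === '' || strlen($username) > 256) {
        throw new InvalidArgumentException('invalid username');
    }
    return sprintf($template, ldap_escape($username, '', LDAP_ESCAPE_DN));
}

function ldap_single_bind_auth(array $config, string $username, string $password): bool
{
    // An empty password turns the bind into an unauthenticated bind
    // (RFC 4513 section 5.1.2) that most servers accept: never send it.
    if ($password === '') {
        return false;
    }
    try {
        $bind_dn = build_bind_dn($config['ldap_bind_dn'], $username);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    $ds = ldap_connect($config['ldap_server']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // do not chase referrals (AD returns them)
    // The single bind is the whole credential check; @ suppresses the PHP
    // warning on invalid credentials, the result is logged instead.
    $ok = @ldap_bind($ds, $bind_dn, $password);
    if (!$ok) {
        error_log(sprintf('LDAP bind failed for %s: %s', $bind_dn, ldap_error($ds)));
    }
    ldap_unbind($ds);
    return $ok;
}

// Constructed configuration mirroring the proposal's key (placeholder host).
$config = [
    'ldap_server'  => 'ldaps://ldap.example.com',
    'ldap_bind_dn' => 'uid=%s,dc=example,dc=com',
];
// Usage: ldap_single_bind_auth($config, $login_username, $login_password);
```

Only the bind's own result decides authentication, so the config no longer needs a stored service password; as Franky notes, the template still covers a single subtree.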