From: Franky V. L. <lie...@te...> - 2010-06-01 21:47:37
Hi,

the double bind is needed most of the times:

- the user gives his username and password. Then the first bind happens with the search DN (not the user DN) in order to find the user DN
- then the second bind happens with the found user DN and his password

If the user DN can be constructed via the uid (eg. the rest of the DN is always known), you can avoid the first bind of course. This is what Arjen is thinking about :-)

Franky

On Tue, 01 Jun 2010 14:35:26 -0400
Bishop Bettini <ph...@id...> wrote:

> Haven't looked at the LDAP code in a while, but question for the
> list: do we have some intel on the rationale for the double-bind
> design? That design strikes me as peculiar, so I'm concerned there is
> a technical reason it's needed... or perhaps was needed way back
> when but no more.
>
> And also, Arjen, can you clarify the rationale for switching to a
> single bind? Eg, what is the performance gain? (Or conversely,
> what's the performance hit on the server for double -- is O(n)?
> O(lg n)?)
>
> bishop
>
> Quoting Franky Van Liedekerke <lie...@te...>:
>
> > On Sat, 22 May 2010 15:36:54 +0200
> > Arjen van Bochoven <boc...@fe...> wrote:
> >
> >> I would like to propose an enhancement for phpESP so that the ldap
> >> authentication can be used for sites that use Active Directory and
> >> don't want to add an extra user.
> >>
> >> The problem is that in the current setup, there are two binds
> >> taking place:
> >>
> >> - first bind is anonymous or authenticated with a fixed
> >>   username/passwd
> >> - second bind is done with the user credentials
> >>
> >> For Active Directory (and other ldap implementations that don't
> >> allow anonymous binds) the first bind has to be authenticated. So
> >> in the current setup you have to specify the dn and password
> >> needed for this bind in the config file.
> >>
> >> Instead of this I would like this first bind to use the user
> >> credentials, so no additional setup is needed on the ldap server
> >> side. In order to have this work, in the config you could have
> >> something like:
> >>
> >>     $ESPCONFIG['ldap_bind_dn'] = 'uid=%s, dc=example, dc=com';
> >>
> >> and in the auth functions you could use sprintf for substitution:
> >>
> >>     $bind_dn = sprintf($GLOBALS['ESPCONFIG']['ldap_bind_dn'], $username);
> >>     $search_bind = @ldap_bind($ds, $bind_dn,
> >>                               $GLOBALS['ESPCONFIG']['ldap_bind_password']);
> >>
> >> I think it will take only a minor code change to make this work.
> >> Please comment on my proposal.
> >>
> >
> > Well, the proposal seems ok to me, but remember that not only the
> > username will need a sprintf statement, also the password will need
> > to be changed to the one the user provided.
> > And of course, this only works for one ldap subtree, users in
> > another subtree will not have access in this way.
> > Please open a feature request for this so it can be tracked.
> >
> > Franky
> >
> > _______________________________________________
> > phpESP-devel mailing list
> > php...@li...
> > https://lists.sourceforge.net/lists/listinfo/phpesp-devel
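As an added example (not phpESP's own code, nor code from anyone in the thread), here are the two bind strategies under discussion written the way a defender would want them: the uid is escaped before it is substituted into the DN template or the search filter, the user's own password is used for the final bind, and an empty password is rejected up front because an empty password turns the bind into an unauthenticated one. Only `ldap_bind_dn` comes from the thread; the other config keys (`ldap_uri`, `ldap_search_dn`, `ldap_search_password`, `ldap_base_dn`, `ldap_uid_attr`) are assumed.

```php
<?php
// Added example, not phpESP code. Requires the PHP ldap extension (ldap_escape
// needs PHP >= 5.6). Returns the authenticated user's DN, or null on failure.
function ldap_auth_user(array $cfg, string $username, string $password): ?string
{
    // An empty password makes ldap_bind() an unauthenticated (anonymous) bind,
    // which many servers accept. Refuse it before touching the directory.
    if ($username === '' || $password === '') {
        return null;
    }

    $ds = ldap_connect($cfg['ldap_uri']);          // e.g. 'ldaps://ldap.example.com' (assumed key)
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    if (!empty($cfg['ldap_bind_dn'])) {
        // Single-bind mode (Arjen's proposal): ldap_bind_dn is a template such as
        // 'uid=%s,dc=example,dc=com'. Escape the uid for DN context so a crafted
        // username cannot add or alter RDN components.
        $user_dn = sprintf($cfg['ldap_bind_dn'], ldap_escape($username, '', LDAP_ESCAPE_DN));
    } else {
        // Double-bind mode (current design): bind as the search account, then look
        // up the user's DN; this is what allows users in several subtrees.
        if (!@ldap_bind($ds, $cfg['ldap_search_dn'], $cfg['ldap_search_password'])) {
            return null;
        }
        // Escape for filter context so the username cannot change the filter logic.
        $filter = sprintf('(%s=%s)', $cfg['ldap_uid_attr'],
                          ldap_escape($username, '', LDAP_ESCAPE_FILTER));
        $sr = @ldap_search($ds, $cfg['ldap_base_dn'], $filter, ['dn']);
        if ($sr === false || ldap_count_entries($ds, $sr) !== 1) {
            return null;                            // unknown or ambiguous user
        }
        $user_dn = ldap_get_dn($ds, ldap_first_entry($ds, $sr));
    }

    // Second (or only) bind: always with the user's own DN and password.
    if (!@ldap_bind($ds, $user_dn, $password)) {
        return null;
    }
    ldap_unbind($ds);
    return $user_dn;
}
```

In single-bind mode the template is a fixed string from the config, so `sprintf` only ever substitutes the escaped uid; with `ldap_bind_dn` unset the function falls back to the existing search-then-bind behaviour.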