From: Bishop B. <ph...@id...> - 2010-06-02 03:42:00
Ah, I see -- the proposal is to add a special case. Seems reasonable to me.
Open a ticket and let's get it done. :)

bishop

Quoting Franky Van Liedekerke <lie...@te...>:

> Hi,
>
> the double bind is needed most of the times:
>
> - the user gives his username and password. Then the first bind happens
>   with the search DN (not the user DN) in order to find the user DN
> - then the second bind happens with the found user DN and his password
>
> If the user DN can be constructed via the uid (eg. the rest of the DN
> is always known), you can avoid the first bind of course. This is what
> Arjen is thinking about :-)
>
> Franky
>
> On Tue, 01 Jun 2010 14:35:26 -0400
> Bishop Bettini <ph...@id...> wrote:
>
>> Haven't looked at the LDAP code in a while, but question for the
>> list: do we have some intel on the rationale for the double-bind
>> design? That design strikes me as peculiar, so I'm concerned there is
>> a technical reason it's needed... or perhaps was needed way back
>> when but no more.
>>
>> And also, Arjen, can you clarify the rationale for switching to a
>> single bind? Eg, what is the performance gain? (Or conversely,
>> what's the performance hit on the server for double -- is it O(n)?
>> O(lg n)?)
>>
>> bishop
>>
>> Quoting Franky Van Liedekerke <lie...@te...>:
>>
>> > On Sat, 22 May 2010 15:36:54 +0200
>> > Arjen van Bochoven <boc...@fe...> wrote:
>> >
>> >> I would like to propose an enhancement for phpESP so that the ldap
>> >> authentication can be used for sites that use Active Directory and
>> >> don't want to add an extra user.
>> >>
>> >> The problem is that in the current setup, there are two binds
>> >> taking place:
>> >>
>> >> - first bind is anonymous or authenticated with a fixed
>> >>   username/passwd
>> >> - second bind is done with the user credentials
>> >>
>> >> For Active Directory (and other ldap implementations that don't
>> >> allow anonymous binds) the first bind has to be authenticated. So
>> >> in the current setup you have to specify the dn and password
>> >> needed for this bind in the config file.
>> >>
>> >> Instead of this I would like this first bind to use the user
>> >> credentials, so no additional setup is needed on the ldap server
>> >> side. In order to have this work, in the config you could have
>> >> something like:
>> >>
>> >> $ESPCONFIG['ldap_bind_dn'] = 'uid=%s, dc=example, dc=com';
>> >>
>> >> and in the auth functions you could use sprintf for substitution:
>> >>
>> >> $bind_dn = sprintf($GLOBALS['ESPCONFIG']['ldap_bind_dn'], $username);
>> >> $search_bind = @ldap_bind($ds, $bind_dn,
>> >>                           $GLOBALS['ESPCONFIG']['ldap_bind_password']);
>> >>
>> >> I think it will take only a minor code change to make this work.
>> >> Please comment on my proposal.
>> >>
>> >
>> > Well, the proposal seems ok to me, but remember that not only the
>> > username will need a sprintf statement, also the password will need
>> > to be changed to the one the user provided.
>> > And of course, this only works for one ldap subtree, users in
>> > another subtree will not have access in this way.
>> > Please open a feature request for this so it can be tracked.
>> >
>> > Franky
>> >
>> > ------------------------------------------------------------------------------
>> >
>> > _______________________________________________
>> > phpESP-devel mailing list
>> > php...@li...
>> > https://lists.sourceforge.net/lists/listinfo/phpesp-devel
>> >
>>
>>

--
Bishop Bettini
ideacode, Inc.
(main) +1 919 341 5170 / (fax) +1 919 521 4100
Visit us on the web at:
  ideacode.com          Professional software research and development
  reviewmysoftware.com  Improve sales! Review your software before you release
  bytejar.com           Solutions to those annoying development problems
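The single-bind design discussed in this thread, as an added example that is not phpESP code or the code of anyone in the thread: the bind DN is built from the configured template and the submitted username, as Arjen proposes, and the bind uses the user's own password, as Franky notes it must. Two checks are added that the proposal as sketched does not have: the username is escaped for use inside a DN before it goes into the template, and an empty password is refused before it can reach ldap_bind(). The config key 'ldap_bind_dn' comes from the proposal; 'ldap_server', the function names and the sample values are assumptions made for this example.

```php
<?php
// Added example, not phpESP code: single-bind LDAP authentication with a
// DN template, plus the checks such a design needs.
// 'ldap_bind_dn' is from the proposal in the thread; 'ldap_server' and the
// esp_ldap_* function names are assumptions made for this example.

// Escape a value for use inside a DN (RFC 4514), so that a username such as
// "alice,ou=admins" cannot rewrite the rest of the template. On PHP 5.6+
// ldap_escape($value, '', LDAP_ESCAPE_DN) does the same job.
function esp_ldap_escape_dn($value)
{
    $escaped = preg_replace_callback('/[\\\\,+"<>;=#\x00]/', function ($m) {
        return sprintf('\\%02x', ord($m[0]));
    }, $value);
    // A leading or trailing space is only part of the value when escaped.
    if ($escaped !== '' && $escaped[0] === ' ') {
        $escaped = '\\20' . substr($escaped, 1);
    }
    if ($escaped !== '' && substr($escaped, -1) === ' ') {
        $escaped = substr($escaped, 0, -1) . '\\20';
    }
    return $escaped;
}

// Build the bind DN from the configured template, e.g.
// 'uid=%s,ou=people,dc=example,dc=com'. The username is sprintf's argument,
// never its format string, so a '%' in the username is harmless.
function esp_ldap_build_bind_dn($template, $username)
{
    return sprintf($template, esp_ldap_escape_dn($username));
}

// Authenticate with one bind as the user. Returns true only when the server
// accepted the user's own DN together with the user's own password.
function esp_ldap_single_bind($ds, $template, $username, $password)
{
    // A simple bind with a DN and an empty password is an "unauthenticated"
    // bind (RFC 4513, 5.1.2). Some servers, Active Directory among them,
    // answer it with success, so it has to be refused here rather than
    // left to the server.
    if ($username === '' || $password === '') {
        return false;
    }
    $bind_dn = esp_ldap_build_bind_dn($template, $username);
    return @ldap_bind($ds, $bind_dn, $password);
}

// Constructed usage; the server address and the submitted credentials are
// placeholders for this example.
$ESPCONFIG['ldap_server']  = 'ldap://ldap.example.com';
$ESPCONFIG['ldap_bind_dn'] = 'uid=%s,ou=people,dc=example,dc=com';

$ds = ldap_connect($ESPCONFIG['ldap_server']);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // Active Directory needs v3

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if (esp_ldap_single_bind($ds, $ESPCONFIG['ldap_bind_dn'], $username, $password)) {
    // Authenticated as the user's own DN: start the session here.
} else {
    // Wrong password, unknown user or a DN outside the template's subtree:
    // treat all of these the same way, as a failed login.
}
ldap_unbind($ds);
```

As Franky points out, this only authenticates users whose DN fits the single template; users in another subtree still need the search-then-bind (double-bind) path, which is why the thread settles on adding this as a special case rather than replacing the existing logic.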