From: Arjen v. B. <boc...@fe...> - 2010-05-22 14:02:55
I would like to propose an enhancement for phpESP so that the ldap authentication can be used for sites that use Active Directory and don't want to add an extra user.

The problem is that in the current setup, there are two binds taking place:

- first bind is anonymous or authenticated with a fixed username/passwd
- second bind is done with the user credentials

For Active Directory (and other ldap implementations that don't allow anonymous binds) the first bind has to be authenticated. So in the current setup you have to specify the dn and password needed for this bind in the config file.

Instead of this I would like this first bind to use the user credentials, so no additional setup is needed on the ldap server side. In order to have this work, in the config you could have something like:

$ESPCONFIG['ldap_bind_dn'] = 'uid=%s, dc=example, dc=com';

and in the auth functions you could use sprintf for substitution:

$bind_dn = sprintf($GLOBALS['ESPCONFIG']['ldap_bind_dn'], $username);
$search_bind = @ldap_bind($ds, $bind_dn, $GLOBALS['ESPCONFIG']['ldap_bind_password']);

I think it will take only a minor code change to make this work. Please comment on my proposal.

grz Arjen
From: Franky V. L. <lie...@te...> - 2010-05-23 07:44:38
On Sat, 22 May 2010 15:36:54 +0200
Arjen van Bochoven <boc...@fe...> wrote:

> I would like to propose an enhancement for phpESP so that the ldap authentication can be used for sites that use Active Directory and don't want to add an extra user.
>
> The problem is that in the current setup, there are two binds taking place:
>
> - first bind is anonymous or authenticated with a fixed username/passwd
> - second bind is done with the user credentials
>
> For Active Directory (and other ldap implementations that don't allow anonymous binds) the first bind has to be authenticated. So in the current setup you have to specify the dn and password needed for this bind in the config file.
>
> Instead of this I would like this first bind to use the user credentials, so no additional setup is needed on the ldap server side. In order to have this work, in the config you could have something like:
>
> $ESPCONFIG['ldap_bind_dn'] = 'uid=%s, dc=example, dc=com';
>
> and in the auth functions you could use sprintf for substitution:
>
> $bind_dn = sprintf($GLOBALS['ESPCONFIG']['ldap_bind_dn'], $username);
> $search_bind = @ldap_bind($ds, $bind_dn, $GLOBALS['ESPCONFIG']['ldap_bind_password']);
>
> I think it will take only a minor code change to make this work. Please comment on my proposal.

Well, the proposal seems ok to me, but remember that not only the username will need a sprintf statement, also the password will need to be changed to the one the user provided.
And of course, this only works for one ldap subtree, users in another subtree will not have access in this way.
Please open a feature request for this so it can be tracked.

Franky
From: Bishop B. <ph...@id...> - 2010-06-01 19:04:27
Haven't looked at the LDAP code in a while, but question for the list: do we have some intel on the rationale for the double-bind design? That design strikes me as peculiar, so I'm concerned there is a technical reason it's needed... or perhaps was needed way back when but no more.

And also, Arjen, can you clarify the rationale for switching to a single bind? Eg, what is the performance gain? (Or conversely, what's the performance hit on the server for double -- is it O(n)? O(lg n)?)

bishop

Quoting Franky Van Liedekerke <lie...@te...>:

> Well, the proposal seems ok to me, but remember that not only the username will need a sprintf statement, also the password will need to be changed to the one the user provided.
> And of course, this only works for one ldap subtree, users in another subtree will not have access in this way.
> Please open a feature request for this so it can be tracked.
>
> Franky
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel

--
Bishop Bettini
ideacode, Inc.
(main) +1 919 341 5170 / (fax) +1 919 521 4100
Visit us on the web at:
ideacode.com            Professional software research and development
reviewmysoftware.com    Improve sales! Review your software before you release
bytejar.com             Solutions to those annoying development problems
From: Franky V. L. <lie...@te...> - 2010-06-01 21:47:37
Hi,

the double bind is needed most of the times:

- the user gives his username and password. Then the first bind happens with the search DN (not the user DN) in order to find the user DN
- then the second bind happens with the found user DN and his password

If the user DN can be constructed via the uid (eg. the rest of the DN is always known), you can avoid the first bind of course. This is what Arjen is thinking about :-)

Franky

On Tue, 01 Jun 2010 14:35:26 -0400
Bishop Bettini <ph...@id...> wrote:

> Haven't looked at the LDAP code in a while, but question for the list: do we have some intel on the rationale for the double-bind design? That design strikes me as peculiar, so I'm concerned there is a technical reason it's needed... or perhaps was needed way back when but no more.
>
> And also, Arjen, can you clarify the rationale for switching to a single bind? Eg, what is the performance gain? (Or conversely, what's the performance hit on the server for double -- is it O(n)? O(lg n)?)
>
> bishop
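The two bind strategies discussed in this thread (fixed search account plus user bind, versus a single bind against a DN built from Arjen's `%s` template), as an added example that is not phpESP's own code. Only `ldap_bind_dn` comes from the thread; `ldap_server`, `ldap_search_dn`, `ldap_search_password`, `ldap_base_dn` and `ldap_uid_attr` are hypothetical config keys, and `ldap_escape()` requires PHP 5.6 or later.

```php
<?php
// Added example, not phpESP's own code. Config keys other than
// 'ldap_bind_dn' (from the thread) are hypothetical. Needs PHP >= 5.6 for ldap_escape().
// Build the user DN from the '%s' template of the proposal, escaping DN
// metacharacters so a crafted username cannot point the bind at another entry.
function esp_user_dn(string $template, string $username): string
{
    return sprintf($template, ldap_escape($username, '', LDAP_ESCAPE_DN));
}

// Returns true only when the directory accepts the user's own password.
function esp_ldap_auth(array $cfg, string $username, string $password): bool
{
    // RFC 4513 lets a server treat an empty password as an unauthenticated
    // bind that "succeeds"; refuse it before contacting the server.
    if ($username === '' || $password === '') {
        return false;
    }
    $ds = ldap_connect($cfg['ldap_server']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!empty($cfg['ldap_bind_dn'])) {
        // Single bind (Arjen's proposal): the DN comes from the template, so
        // only accounts in that one subtree can log in (Franky's caveat).
        $dn = esp_user_dn($cfg['ldap_bind_dn'], $username);
    } else {
        // Double bind: a fixed search account locates the user DN first.
        if (!@ldap_bind($ds, $cfg['ldap_search_dn'], $cfg['ldap_search_password'])) {
            ldap_unbind($ds);
            return false;
        }
        $filter = sprintf('(%s=%s)', $cfg['ldap_uid_attr'],
            ldap_escape($username, '', LDAP_ESCAPE_FILTER));
        $res = @ldap_search($ds, $cfg['ldap_base_dn'], $filter, ['dn']);
        $entries = $res ? ldap_get_entries($ds, $res) : ['count' => 0];
        if ($entries['count'] !== 1) {   // no match or ambiguous match
            ldap_unbind($ds);
            return false;
        }
        $dn = $entries[0]['dn'];
    }
    // Either way the final bind uses the password the user typed, never the
    // fixed config password (the point Franky raised).
    $ok = @ldap_bind($ds, $dn, $password);
    ldap_unbind($ds);
    return $ok;
}
```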
From: Bishop B. <ph...@id...> - 2010-06-02 03:42:00
Ah, I see -- the proposal is to add a special case. Seems reasonable to me. Open a ticket and let's get it done. :)

bishop

Quoting Franky Van Liedekerke <lie...@te...>:

> Hi,
>
> the double bind is needed most of the times:
>
> - the user gives his username and password. Then the first bind happens with the search DN (not the user DN) in order to find the user DN
> - then the second bind happens with the found user DN and his password
>
> If the user DN can be constructed via the uid (eg. the rest of the DN is always known), you can avoid the first bind of course. This is what Arjen is thinking about :-)
>
> Franky

--
Bishop Bettini
ideacode, Inc.
(main) +1 919 341 5170 / (fax) +1 919 521 4100
Visit us on the web at:
ideacode.com            Professional software research and development
reviewmysoftware.com    Improve sales! Review your software before you release
bytejar.com             Solutions to those annoying development problems