On 14/12/05 3:18, Justin Alcorn <[EMAIL PROTECTED]> wrote:

> 
> kent sent the following missive on 12/13/2005 9:42 PM:
>> Hello,
>> I am trying to get a handle on how to use Perl to compare passwords
>> stored in LDAP that may be encrypted by different means such as MD5,
>> SMD5, CRYPT etc. The passwords are stored in userPassword attribute.
> 
> Using LDAP like a database, where you compare password hashes, really
> isn't the correct way to use it.

You're correct. Google should be able to help you work out how the various
schemes are implemented (the only surprising thing is that many are
pointlessly base64 encoded) but seriously do not bank on being able to read
them back.

>  As a matter of fact, in some LDAP
> implementations, including Active Directory, you can't even query the
> userPassword attribute.

If you're doing SASL authentication, the password might not even be
something the server can return. There might not *be* a password.

> To authenticate a user, you find out if you can bind to the LDAP server
> using that username and password.

Yes, this is absolutely the very best thing to do. You might need to do a
search to convert your username value into the user's DN, but then you
should do a bind() to get the server to compare the password.

> To do it in other than clear text, you use LDAP over SSL by connecting
> to ldaps://

To make it clear - this is *not* generally required by servers.

> Also, there is a PHP LDAP library.  It isn't as robust as perl-ldap by
> any means, but for authenticating a user it works fine.


Cheers,

Chris
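The search-then-bind flow the thread recommends, as an added example using perl-ldap (Net::LDAP); this is not code from the thread or from the perl-ldap project. It assumes a server at ldap.example.com that allows an anonymous search under ou=people,dc=example,dc=com, that users are keyed by the uid attribute, and that the system CA store is enough for StartTLS verification.

```perl
#!/usr/bin/perl
# Added example: authenticate by searching for the user's DN and then
# binding as it, so the server compares the password. Nothing here reads
# or re-hashes userPassword. Host, base DN and attribute are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Returns 1 on success, 0 on failure; never logs the password.
sub ldap_authenticate {
    my ($host, $base, $username, $password) = @_;

    # Refuse empty passwords: an LDAP simple bind with an empty password
    # is an anonymous bind, which "succeeds" for any DN.
    return 0 unless defined $password && length $password;

    my $ldap = Net::LDAP->new($host, version => 3)
        or do { warn "connect to $host failed: $@"; return 0 };

    # Protect the credentials in transit (ldaps:// is the alternative).
    my $tls = $ldap->start_tls(verify => 'require');
    if ($tls->code) { warn "StartTLS failed: ", $tls->error; return 0 }

    # Step 1: look up the DN. Escape the username so a value such as
    # "*" or "x)(uid=*" cannot change the meaning of the filter.
    my $filter = sprintf '(uid=%s)', escape_filter_value($username);
    my $mesg = $ldap->search(base => $base, scope => 'sub',
                             filter => $filter, attrs => ['1.1']);
    if ($mesg->code) { warn "search failed: ", $mesg->error; return 0 }
    return 0 unless $mesg->count == 1;   # no match or ambiguous: deny
    my $dn = $mesg->entry(0)->dn;

    # Step 2: simple bind as that DN; the server checks the password,
    # whatever hashing scheme it stores it under.
    my $bind = $ldap->bind($dn, password => $password);
    my $ok = $bind->code ? 0 : 1;
    $ldap->unbind;
    return $ok;
}

# Usage with assumed values (username and password from the command line).
my $ok = ldap_authenticate('ldap.example.com',
                           'ou=people,dc=example,dc=com',
                           $ARGV[0] // 'jdoe', $ARGV[1] // 'secret');
print $ok ? "authenticated\n" : "denied\n";
```

If the directory does not permit anonymous searches, do the step-1 search on a connection bound with a low-privilege service account and keep the user's own bind for step 2.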
