On Mon, Oct 29, 2001 at 04:54:37PM -0700, Johnson, Kirk wrote:
> Thanks for the link, Kurt. Can you also point to any authentication code
> examples, or further discussion? The user comments in the manual suggest
> there are at least a couple ways to code stuff, ldap_compare vs ldap_bind.
> Any additional help appreciated.
I might be able to help if you have some more precise questions, but
basically there are two ways LDAP can be used. You can either use it
as a data store or you can have LDAP make the authentication decision
for you. If you want the user to supply username and password, the
authentication can be done as follows:
As data store:
Hopefully the passwords are stored encrypted. Then there are two ways.
If the password is stored encrypted with some unknown salt where the
salt is stored together with the password (like the traditional UNIX
way), your PHP script retrieves the encrypted password from LDAP,
checks the salt, encrypts the user supplied password using the salt,
and compare the two. If you don't use a salt you can encrypt the
password from the user and just do an ldap_compare to check that it's
the same as in the LDAP server. You get better security by not allowing
people to read the encrypted passwords from LDAP. To store passwords
"encrypted" in LDAP, SHA1 might be a good choice, PHP has this.
As decision maker:
You can simply bind to the server on behalf of the user, you use the
user supplied username and password as arguments to ldap_bind(). If
the bind succeeds, you let the user access your stuff. In this case
you should consider using SSL/TLS for talking to the server.
There are other ways to authenticate with LDAP, RFC 2829 gives a good
overview. You can find it at for instance
I could go into more detail, but to write a complete general overview
would be a lot of work. You might also have a look at a really short
presentation I've made at
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]