Thanks very much, Stig, very helpful! We are just scouting the technology right now, so my more precise questions will come later ;) We will be using SSL. Given that, it looks to me like "decision maker" mode is the way to go?
Kirk

> -----Original Message-----
> From: Stig Venaas [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 31, 2001 3:06 AM
> To: Johnson, Kirk
> Cc: PHP General List
> Subject: Re: [PHP] User Authentication against remote authentication server [ LDAP ]
>
> On Mon, Oct 29, 2001 at 04:54:37PM -0700, Johnson, Kirk wrote:
> > Thanks for the link, Kurt. Can you also point to any authentication code
> > examples, or further discussion? The user comments in the manual suggest
> > there are at least a couple ways to code stuff, ldap_compare vs ldap_bind.
> > Any additional help appreciated.
>
> I might be able to help if you have some more precise questions, but
> basically there are two ways LDAP can be used. You can either use it
> as a data store or you can have LDAP make the authentication decision
> for you. If you want the user to supply username and password, the
> authentication can be done as follows:
>
> As data store:
>
> Hopefully the passwords are stored encrypted. Then there are two ways.
> If the password is stored encrypted with some unknown salt where the
> salt is stored together with the password (like the traditional UNIX
> way), your PHP script retrieves the encrypted password from LDAP,
> checks the salt, encrypts the user-supplied password using the salt,
> and compares the two. If you don't use a salt you can encrypt the
> password from the user and just do an ldap_compare to check that it's
> the same as in the LDAP server. You get better security by not allowing
> people to read the encrypted passwords from LDAP. To store passwords
> "encrypted" in LDAP, SHA1 might be a good choice; PHP has this.
>
> As decision maker:
>
> You can simply bind to the server on behalf of the user; you use the
> user-supplied username and password as arguments to ldap_bind(). If
> the bind succeeds, you let the user access your stuff. In this case
> you should consider using SSL/TLS for talking to the server.
>
> There are other ways to authenticate with LDAP; RFC 2829 gives a good
> overview. You can find it, for instance, at
> http://www.ietf.org/rfc/rfc2829.txt
>
> I could go into more detail, but to write a complete general overview
> would be a lot of work. You might also have a look at a really short
> presentation I've made at
> http://www.uninett.no/info/seminar/gnomis/ldapauth.pdf
>
> Stig

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
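Both authentication styles from Stig's reply, written out as an added example for modern PHP with ext/ldap (this is not code from the original thread or from Stig). The host name, base DN, service account and the `{SSHA}`/`{SHA}` layout of `userPassword` are assumptions; the sample hash in the self-check at the bottom is constructed inline. The "data store" path verifies a salted hash fetched from the directory with a constant-time compare, the `ldap_compare` variant covers the unsalted case, and the "decision maker" path binds as the user over STARTTLS. Both paths refuse an empty password first, because an LDAP bind with a DN and an empty password is an unauthenticated bind that many servers report as success.

```php
<?php
// Added example, not from the original mail. Assumes PHP >= 7.1 with ext/ldap,
// an LDAP server at ldap.example.org (assumed), users under
// ou=people,dc=example,dc=org (assumed), and a read-only service account.
declare(strict_types=1);

// ---- Data store, salted: {SSHA} = base64( sha1(password . salt) . salt ) ----
// The salt is stored together with the digest, as Stig describes; {SHA} is the
// same layout with no trailing salt.
function verify_hashed_password(string $stored, string $supplied): bool
{
    if (preg_match('/^\{(SSHA|SHA)\}(.+)$/i', $stored, $m) !== 1) {
        return false;                              // unknown scheme: fail closed
    }
    $raw = base64_decode($m[2], true);
    if ($raw === false || strlen($raw) < 20) {
        return false;
    }
    $digest = substr($raw, 0, 20);                 // SHA-1 digest is 20 bytes
    $salt   = substr($raw, 20);                    // empty string for {SHA}
    $candidate = sha1($supplied . $salt, true);
    return hash_equals($digest, $candidate);       // constant-time comparison
}

// Used only to construct a sample stored value for the self-check below.
function make_ssha(string $password, string $salt): string
{
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// Data store: bind as a service account, read userPassword, verify locally.
function authenticate_via_data_store(string $uri, string $baseDn, string $svcDn,
                                     string $svcPw, string $username, string $password): bool
{
    if ($password === '') {
        return false;                              // never forward an empty password
    }
    $ldap = ldap_connect($uri);                    // e.g. "ldap://ldap.example.org" (assumed)
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_start_tls($ldap) || !@ldap_bind($ldap, $svcDn, $svcPw)) {
        ldap_unbind($ldap);
        return false;
    }
    $filter  = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = @ldap_search($ldap, $baseDn, $filter, ['userPassword']);
    $entries = $result ? ldap_get_entries($ldap, $result) : false;
    $ok = false;
    // ldap_get_entries lower-cases attribute names; require exactly one match.
    if ($entries !== false && $entries['count'] === 1 && isset($entries[0]['userpassword'][0])) {
        $ok = verify_hashed_password($entries[0]['userpassword'][0], $password);
    }
    ldap_unbind($ldap);
    return $ok;
}

// Data store, unsalted {SHA}: hash locally and let the server compare the value,
// so the stored hashes never need to be readable by the application.
function authenticate_via_compare($ldap, string $userDn, string $password): bool
{
    if ($password === '') {
        return false;
    }
    $value = '{SHA}' . base64_encode(sha1($password, true));
    return ldap_compare($ldap, $userDn, 'userPassword', $value) === true; // -1 means error
}

// Decision maker: bind as the user over STARTTLS and trust the server's verdict.
function authenticate_via_bind(string $uri, string $baseDn, string $username, string $password): bool
{
    if ($password === '') {
        return false;                              // empty password = unauthenticated bind
    }
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_start_tls($ldap)) {                 // refuse to send the password in clear
        ldap_unbind($ldap);
        return false;
    }
    $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
    $ok = @ldap_bind($ldap, $dn, $password);
    ldap_unbind($ldap);
    return $ok;
}

// Offline self-check of the hash verification with a constructed sample value.
$sample = make_ssha('correct horse', 'r4nd0m');
var_dump(verify_hashed_password($sample, 'correct horse'));   // bool(true)
var_dump(verify_hashed_password($sample, 'wrong password'));  // bool(false)
```

The bind-based function is the "decision maker" mode Kirk asks about: the application never sees a hash, the server applies its own password policy, and the only client-side requirements are TLS before the bind and the empty-password check. The data-store functions need a service account that can read `userPassword`, which is why Stig notes that keeping those hashes unreadable gives better security.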