Thanks very much, Stig, very helpful! We are just scouting the technology
right now, so my more precise questions will come later ;) We will be using
SSL. Given that, it looks to me like "decision maker" mode is the way to go?


> -----Original Message-----
> From: Stig Venaas [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 31, 2001 3:06 AM
> To: Johnson, Kirk
> Cc: PHP General List
> Subject: Re: [PHP] User Authentication against remote authentication
> serve r [ LDAP ]
> On Mon, Oct 29, 2001 at 04:54:37PM -0700, Johnson, Kirk wrote:
> > Thanks for the link, Kurt. Can you also point to any 
> authentication code
> > examples, or further discussion? The user comments in the 
> manual suggest
> > there are at least a couple ways to code stuff, 
> ldap_compare vs ldap_bind.
> > Any additional help appreciated.
> I might be able to help if you have some more precise questions, but
> basically there are two ways LDAP can be used. You can either use it
> as a data store or you can have LDAP make the authentication decision
> for you. If you want the user to supply username and password, the
> authentication can be done as follows:
> As data store:
> Hopefully the passwords are stored encrypted. Then there are two ways.
> If the password is stored encrypted with some unknown salt where the
> salt is stored together with the password (like the traditional UNIX
> way), your PHP script retrieves the encrypted password from LDAP,
> checks the salt, encrypts the user supplied password using the salt,
> and compare the two. If you don't use a salt you can encrypt the
> password from the user and just do an ldap_compare to check that it's
> the same as in the LDAP server. You get better security by 
> not allowing
> people to read the encrypted passwords from LDAP. To store passwords
> "encrypted" in LDAP, SHA1 might be a good choice, PHP has this.
> As decision maker:
> You can simply bind to the server on behalf of the user, you use the
> user supplied username and password as arguments to ldap_bind(). If
> the bind succeeds, you let the user access your stuff. In this case
> you should consider using SSL/TLS for talking to the server.
> There are other ways to authenticate with LDAP, RFC 2829 gives a good
> overview. You can find it at for instance
> I could go into more detail, but to write a complete general overview
> would be a lot of work. You might also have a look at a really short
> presentation I've made at
> Stig

PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to