Re: [PHP] User Authentication against remote authentication server [LDAP]

2001-10-31 Thread Stig Venaas

On Mon, Oct 29, 2001 at 04:54:37PM -0700, Johnson, Kirk wrote:
 Thanks for the link, Kurt. Can you also point to any authentication code
 examples, or further discussion? The user comments in the manual suggest
 there are at least a couple ways to code stuff, ldap_compare vs ldap_bind.
 Any additional help appreciated.

I might be able to help if you have some more precise questions, but
basically there are two ways LDAP can be used. You can either use it
as a data store or you can have LDAP make the authentication decision
for you. If you want the user to supply username and password, the
authentication can be done as follows:

As data store:

Hopefully the passwords are stored encrypted. Then there are two ways.
If the password is stored encrypted with some unknown salt where the
salt is stored together with the password (like the traditional UNIX
way), your PHP script retrieves the encrypted password from LDAP,
checks the salt, encrypts the user-supplied password using the salt,
and compares the two. If you don't use a salt you can encrypt the
password from the user and just do an ldap_compare to check that it's
the same as in the LDAP server. You get better security by not allowing
people to read the encrypted passwords from LDAP. To store passwords
encrypted in LDAP, SHA1 might be a good choice; PHP has this.

As decision maker:

You can simply bind to the server on behalf of the user; you use the
user-supplied username and password as arguments to ldap_bind(). If
the bind succeeds, you let the user access your stuff. In this case
you should consider using SSL/TLS for talking to the server.

There are other ways to authenticate with LDAP; RFC 2829 gives a good
overview. You can find it, for instance, at
http://www.ietf.org/rfc/rfc2829.txt

I could go into more detail, but to write a complete general overview
would be a lot of work. You might also have a look at a really short
presentation I've made at
http://www.uninett.no/info/seminar/gnomis/ldapauth.pdf

Stig
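The two modes described above, as an added example in modern PHP that is not part of the thread: data-store mode verifies a salted SHA-1 ({SSHA}) value pulled from the directory, and decision-maker mode binds as the user over STARTTLS. The {SSHA} storage form, the LDAP URI, the base DN and the uid attribute are assumptions.

```php
<?php
// Added example, not from the thread; the URI, base DN and uid attribute are assumptions.
// Data-store mode: the entry holds a salted SHA-1 in the common {SSHA} form,
// base64(sha1(password . salt) . salt). Pull the salt out of the stored value,
// hash the supplied password with that salt and compare the digests.
function verify_ssha(string $stored, string $supplied): bool
{
    if (strncasecmp($stored, '{SSHA}', 6) !== 0) {
        return false;                       // not an {SSHA} value
    }
    $raw = base64_decode(substr($stored, 6), true);
    if ($raw === false || strlen($raw) <= 20) {
        return false;                       // need a 20-byte digest plus salt
    }
    $digest = substr($raw, 0, 20);
    $salt   = substr($raw, 20);
    // constant-time compare, so timing does not leak how much of the digest matched
    return hash_equals($digest, sha1($supplied . $salt, true));
}

// Builds an {SSHA} value the way a directory would store it (for local testing)
function make_ssha(string $password, string $salt): string
{
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// Decision-maker mode: bind as the user and let the server decide.
// STARTTLS keeps the cleartext password off the wire; the uid is escaped
// before it goes into the search filter so it cannot change the filter.
function ldap_auth_bind(string $uri, string $baseDn, string $uid, string $pass): bool
{
    if ($pass === '') {
        return false;   // empty password = anonymous bind, which would "succeed"
    }
    $ds = ldap_connect($uri);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_start_tls($ds)) {
        return false;                       // refuse to send the password in clear
    }
    // resolve uid to a DN; this search runs anonymously (server must allow it)
    $filter  = '(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
    $result  = ldap_search($ds, $baseDn, $filter, ['dn']);
    $entries = $result ? ldap_get_entries($ds, $result) : ['count' => 0];
    $ok = $entries['count'] === 1 && @ldap_bind($ds, $entries[0]['dn'], $pass);
    ldap_unbind($ds);
    return $ok;
}

$stored = make_ssha('correct horse', random_bytes(8));   // constructed sample value
var_dump(verify_ssha($stored, 'correct horse'), verify_ssha($stored, 'wrong'));
```

verify_ssha() runs offline; ldap_auth_bind() needs the ldap extension and a reachable server, e.g. ldap_auth_bind('ldap://ldap.example.com', 'ou=people,dc=example,dc=com', $uid, $pass).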

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] User Authentication against remote authentication server [LDAP]

2001-10-31 Thread Johnson, Kirk

Thanks very much, Stig, very helpful! We are just scouting the technology
right now, so my more precise questions will come later ;) We will be using
SSL. Given that, it looks to me like decision maker mode is the way to go?

Kirk
