RE: [PHP] User Authentication against remote authentication server [ LDAP ]

2001-10-31 Thread Johnson, Kirk

Thanks very much, Stig, very helpful! We are just scouting the technology
right now, so my more precise questions will come later ;) We will be using
SSL. Given that, it looks to me like "decision maker" mode is the way to go?

Kirk

> -Original Message-
> From: Stig Venaas [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 31, 2001 3:06 AM
> To: Johnson, Kirk
> Cc: PHP General List
> Subject: Re: [PHP] User Authentication against remote authentication server [ LDAP ]
> 
> 
> On Mon, Oct 29, 2001 at 04:54:37PM -0700, Johnson, Kirk wrote:
> > Thanks for the link, Kurt. Can you also point to any authentication code
> > examples, or further discussion? The user comments in the manual suggest
> > there are at least a couple ways to code stuff, ldap_compare vs ldap_bind.
> > Any additional help appreciated.
> 
> I might be able to help if you have some more precise questions, but
> basically there are two ways LDAP can be used. You can either use it
> as a data store or you can have LDAP make the authentication decision
> for you. If you want the user to supply username and password, the
> authentication can be done as follows:
> 
> As data store:
> 
> Hopefully the passwords are stored encrypted. Then there are two ways.
> If the password is stored encrypted with some unknown salt where the
> salt is stored together with the password (like the traditional UNIX
> way), your PHP script retrieves the encrypted password from LDAP,
> checks the salt, encrypts the user supplied password using the salt,
> and compares the two. If you don't use a salt you can encrypt the
> password from the user and just do an ldap_compare to check that it's
> the same as in the LDAP server. You get better security by not allowing
> people to read the encrypted passwords from LDAP. To store passwords
> "encrypted" in LDAP, SHA1 might be a good choice; PHP has this.
> 
> As decision maker:
> 
> You can simply bind to the server on behalf of the user, using the
> user supplied username and password as arguments to ldap_bind(). If
> the bind succeeds, you let the user access your stuff. In this case
> you should consider using SSL/TLS for talking to the server.
> 
> There are other ways to authenticate with LDAP; RFC 2829 gives a good
> overview. You can find it at for instance
> http://www.ietf.org/rfc/rfc2829.txt
> 
> I could go into more detail, but to write a complete general overview
> would be a lot of work. You might also have a look at a really short
> presentation I've made at
> http://www.uninett.no/info/seminar/gnomis/ldapauth.pdf
> 
> Stig
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] User Authentication against remote authentication server [ LDAP ]

2001-10-31 Thread Stig Venaas

On Mon, Oct 29, 2001 at 04:54:37PM -0700, Johnson, Kirk wrote:
> Thanks for the link, Kurt. Can you also point to any authentication code
> examples, or further discussion? The user comments in the manual suggest
> there are at least a couple ways to code stuff, ldap_compare vs ldap_bind.
> Any additional help appreciated.

I might be able to help if you have some more precise questions, but
basically there are two ways LDAP can be used. You can either use it
as a data store or you can have LDAP make the authentication decision
for you. If you want the user to supply username and password, the
authentication can be done as follows:

As data store:

Hopefully the passwords are stored encrypted. Then there are two ways.
If the password is stored encrypted with some unknown salt where the
salt is stored together with the password (like the traditional UNIX
way), your PHP script retrieves the encrypted password from LDAP,
checks the salt, encrypts the user supplied password using the salt,
and compares the two. If you don't use a salt you can encrypt the
password from the user and just do an ldap_compare to check that it's
the same as in the LDAP server. You get better security by not allowing
people to read the encrypted passwords from LDAP. To store passwords
"encrypted" in LDAP, SHA1 might be a good choice; PHP has this.

As decision maker:

You can simply bind to the server on behalf of the user, using the
user supplied username and password as arguments to ldap_bind(). If
the bind succeeds, you let the user access your stuff. In this case
you should consider using SSL/TLS for talking to the server.

There are other ways to authenticate with LDAP; RFC 2829 gives a good
overview. You can find it at for instance
http://www.ietf.org/rfc/rfc2829.txt

I could go into more detail, but to write a complete general overview
would be a lot of work. You might also have a look at a really short
presentation I've made at
http://www.uninett.no/info/seminar/gnomis/ldapauth.pdf

Stig
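The two modes Stig describes, written out as an added PHP example against ext/ldap (this is not code from the original thread). The host ldap.example.com, the base DN, the uid naming attribute and the {SSHA} storage scheme are assumptions; the salted-hash helpers run without a directory, the bind and compare helpers need one.

```php
<?php
// Added example, not from the original thread: Stig's "decision maker"
// and "data store" modes with PHP's ext/ldap. Host, base DN and the uid
// attribute below are assumptions about the directory layout.
declare(strict_types=1);

const LDAP_URI = 'ldaps://ldap.example.com';   // assumed; ldaps:// means TLS from the first byte
const BASE_DN  = 'ou=people,dc=example,dc=com'; // assumed directory layout

function userDn(string $username): string
{
    // Escape the username for DN context so it cannot add or alter RDNs.
    return 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . BASE_DN;
}

// Mode 1 ("decision maker"): bind as the user and let the server decide.
function authenticateByBind(string $username, string $password): bool
{
    // An empty password turns a simple bind into an anonymous bind, which
    // most servers accept. Refuse it before contacting the directory.
    if ($password === '' || preg_match('/^[A-Za-z0-9._-]+$/', $username) !== 1) {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    $ok = @ldap_bind($conn, userDn($username), $password);
    ldap_unbind($conn);
    return $ok;
}

// Mode 2a ("data store", unsalted): hash the candidate the same way the
// directory stores it and let ldap_compare match it. $conn is already bound
// as the application's service account. ldap_compare returns -1 on error,
// so only an exact true is accepted.
function authenticateByCompare($conn, string $username, string $password): bool
{
    $value = '{SHA}' . base64_encode(sha1($password, true));
    return ldap_compare($conn, userDn($username), 'userPassword', $value) === true;
}

// Mode 2b ("data store", salted): read userPassword through the service
// account and verify it locally. Returns null when the user is not unique
// or has no stored password.
function fetchStoredPassword($conn, string $username): ?string
{
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $res = ldap_search($conn, BASE_DN, $filter, ['userPassword']);
    if ($res === false) {
        return null;
    }
    $entries = ldap_get_entries($conn, $res);
    if ($entries['count'] !== 1 || empty($entries[0]['userpassword'][0])) {
        return null;
    }
    return $entries[0]['userpassword'][0];
}

// Verify a {SSHA} (salt appended to the SHA1 digest, the "salt stored
// together with the password" case) or {SHA} value. Anything else,
// including a plaintext value, is rejected rather than compared.
function verifyStoredPassword(string $stored, string $candidate): bool
{
    if (preg_match('/^\{(SSHA|SHA)\}(.+)$/i', $stored, $m) !== 1) {
        return false;
    }
    $raw = base64_decode($m[2], true);
    if ($raw === false || strlen($raw) < 20) {
        return false;
    }
    $digest = substr($raw, 0, 20);
    $salt   = substr($raw, 20);          // empty for {SHA}
    if (strtoupper($m[1]) === 'SHA' && $salt !== '') {
        return false;
    }
    // hash_equals keeps the comparison constant-time.
    return hash_equals($digest, sha1($candidate . $salt, true));
}

// Produce a {SSHA} value for storing a new password: fresh 8-byte salt,
// digest over password+salt, salt appended so the verifier can find it.
function makeSshaPassword(string $password): string
{
    $salt = random_bytes(8);
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// Self-check of the salted path with a constructed value; no directory needed.
$stored = makeSshaPassword('correct horse');
assert(verifyStoredPassword($stored, 'correct horse') === true);
assert(verifyStoredPassword($stored, 'wrong') === false);
assert(verifyStoredPassword('plaintext-value', 'plaintext-value') === false);
```

The empty-password check in authenticateByBind is the caveat that matters most with the bind approach: LDAP treats a simple bind with a DN and an empty password as anonymous, so without it a blank login form field would "succeed". The compare helper only fits unsalted storage, exactly as Stig says; with {SSHA} the salt is unknown until the value is read, which is why the salted path has to fetch and verify locally.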
