On Mon, Oct 29, 2001 at 04:54:37PM -0700, Johnson, Kirk wrote:
> Thanks for the link, Kurt. Can you also point to any authentication code
> examples, or further discussion? The user comments in the manual suggest
> there are at least a couple ways to code stuff, ldap_compare vs ldap_bind.
> Any additional help appreciated.
I might be able to help if you have some more precise questions, but basically there are two ways LDAP can be used. You can either use it as a data store or you can have LDAP make the authentication decision for you. If you want the user to supply username and password, the authentication can be done as follows:

As data store: Hopefully the passwords are stored encrypted. Then there are two ways. If the password is stored encrypted with some unknown salt where the salt is stored together with the password (like the traditional UNIX way), your PHP script retrieves the encrypted password from LDAP, checks the salt, encrypts the user-supplied password using the salt, and compares the two. If you don't use a salt you can encrypt the password from the user and just do an ldap_compare to check that it's the same as in the LDAP server. You get better security by not allowing people to read the encrypted passwords from LDAP. To store passwords "encrypted" in LDAP, SHA1 might be a good choice; PHP has this.

As decision maker: You can simply bind to the server on behalf of the user, using the user-supplied username and password as arguments to ldap_bind(). If the bind succeeds, you let the user access your stuff. In this case you should consider using SSL/TLS for talking to the server.

There are other ways to authenticate with LDAP; RFC 2829 gives a good overview. You can find it at, for instance, http://www.ietf.org/rfc/rfc2829.txt

I could go into more detail, but to write a complete general overview would be a lot of work. You might also have a look at a really short presentation I've made at http://www.uninett.no/info/seminar/gnomis/ldapauth.pdf

Stig

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
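The three variants Stig describes (bind on behalf of the user, fetch a salted hash and recompute it, and an ldap_compare of an unsalted hash), written out as an added example that is not part of the original mail and not Stig's code. It uses PHP's modern ldap_* functions plus ldap_escape and hash_equals (PHP 5.6 or later, not the PHP 4 of 2001). The server URI, base DN, the assumption that users have an RDN of uid=<username>, and the service account used for the read are all placeholders; the {SSHA} layout (base64 of sha1(password . salt) followed by the salt) is the common OpenLDAP convention and is assumed here.

```php
<?php
// Added example (not the original poster's code). Connection details are placeholders.
$LDAP_URI   = 'ldap://ldap.example.invalid';      // placeholder
$BASE_DN    = 'ou=people,dc=example,dc=invalid';  // placeholder
$SERVICE_DN = 'cn=readonly,dc=example,dc=invalid'; // placeholder, only needs read on userPassword
$SERVICE_PW = 'placeholder-service-password';

/**
 * Open the connection, require LDAPv3 and upgrade to TLS before any
 * credential crosses the wire (the "consider SSL/TLS" point in the mail).
 */
function ldap_open_secure(string $uri)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException('cannot initialise LDAP connection');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!ldap_start_tls($ds)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ds));
    }
    return $ds;
}

/** Build the user's DN; the username lands inside a DN, so escape it for that context. */
function user_dn(string $baseDn, string $username): string
{
    return 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
}

/**
 * "Decision maker": bind as the user and let the server decide.
 * An empty password is refused up front, because an LDAP simple bind with
 * an empty password is an anonymous bind and "succeeds" on many servers.
 */
function authenticate_by_bind($ds, string $baseDn, string $username, string $password): bool
{
    if ($password === '') {
        return false;
    }
    // @ silences the warning PHP raises on a failed bind; the boolean is the result we want.
    return @ldap_bind($ds, user_dn($baseDn, $username), $password);
}

/**
 * "Data store", salted case: parse an {SSHA} value (hash and salt stored
 * together), recompute the hash with the stored salt and compare in constant time.
 */
function verify_ssha(string $stored, string $password): bool
{
    if (strncasecmp($stored, '{SSHA}', 6) !== 0) {
        return false;
    }
    $raw = base64_decode(substr($stored, 6), true);
    if ($raw === false || strlen($raw) <= 20) {
        return false;                         // malformed: no room for a 20-byte SHA-1 plus salt
    }
    $digest = substr($raw, 0, 20);            // SHA-1 output is 20 bytes
    $salt   = substr($raw, 20);               // everything after it is the salt
    return hash_equals($digest, sha1($password . $salt, true));
}

/** Read userPassword for one user with the service account (needs read access to that attribute). */
function fetch_user_password($ds, string $baseDn, string $username): ?string
{
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = ldap_search($ds, $baseDn, $filter, ['userPassword']);
    if ($sr === false) {
        return null;
    }
    $entries = ldap_get_entries($ds, $sr);   // attribute names come back lower-cased
    if ($entries['count'] !== 1 || !isset($entries[0]['userpassword'][0])) {
        return null;
    }
    return $entries[0]['userpassword'][0];
}

/**
 * "Data store", unsalted case: hash the supplied password in the {SHA} form
 * and ask the server to compare, so the script never needs read access to userPassword.
 */
function authenticate_by_compare($ds, string $baseDn, string $username, string $password): bool
{
    $candidate = '{SHA}' . base64_encode(sha1($password, true));
    // ldap_compare returns true, false, or -1 on error; only an explicit true is a match.
    return ldap_compare($ds, user_dn($baseDn, $username), 'userPassword', $candidate) === true;
}

// Usage sketch: $ds = ldap_open_secure($LDAP_URI);
//   bind variant:    authenticate_by_bind($ds, $BASE_DN, $user, $pw)
//   salted variant:  ldap_bind($ds, $SERVICE_DN, $SERVICE_PW) and then
//                    verify_ssha(fetch_user_password($ds, $BASE_DN, $user) ?? '', $pw)
//   compare variant: authenticate_by_compare($ds, $BASE_DN, $user, $pw)
```

The bind variant is the one that keeps hashes out of the application entirely; the salted-hash variant exists for directories where the application is trusted to read userPassword, and even then the read is done with a separate low-privilege service account rather than the user's own credentials.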