LDAP password auth

Topics brought up by the TimeTrex open source community.
pribis
Posts: 86
Joined: Mon Apr 19, 2010 10:33 am

LDAP password auth

Post by pribis »

Hi,

I've written before about this and kind of dropped it. Now I have to pick it up again because in a company that uses a bunch of different software solutions, being able to change all of the passwords from one spot is suddenly important. TimeTrex allows for LDAP auth, but only SSL, not TLS. TimeTrex is using the ADOdb PHP library by John Lim, and for some strange reason he doesn't implement a TLS connection option. Anyway, this is easy enough to implement, it seems, by adding a call to ldap_start_tls($connection_handle) to his code. But that will need to be addressed to John.

But what concerns me is when I followed the authentication chain for timetrex I ran across:

```php
if ( $ldap_data[$this->password_attribute] == $password ) {
	Debug::Text('LDAP authentication success! (z)', __FILE__, __LINE__, __METHOD__, 10);
	$retval = TRUE;
} else {
	Debug::Text('LDAP password comparison failed... LDAP Password attribute: '. $ldap_data[$this->password_attribute], __FILE__, __LINE__, __METHOD__, 10);
}
```
So LDAP authentication expects the password to be in plaintext? Am I missing something here?
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: LDAP password auth

Post by shaunw »

That is just one method that is used *only* if the password attribute is specified. If you don't specify the password attribute then it won't attempt to match that.
pribis
Posts: 86
Joined: Mon Apr 19, 2010 10:33 am

Re: LDAP password auth

Post by pribis »

Do you mean the Bind Password under the company LDAP configuration in the GUI?
pribis
Posts: 86
Joined: Mon Apr 19, 2010 10:33 am

Re: LDAP password auth

Post by pribis »

I think I answered my own question. So yes, the bind password. I don't store that in plaintext. But I don't need it, I suppose. I do need it for a few other applications that need broader access to some user data, but it is not needed here. Nonetheless I added a function to verify the password against the hash based on the hash prefix.

That said, there is still the ldap_start_tls issue. I did edit ADOdb to take care of this for my installation, so now I can connect using TLS. But I don't like messing with that library. Any reason not to use PHP's own LDAP functions for doing LDAP authentication?
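The two things raised in the post above, checking a password against the directory's stored hash by its scheme prefix and talking to the directory with PHP's own ldap extension over STARTTLS instead of patching ADOdb, as one added example. This is not pribis's, TimeTrex's or ADOdb's code; the function names and the $uri / $userDn configuration values are assumptions.

```php
<?php
// Added example, not TimeTrex or ADOdb code. verify_ldap_password() checks a password against
// an LDAP userPassword value by its scheme prefix; hash_equals() keeps the compare constant-time.
function verify_ldap_password(string $stored, string $password): bool
{
    if (preg_match('/^\{([A-Za-z0-9]+)\}(.*)$/s', $stored, $m) !== 1) {
        return hash_equals($stored, $password); // no prefix: cleartext attribute
    }
    $scheme = strtoupper($m[1]);
    $rest   = $m[2];
    switch ($scheme) {
        case 'CRYPT': // crypt() reuses the salt and algorithm embedded in $rest
            return hash_equals($rest, crypt($password, $rest));
        case 'SHA':
            return hash_equals((string) base64_decode($rest, true), sha1($password, true));
        case 'MD5':
            return hash_equals((string) base64_decode($rest, true), md5($password, true));
        case 'SSHA':
        case 'SMD5': // salted: base64(digest . salt), the salt trails the digest
            $raw = base64_decode($rest, true);
            $len = ($scheme === 'SSHA') ? 20 : 16;
            if ($raw === false || strlen($raw) <= $len) {
                return false;
            }
            $algo = ($scheme === 'SSHA') ? 'sha1' : 'md5';
            $calc = hash($algo, $password . substr($raw, $len), true);
            return hash_equals(substr($raw, 0, $len), $calc);
        default:
            return false; // unknown scheme: refuse rather than guess
    }
}

// ldap_bind_authenticate() instead binds as the user over STARTTLS with PHP's own ldap
// extension, so no password attribute is read. $uri and $userDn are assumed config values.
function ldap_bind_authenticate(string $uri, string $userDn, string $password): bool
{
    if ($password === '') {
        return false; // an empty password would turn into an anonymous bind
    }
    $conn = ldap_connect($uri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (stripos($uri, 'ldaps://') !== 0 && !ldap_start_tls($conn)) {
        ldap_close($conn); // refuse to send credentials in cleartext
        return false;
    }
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_close($conn);
    return $ok;
}
```

Binding as the user means the application never needs read access to userPassword, which is the simpler path when the password attribute is left unset as shaunw describes.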
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: LDAP password auth

Post by shaunw »

pribis wrote:
I think I answered my own question. So yes, the bind password. I don't store that in plaintext. But I don't need it, I suppose. I do need it for a few other applications that need broader access to some user data, but it is not needed here. Nonetheless I added a function to verify the password against the hash based on the hash prefix.

That said, there is still the ldap_start_tls issue. I did edit ADOdb to take care of this for my installation, so now I can connect using TLS. But I don't like messing with that library. Any reason not to use PHP's own LDAP functions for doing LDAP authentication?

Regarding start_tls, feel free to submit an issue or fix against ADOdb here: https://github.com/ADOdb/ADOdb -- if it gets accepted then TimeTrex can automatically make use of it.