
LDAP password auth

Posted: Fri Feb 05, 2016 9:38 am
by pribis
Hi,

I've written before about this and kind of dropped it. Now I have to pick it up again because in a company that uses a bunch of different software solutions, being able to change all of the passwords from one spot is suddenly important. TimeTrex allows for LDAP auth. But only SSL, not TLS. TimeTrex is using the ADOdb PHP library by John Lim. And for some strange reason he doesn't implement a TLS connection option. Anyway, this is easy enough to implement it seems by adding a call to ldap_start_tls($connection_handle) to his code. But that will need to be addressed to John.

But what concerns me is when I followed the authentication chain for timetrex I ran across:

Code:

if ( $ldap_data[$this->password_attribute] == $password ) {
    Debug::Text('LDAP authentication success! (z)', __FILE__, __LINE__, __METHOD__, 10);
    $retval = TRUE;
} else {
    Debug::Text('LDAP password comparison failed... LDAP Password attribute: '. $ldap_data[$this->password_attribute], __FILE__, __LINE__, __METHOD__, 10);
}

So ldap authentication expects the password to be in plaintext? Am I missing something here?

Re: LDAP password auth

Posted: Fri Feb 05, 2016 10:49 am
by shaunw
That is just one method that is used *only* if the password attribute is specified. If you don't specify the password attribute then it won't attempt to match that.

Re: LDAP password auth

Posted: Fri Feb 05, 2016 12:16 pm
by pribis
Do you mean the Bind Password under the company ldap configuration in the gui?

Re: LDAP password auth

Posted: Fri Feb 05, 2016 12:28 pm
by pribis
I think I answered my own question. So yes, the bind password. I don't store that in plaintext. But I don't need it I suppose. I do need it for a few other applications that need broader access to some user data, but not needed for here. Nonetheless I added a function to verify the password against the hash based on the hash prefix.

That said, there is still the ldap_start_tls issue. I did edit ADOdb to take care of this for my installation. So now I can connect using tls. But I don't like messing with that library. Any reason not to use php's own ldap functions for doing ldap authentication?
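An added example (not TimeTrex's or ADOdb's code) of the two things this post describes: checking a password against a hashed userPassword value by its scheme prefix, and using PHP's own ldap functions to authenticate by binding as the user after ldap_start_tls. The LDAP URI and user DN are assumptions, and the scheme handling follows the common RFC 2307 {SSHA}/{SHA}/{CRYPT} forms.

```php
<?php
// Added example, not from TimeTrex or ADOdb. Verify a password against an
// LDAP userPassword value by its scheme prefix ({SSHA}, {SHA}, {CRYPT});
// a value with no prefix is treated as cleartext, which is the case the
// thread's TimeTrex snippet compares with ==.
function ldap_password_verify(string $stored, string $password): bool
{
    if (preg_match('/^\{([A-Za-z0-9]+)\}(.*)$/s', $stored, $m) !== 1) {
        // No scheme prefix: constant-time compare against the cleartext value.
        return hash_equals($stored, $password);
    }
    $scheme = strtoupper($m[1]);
    $data   = $m[2];
    switch ($scheme) {
        case 'SSHA': // base64( sha1(password . salt) . salt ), salt follows 20-byte digest
            $raw = base64_decode($data, true);
            if ($raw === false || strlen($raw) <= 20) { return false; }
            $salt = substr($raw, 20);
            return hash_equals($raw, sha1($password . $salt, true) . $salt);
        case 'SHA':  // base64( sha1(password) ), unsalted
            return hash_equals($data, base64_encode(sha1($password, true)));
        case 'CRYPT': // crypt(3) string; crypt() re-derives it from the stored salt/params
            return hash_equals($data, crypt($password, $data));
        default:
            return false; // unknown scheme: fail closed rather than guess
    }
}

// Preferred: let the directory check the password by binding as the user,
// after upgrading the connection with StartTLS. $uri and $userDn are
// hypothetical, e.g. 'ldap://ldap.example.internal' and a uid= DN.
function ldap_bind_auth(string $uri, string $userDn, string $password): bool
{
    // An empty password would be an unauthenticated bind, which some
    // directories accept; never let that count as a successful login.
    if ($password === '') { return false; }
    $conn = ldap_connect($uri);
    if ($conn === false) { return false; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_start_tls($conn)) { ldap_unbind($conn); return false; }
    $ok = @ldap_bind($conn, $userDn, $password); // false on invalid credentials
    ldap_unbind($conn);
    return $ok;
}
```

With bind-based authentication the password attribute never has to be readable by the application at all, which sidesteps the plaintext comparison entirely.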

Re: LDAP password auth

Posted: Fri Feb 05, 2016 1:09 pm
by shaunw
pribis wrote:I think I answered my own question. So yes, the bind password. I don't store that in plaintext. But I don't need it I suppose. I do need it for a few other applications that need broader access to some user data, but not needed for here. Nonetheless I added a function to verify the password against the hash based on the hash prefix.

That said, there is still the ldap_start_tls issue. I did edit ADOdb to take care of this for my installation. So now I can connect using tls. But I don't like messing with that library. Any reason not to use php's own ldap functions for doing ldap authentication?
Regarding start_tls, feel free to submit an issue or fix against ADOdb here: https://github.com/ADOdb/ADOdb -- If it gets accepted then TimeTrex can automatically make use of it.