Not yet, i am at work all my work is on my pc at home, but i will try it when i get home.
thanks
Can't wait to get home to try it out
As normal, you are right again, it still works with
ldap_bind($ldap['conn']);
so now I have the anonymous bind, and when the username and password are found the user can log in to the application.
OK, now having spoken to my system admin, he said he thinks what I need to try to do is
Bind anonymously
search for username e.g. the value of uname
find a matching cn
get the dn
possibly unbind or something
rebind with dn and (password entered)
if successful combination of password and username, let them in.
He said that is a better way of doing it.
Yes,
you can do it that way. You can get the dn out of the array the ldap search returns (look at that "rearranged array" I posted, I think the index was "dn" or something like that). Then try to rebind with that dn and the given password.
Thomas
OK, I found this array you posted
<?php
Array (
[count] => 1
[0] => Array ( [count] => 4
[0] => objectclass
[1] => userpassword
[2] => uid
[3] => cn
[objectclass] => Array ( [count] => 4
[0] => top
[1] => simpleSecurityObject
[2] => uidObject
[3] => organizationalRole
)
[userpassword] => Array ( [count] => 1
[0] => password1
)
[uid] => Array ( [count] => 1
[0] => testuser
)
[cn] => Array ( [count] => 1
[0] => Some Testuser
)
[dn] => uid=testuser,ou=users,dc=mydomain,dc=com
)
)
?>
Now, I don't understand it fully, but I will explain what I have done. I have taken out stuff that I don't think I need. The only important thing is cn. However, my question: testuser is hardcoded in your array, but I'm guessing it shouldn't be, because we don't know who is going to log in.
<?php
Array (
[count] => 1
[0] => Array ( [count] => 2
[0] => objectclass
[1] => cn
[objectclass] => Array ( [count] => 4
[0] => top
[1] => simpleSecurityObject
[2] => uidObject
[3] => organizationalRole
)
[uid] => Array ( [count] => 1
[0] => testuser
)
[cn] => Array ( [count] => 1
[0] => Some Testuser
)
[dn] => uid=testuser,ou=users,dc=mydomain,dc=com
)
)
?>
Hi,
let's say you do the ldap_search and store the result in
$ldap['data'].
Then use
$ldap['data'][0]['dn'] as user dn and the posted password as password in ldap_bind.
Do not use the cn (Some Testuser).
Thomas
OK, well, I think I need to let you know some more stuff now. My system admin thinks that the way I have my password stuff set up is not the best way. He thinks that it's not good practice to have a password field in the LDAP server, especially the one I have created, especially from a security point of view. He said it should be hidden and that there is probably a way of setting the 'real' password by a function or something, and that there should be no reference to it in my script. He showed me entries in his LDAP server and indeed no password field was there. He said basically search for a matching cn and then, after you rebind, it should just verify the username and password.
Does this make sense to you? It took me a little while to understand.
He also proved it to me, I think, by trying to log in as testuser with the password I had set in the password field, and sure enough I couldn't log in.
I have attached a screenshot of the screen that I thought would have accepted the password I had set for testuser, but in fact didn't.
Are you still with me on this?
Hi,
you can set the server ACLs (access control lists) so that the users can modify but not view the passwords. Add something like this to your slapd.conf
access to dn=".*,dc=mydomain,dc=com" attr=userPassword
by dn="cn=Manager,dc=mydomain,dc=com" write
by self write
by * auth
access to dn=".*,ou=People,dc=mydomain,dc=com"
by * read
access to dn=".*,dc=mydomain,dc=com"
by self write
by * read
You can add additional ACLs depending on what you want to allow the users to do.
With the first ACL the Manager and the owner of an entry can change the password but the password attribute cannot be seen by anyone. Additionally, the ACL permits access for authentication/binding purposes.
The second ACL is a very restrictive one. It marks everything below ou=People read-only, so no user can change anything except for the password.
The third ACL allows all users to change attributes of their own entries (exception: the entries in ou=People) and to read everything else.
Depending on what you want to allow you might need to use less restrictive or more restrictive ACLs.
Thomas
P.S.: There is no attachment to your post.
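As an added example (not from the thread), the same three rules written with the explicit `dn.regex=` / `dn.exact=` selectors and privilege letters that current OpenLDAP slapd.conf accepts. It assumes the suffix dc=mydomain,dc=com and the admin entry cn=Manager,dc=mydomain,dc=com from the post above. The one deliberate change from the rules above is `by self =xw`: the owner may bind with the password and change it, but cannot read the stored hash back, which is what hiding the password from everyone actually requires (plain `write` implies `read`).

```conf
# Added example, not the configuration from the thread.
# Assumes: suffix dc=mydomain,dc=com, admin entry cn=Manager,dc=mydomain,dc=com.
# slapd evaluates "access to" clauses top to bottom and stops at the first
# clause whose target matches, so the userPassword rule must come first.

# userPassword: Manager may write it; the owner may use it to authenticate
# and change it (=xw) but not read it back; anonymous clients may use it
# only for binding; nobody else gets any access.
access to dn.regex="^.*,dc=mydomain,dc=com$" attrs=userPassword
        by dn.exact="cn=Manager,dc=mydomain,dc=com" write
        by self =xw
        by anonymous auth
        by * none

# Everything below ou=People is read-only for everyone (the password
# attribute was already handled by the rule above).
access to dn.regex="^.*,ou=People,dc=mydomain,dc=com$"
        by * read

# All other entries: owners may edit their own entry, everyone else reads.
access to dn.regex="^.*,dc=mydomain,dc=com$"
        by self write
        by * read
```

To check the effect after restarting slapd, bind as the test user and ask for the attribute explicitly, for example `ldapsearch -x -D "uid=testuser,ou=users,dc=mydomain,dc=com" -W -b "dc=mydomain,dc=com" "(uid=testuser)" userPassword`: the entry should come back without a userPassword line, while the same bind still succeeds because `=x` grants the authenticate privilege.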
Hi Thomas,
The information you have provided is all well and good and useful for my overall understanding. However, at this moment in time I'm trying to just allow the user to log in and use the web application. I appreciate that if I have different sets of users, e.g. technicians etc., they may wish to have additional access rights.
Are you able to help me adjust the code that we have at the moment so that the user can
Bind anonymously
search for username e.g. the value of uname
find a matching cn
get the dn
possibly unbind or something
rebind with dn and (password entered)
if successful combination of password and username, let them in.
As you pointed out and showed me, we can now bind anonymously, but it would be really cool if we could do the other steps if possible.
What do you think?
Cheers
Ok,
give me some time
Thomas
No worries, dude, I'm right here if you need me to do anything at all.
thanks
Ok,
post the scripts you have so far.
Thomas
OK, well, I have attached the last working version we have.
Hi,
try the attached script. It worked on my server.
If it works (which I hope) I'd suggest setting at least the ACL that hides the password.
Thomas
OK, I have tried to use the script with my system admin's server. He set up a test user for me to practice with.
So I made changes to the base name and IP address to reflect his LDAP server details.
I log in with the username that is the same as the cn on his LDAP server.
When I attempt to log in through the browser I get the following error message:
'Error: No such user found'
But we know there is a user, so I'm wondering where I'm going wrong. I suspect it's our side of things.
Just a note, but I can't see the initial anonymous bind.
Hi,
that's right, you can't see the initial anonymous bind
I just use the connection id for the search without using ldap_bind at all. So I do the search anonymously.
About that authentication problem with that other server. Try to change the filter in ldap_search to (cn={$data['uname']})
On your local server you use uid=...,ou=People,cn=mydomain,cn=com
On that other server it might be e.g.
cn=...,ou=People,cn=mydomain,cn=com
On my test server I had cn=... so I had to test it with (cn={$data['uname']}) in my case. With uid= I got just the same "no such user found" result.
Thomas
Once again, you have done it, you are a genius. I have to ask you, how on earth did you bind anonymously without writing any code?
Also, shall I take out the references to uid in the script?
Hi,
about that uid=,cn= stuff:
You need to adjust the ldap filter depending on the data stored in the ldap server.
If you have e.g. just
cn=A User,ou=People,dc=mydomain,dc=com
with the attribute
cn=A User
you need to use (cn=A User)
If you have e.g.
cn=A User,ou=People,dc=mydomain,dc=com
and the attributes
cn=A User
uid=alogin
where uid is the login posted by a form you would do a search for
(uid=alogin)
and get the dn which is
cn=A User,ou=People,dc=mydomain,dc=com in this case.
Then you'd try to bind with
cn=A User,ou=People,dc=mydomain,dc=com
and the password submitted by the form.
Generally:
Take the username posted by the form, search on the ldap server with
(attribute=username)
where attribute is uid or cn or .... depending on which of the attributes holds the username. Then get the complete dn and try to bind with that dn and the given password.
Thomas
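The general procedure Thomas describes (anonymous search for `(attribute=username)`, take the DN of the single matching entry, rebind with that DN and the submitted password), written out as an added example. This is not the script attached in the thread; the host, port, base DN and the `$ldap['attr']` setting are assumed, and `attr` is where you put `uid` or `cn` depending on which attribute holds the login name on your server. Two checks that the thread's "no such user found" message does not cover are included: the posted value is escaped before it goes into the filter, so a username such as `*` or `x)(uid=*` cannot change what the search matches, and an empty password is rejected up front, because a bind with an empty password is treated by the LDAP library as an anonymous or unauthenticated bind rather than a failed one.

```php
<?php
// Added example, not the script from the thread.
// Assumptions: OpenLDAP reachable at $ldap['host']:$ldap['port'], users below
// $ldap['base'], login name stored in the attribute named by $ldap['attr'].

/**
 * Returns the user's DN on success, or null if the user was not found,
 * was not unique, or the password did not verify.
 */
function ldap_login(array $ldap, string $uname, string $password): ?string
{
    // An empty password would make ldap_bind() do an anonymous/unauthenticated
    // bind, which the server may accept. Refuse it before touching the server.
    if ($uname === '' || $password === '') {
        return null;
    }

    $conn = ldap_connect(sprintf('ldap://%s:%d', $ldap['host'], $ldap['port']));
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Steps 1-2: search anonymously (no ldap_bind() call) for the posted name.
    // ldap_escape() neutralises * ( ) \ and NUL so the filter cannot be altered.
    $filter = sprintf('(%s=%s)', $ldap['attr'], ldap_escape($uname, '', LDAP_ESCAPE_FILTER));
    $result = ldap_search($conn, $ldap['base'], $filter, ['dn']);
    if ($result === false) {
        ldap_unbind($conn);
        return null;
    }

    // Step 3: exactly one entry must match. Zero means "no such user";
    // more than one means the name is ambiguous and we must not pick one.
    if (ldap_count_entries($conn, $result) !== 1) {
        ldap_unbind($conn);
        return null;
    }

    // Step 4: take the full DN of that entry (not the cn value).
    $entry = ldap_first_entry($conn, $result);
    $dn    = ldap_get_dn($conn, $entry);

    // Steps 5-6: rebind on the same connection as that DN with the posted
    // password. The server verifies the password; the script never reads it.
    $ok = @ldap_bind($conn, $dn, $password);
    ldap_unbind($conn);

    return $ok ? $dn : null;
}

// Usage with assumed values; 'attr' is 'uid' here, use 'cn' where the login
// name is stored in cn as on the admin's server in the thread.
$ldap = [
    'host' => 'ldap.mydomain.com',
    'port' => 389,
    'base' => 'ou=users,dc=mydomain,dc=com',
    'attr' => 'uid',
];

$dn = ldap_login($ldap, $_POST['uname'] ?? '', $_POST['pass'] ?? '');
if ($dn === null) {
    // Same message for unknown user and wrong password, so the form does not
    // reveal which usernames exist.
    echo 'Error: login failed';
} else {
    session_start();
    $_SESSION['auth'] = true;
    $_SESSION['dn']   = $dn;   // or just the username, if it is unique
}
```

The anonymous search only works if the server's ACLs let anonymous clients read (or at least search) the login attribute under the base DN, which is why the ACL rules earlier in the thread grant `by * read` on the entries while keeping userPassword itself hidden.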
About that anonymous bind.
connecting to the server (and then using that connection resource) without using ldap_bind is just an anonymous bind
Which data to store in the session depends on what you want to do with the data. You might want to store just a flag that the user has been authenticated along with the username if it is unique. Or store the dn ... depends on what you want to do later.
It is more important to secure your ldap server to make sure that nobody can read confidential data by binding anonymously and doing some queries.
Thomas
You make it sound so simple, you must be a teacher or lecturer.
Also, may I ask if this is OO PHP? In the first few lines of the script, and elsewhere in it, I see one variable holding multiple values. Like below, the variable $ldap is holding the port, base and array:
$ldap["port"] = 389;
$ldap["base"] = "ou=staff,o=hcc";
$ldap["info"] = array();
Hi Thomas,
Now that we have this working, the next thing that could be done is to detect the type of user. I'm not sure how this could be done.
E.g. if a technician logs in they get taken to the page called tech.php, but if it's a normal user they get taken to index.php.
So I need an if statement here. How would we test to see if it's a technician cn or id?