php Active Directory password encryption advice

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


dajohnson1s
Forum Newbie
Posts: 19
Joined: Sat Nov 15, 2008 12:44 pm

php Active Directory password encryption advice

Post by dajohnson1s »

Hello,

I recently made a connection to Active Directory via LDAP for login validation. I was provided a script by IT; I never paid much attention to it until I was 'finished' with my PHP version.

What I noticed, and I looked at several other examples, was that their code doesn't 'encode' or 'encrypt' users' passwords.

This is what I am referring to specifically:

<?php
...
$pass = md5($_POST["pass"]);
...
AD ldap_bind()...
?>
Now, I may have missed something, but I thought md5() takes the parameter and converts it to a hash value, correct?

And it made sense to do it this way, since from what I have researched, AD does NOT allow passwords to be stored in plain text... and even goes as far as to do this conversion for you.

Not sure what to do, I asked IT about handling this matter. (When I do the md5() and try to validate with Active Directory, the credentials fail.) What IT suggested was to set up a certificate and use https://, or to maintain my own set of usernames/passwords.

Now for the advice: I am really only considering the first suggestion (certificate), but then one of my friends asked "why even worry about it"... what is the better road to take?

Thanks
joeynovak
Forum Commoner
Posts: 26
Joined: Sun May 10, 2009 11:09 am

Re: php Active Directory password encryption advice

Post by joeynovak »

You are right, md5 just hashes the argument you pass it.

I've read a few tutorials on how to authenticate with Active Directory, and I had some working code at a previous job. I think it is probably easier to look at how others do it in this case. There is a library here that does what you want: http://adldap.sourceforge.net/ They probably have more details.

If you want to look at more example code, there are plugins for MediaWiki that authenticate with AD, you could look at those to see how they do it. I think SugarCRM might also have an Active Directory plugin that you can use as an example.

I'm pretty sure YOU don't have to encrypt the password; rather, the PHP ldap functions do that for you when you connect. (But I'm not 100% sure about that.)

Happy Coding!

Joey
dajohnson1s
Forum Newbie
Posts: 19
Joined: Sat Nov 15, 2008 12:44 pm

Re: php Active Directory password encryption advice

Post by dajohnson1s »

Joey,

I believe you are correct about LDAP encrypting passwords. I am considering an SSL certificate, but I am curious: if I have a certificate, and they are not using LDAP + SSL, will it even matter? Sorry for my ignorance, I plan to research that today.

Daniel
joeynovak
Forum Commoner
Posts: 26
Joined: Sun May 10, 2009 11:09 am

Re: php Active Directory password encryption advice

Post by joeynovak »

Yeah, it won't matter at all. (I don't think)
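The two questions in this thread (whether to md5() the password before ldap_bind(), and whether a certificate on the web server protects the LDAP hop) can be settled with one worked example. The PHP below is an added example written for this page; it is not code from the thread, from IT, or from adLDAP. It assumes a domain corp.example.com with a domain controller reachable as dc01.corp.example.com over LDAPS on port 636, and PHP's ext/ldap built against OpenLDAP with TLS support; the hostnames and the ad_authenticate() function name are placeholders chosen for the example. Note what it does not do: it never hashes the password, because a simple bind has to present the user's actual credential and AD does its own comparison against what it stores, so an md5 string is just a wrong password. It also refuses an empty password before calling ldap_bind(), because an empty password turns a simple bind into an unauthenticated bind that AD reports as successful, which is a login bypass if the check is only "did the bind return true".

```php
<?php
// Added example, not from the original thread: simple bind against Active
// Directory over LDAPS, password sent unmodified inside TLS, with the
// empty-password (anonymous bind) trap closed.
// Assumptions (placeholders): domain corp.example.com, DC dc01.corp.example.com,
// PHP ext/ldap with TLS support (PHP >= 7.1 for the LDAP_OPT_X_TLS_* constants).

declare(strict_types=1);

const AD_HOST   = 'dc01.corp.example.com';   // assumed domain controller
const AD_DOMAIN = 'corp.example.com';        // assumed AD DNS domain

/**
 * Authenticate a user against Active Directory.
 * Returns true only on a successful, non-anonymous simple bind.
 */
function ad_authenticate(string $username, string $password): bool
{
    // 1. Reject empty credentials before touching LDAP. With an empty
    //    password, ldap_bind() performs an unauthenticated bind, which AD
    //    accepts by default and reports as success: a classic auth bypass.
    if ($username === '' || $password === '') {
        return false;
    }

    // 2. Only accept a plain sAMAccountName; a UPN is built below, so
    //    characters like '@', '\\', '/' or NUL must not be injected.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    // 3. Require a valid server certificate for the TLS handshake. This is a
    //    global (null link) option and must be set before ldap_connect().
    //    Never relax this to LDAP_OPT_X_TLS_NEVER outside a lab.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // 4. Connect over LDAPS (port 636) so the bind happens inside TLS.
    //    A simple bind sends the password in clear text on the wire; TLS on
    //    the PHP -> DC hop is what protects it. HTTPS between the browser and
    //    PHP is a separate hop and does nothing for this one.
    $ldap = ldap_connect('ldaps://' . AD_HOST);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // 5. Bind with the raw password as the user typed it. No md5(): AD
    //    compares the presented credential against its stored one itself,
    //    so a hashed string is simply a wrong password and the bind fails.
    $ok = @ldap_bind($ldap, $username . '@' . AD_DOMAIN, $password);
    ldap_unbind($ldap);
    return $ok === true;
}

// Usage (hypothetical form handler; the field names are the example's own):
// if (ad_authenticate($_POST['user'] ?? '', $_POST['pass'] ?? '')) { ... }
```

If the domain controllers do not offer LDAPS, the equivalent is to connect with ldap://, set the protocol version, and call ldap_start_tls() before ldap_bind(), refusing to bind if ldap_start_tls() returns false; binding over plain ldap:// exposes every user's password to anyone who can see the PHP-to-DC traffic, regardless of the web server's certificate.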