I have recently made a connection for login validation to Active Directory via LDAP. I was provided a script from IT, and I never paid much attention to it until I was 'finished' with my PHP version.
What I noticed, and I looked at several other examples, was that their code doesn't 'encode' or 'encrypt' the user's password.
This is what I am referring to specifically:
<?php
...
$pass = md5($_POST["pass"]);
...
AD ldap_bind()...
?>
And it made sense to do it this way, since from what I have researched on AD is that it does NOT allow passwords to be stored in plain text...and even goes as far as to do this conversion for you.
Not sure what to do, I asked IT about handling this matter. (When I do the md5() and try to validate with Active Directory, the credentials fail.) What IT has suggested was to set up a certificate and use https://, or to maintain my own set of usernames/passwords.
Now for the advice: I am really only considering the first suggestion (certificate), then one of my friends asked "why even worry about it"... what is the better road to take?
Thanks
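As an added example (not the poster's script and not the one IT provided), here is what a bind-based check against AD looks like when the password is passed through untouched and the connection is protected with TLS. An LDAP simple bind sends the credential to the domain controller, which compares it against the hash it stores itself; md5() on the client side just turns it into a different string, which is why the bind in the question fails. The host name, UPN suffix and field names are assumed placeholders. The example also rejects an empty password, because AD treats a bind with a user name and an empty password as an unauthenticated bind and reports success, so an empty form field would otherwise "log in" anyone.

```php
<?php
// Added example (not the poster's or IT's code): validate credentials with an
// LDAP simple bind over TLS. Host, UPN suffix and form field names are
// assumed placeholders.

function ad_authenticate(string $username, string $password): bool
{
    // Do not hash the password first. The DC hashes and compares on its side;
    // a pre-hashed value is simply a wrong password from AD's point of view.
    // An empty password must be rejected here: AD answers a bind with a user
    // name and an empty password as an unauthenticated bind and returns
    // success, which would let an empty form field "log in" as that user.
    if ($username === '' || $password === '') {
        return false;
    }
    // Restrict the user name to characters a sAMAccountName can contain so the
    // value cannot carry LDAP filter or DN metacharacters.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    // Assumed placeholder values.
    $ldapUri   = 'ldap://dc1.example.internal';   // StartTLS upgrades this on 389; ldaps://host on 636 also works
    $upnSuffix = '@example.internal';

    // Demand a certificate the client trusts; otherwise StartTLS only hides the
    // password from passive sniffing. Global option; PHP >= 7.1 accepts null here.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ldap = ldap_connect($ldapUri);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Upgrade to TLS before binding so the password never crosses the wire in the clear.
    if (!@ldap_start_tls($ldap)) {
        error_log('LDAP StartTLS failed: ' . ldap_error($ldap));
        ldap_unbind($ldap);
        return false;
    }

    // Bind with the UPN and the raw password; AD performs the comparison.
    $ok = @ldap_bind($ldap, $username . $upnSuffix, $password);
    if (!$ok) {
        // Record the failure for monitoring, keeping the password out of the log.
        error_log('LDAP bind failed for ' . $username . ': ' . ldap_error($ldap));
    }
    ldap_unbind($ldap);
    return $ok;
}

// Usage with a constructed form submission (field names assumed):
// if (ad_authenticate($_POST['user'] ?? '', $_POST['pass'] ?? '')) { /* logged in */ }
```

The certificate IT mentioned covers two separate hops: https:// protects the password between the browser and the PHP server, while StartTLS or ldaps:// protects it between the PHP server and the domain controller. Both are needed for the cleartext credential to stay off the wire end to end.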