php Active Directory password encryption advice

Posted: Fri Jul 31, 2009 12:14 am
by dajohnson1s
Hello,

I recently made a connection for login validation to Active Directory via LDAP. I was provided a script by IT, and I never paid much attention to it until I was 'finished' with my PHP version.

What I noticed, and I looked at several other examples, was that their code doesn't 'encode' or 'encrypt' users' passwords.

This is what I am referring to specifically:

<?php
...
$pass = md5($_POST["pass"]);
...
AD ldap_bind()...
?>
Now, I may have missed something, but I thought md5() takes the parameter and converts it to a hash value, correct?

And it made sense to do it this way, since from what I have researched on AD, it does NOT allow passwords to be stored in plain text...and even goes as far as to do this conversion for you.

Not sure what to do, I asked IT about handling this matter. (When I do the md5() and try to validate with Active Directory, the credentials fail.) What IT suggested was to set up a certificate and use https://, or to maintain my own set of usernames/passwords.

Now for the advice: I am really only considering the first suggestion (certificate), but then one of my friends asked "why even worry about it"...what is the better road to take?

Thanks

Re: php Active Directory password encryption advice

Posted: Fri Jul 31, 2009 12:54 am
by joeynovak
You are right, md5 just hashes the argument you pass it.

I've read a few tutorials on how to authenticate with Active Directory, and I had some working code at a previous job. I think it is probably easier to look at how others do it in this case. There is a library here that does what you want: http://adldap.sourceforge.net/ They probably have more details.

If you want to look at more example code, there are plugins for MediaWiki that authenticate with AD, you could look at those to see how they do it. I think SugarCRM might also have an Active Directory plugin that you can use as an example.

I'm pretty sure YOU don't have to encrypt the password; rather, the PHP LDAP functions do that for you when you connect. (But I'm not 100% sure about that.)

Happy Coding!

Joey

Re: php Active Directory password encryption advice

Posted: Fri Jul 31, 2009 10:45 am
by dajohnson1s
Joey,

I believe you are correct about LDAP encrypting passwords. I am considering an SSL certificate, but I am curious: if I have a certificate, and they are not using LDAP + SSL, will it even matter? Sorry for my ignorance, I plan to research that today.

Daniel

Re: php Active Directory password encryption advice

Posted: Fri Jul 31, 2009 11:13 am
by joeynovak
Yeah, it won't matter at all. (I don't think)
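For reference, here is an added example (not code from the thread, from IT's script, or from the adLDAP library) showing how the snippet in the first post would look without the md5() call, and how the two transport questions raised later in the thread fit together. An LDAP simple bind needs the real password, because Active Directory verifies it against its own store; hashing it first is why the credentials fail. Two separate hops carry that password: the browser-to-PHP hop, which HTTPS protects, and the PHP-to-AD hop, which plain ldap:// sends unprotected and ldaps:// (or StartTLS) encrypts. The example uses ldaps:// with certificate checking, rejects an empty password (a simple bind with an empty password is an anonymous bind, which many servers accept), and never hashes anything. The hostname, UPN suffix and CA file path are placeholders.

```php
<?php
// Added example, not from the thread: web login validated against Active
// Directory with an LDAP simple bind over LDAPS. The host, UPN suffix and
// CA file are assumptions; replace them with your domain's values.

declare(strict_types=1);

const AD_URI        = 'ldaps://dc01.example.local';       // assumption: DC listens on 636
const AD_UPN_SUFFIX = '@example.local';                   // assumption: users bind as user@domain
const AD_CA_FILE    = '/etc/ssl/certs/corp-root-ca.pem';  // assumption: CA that signed the DC cert

/**
 * Returns true when Active Directory accepts $username / $password.
 * The password goes to AD as-is, inside the TLS session. A simple bind
 * requires the real password, so md5($password) can never validate.
 */
function adAuthenticate(string $username, string $password): bool
{
    // An empty password turns a simple bind into an anonymous bind, which
    // many LDAP servers accept. Reject it before contacting AD, or any
    // username with a blank password would "log in".
    if ($username === '' || $password === '') {
        return false;
    }

    // Only accept characters that can appear in a sAMAccountName / UPN.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    // Global TLS options: trust only our CA and demand a valid server
    // certificate. ldaps:// without this encrypts the hop but does not
    // prove we are talking to the real domain controller.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, AD_CA_FILE);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ld = ldap_connect(AD_URI);
    if ($ld === false) {
        return false;
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ld, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // The bind itself is the credential check: AD compares the password
    // with its own stored form and answers yes or no.
    $ok = @ldap_bind($ld, $username . AD_UPN_SUFFIX, $password);
    ldap_unbind($ld);
    return $ok;
}

// Typical use from a login handler. Serve this page over HTTPS so the
// browser-to-PHP hop is protected; LDAPS above covers PHP-to-AD.
session_start();
$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';   // no md5(): AD needs the actual password

if (adAuthenticate($user, $pass)) {
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    echo 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
} else {
    // Same response for an unknown user and a wrong password.
    http_response_code(401);
    echo 'Login failed';
}
```

The `ldap_set_option(null, ...)` calls set process-wide TLS options and need PHP 7.1 or later; on older versions the same settings can be placed in the system's ldap.conf instead. The password is never written anywhere by this code: it exists only in the request and in the bind, and session state holds just the username.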