LDAP Authentication using PEAR

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

papaxris
Forum Newbie
Posts: 7
Joined: Wed Apr 19, 2006 10:04 am

LDAP Authentication using PEAR

Post by papaxris »

Hello

I am writing a PHP LDAP authentication program for a class assignment using PEAR. The test LDAP server that we have implemented needs to receive the password encrypted in standard UNIX CRYPT. I am having trouble passing the password in an encrypted format using PEAR Auth.

When I analyze the network packets being sent from our PHP server to the LDAP server, I can see the password being sent is in cleartext form. How is it that I can configure PEAR Auth to send the password that I am passing in CRYPT format, instead of cleartext to the LDAP server? Any help or pointers would be greatly appreciated.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

pass the password through DES first.

http://php.net/mcrypt
papaxris
Forum Newbie
Posts: 7
Joined: Wed Apr 19, 2006 10:04 am

Post by papaxris »

feyd wrote:pass the password through DES first.

http://php.net/mcrypt
I assumed I needed to pass the password encrypted first. I already took the liberty of installing mcrypt on my PHP server. I am fairly new to PHP and I was having a very difficult time passing the password encrypted via a POST method (PEAR receives the user's information, i.e. username and password, via POST) in my script. After, I tried to alter the PEAR Auth file to spit the password info to the LDAP server encrypted, also with no success.

What is the best way to pass the password information encrypted via the POST method? Is there a write-up on how to do this?

Thank you for your reply.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You want the password encrypted prior to your script being called? That'll require a Javascript implementation of DES to process the password before the submission gets sent.
papaxris
Forum Newbie
Posts: 7
Joined: Wed Apr 19, 2006 10:04 am

Post by papaxris »

feyd wrote:You want the password encrypted prior to your script being called? That'll require a Javascript implementation of DES to process the password before the submission gets sent.
I would like to avoid adding more complexity to this project (PEAR is an animal!), without using JavaScript. How would you suggest I use mcrypt with PEAR Auth for just the password field?

The script I wrote sends all the appropriate info including password (just not in CRYPT format). I can see the PHP server binding all the credentials and it goes thru the whole sequence until it asks for the password. I receive LDAP error 0x31 (which is an invalid credentials error, usually password related) then the LDAP server starts the unbind sequence and I'm back to square one.

Is there a way to utilize mcrypt in the PHP script or in PEAR Auth without using JavaScript?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If you want the submitted data to your script already encrypted, there's no way around using Javascript. If you want to encrypt the submitted cleartext data, mcrypt can do that.

mcrypt_encrypt()
papaxris
Forum Newbie
Posts: 7
Joined: Wed Apr 19, 2006 10:04 am

Post by papaxris »

feyd wrote:If you want the submitted data to your script already encrypted, there's no way around using Javascript. If you want to encrypt the submitted cleartext data, mcrypt can do that.

mcrypt_encrypt()
Hi feyd

Is the fetchData() method in the LDAP container (ldap.php) what sends the username/password to the LDAP server?

If so, would this be the line that I need to modify if I went the mcrypt route?

if (@ldap_bind($this->conn_id, $user_dn, $password)) {
    $this->_debug('Bind successful', __LINE__);

Or is all the authentication done via auth.php?

Since I am new to PHP, I am having a hard time isolating what sends the username/password information to the LDAP server.

Thanks for all your help.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Sorry, I wouldn't know. I don't use LDAP on any projects so I haven't had to deal with it.
papaxris
Forum Newbie
Posts: 7
Joined: Wed Apr 19, 2006 10:04 am

Followup

Post by papaxris »

This is a followup to my previous question. I solved this several weeks ago, and wanted to share my PEAR findings with the community.


if (@ldap_bind($this->conn_id, $user_dn, crypt($password))) {
    $this->_debug('Bind successful', __LINE__);

Happy Coding

PapaXris
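
Added example, not written by anyone in this thread and not PEAR Auth's own code: how a cleartext bind password is checked against a {CRYPT} userPassword value by re-hashing with the stored salt, next to a simple bind whose password is protected on the wire by StartTLS. The function names, the sample password and the salts are constructed; the bind helper assumes ext-ldap and a server that supports StartTLS.

```php
<?php
// Added example. All names and sample values below are constructed.

// Check a cleartext password against a {CRYPT} userPassword value the way
// a directory server does: re-hash using the salt embedded in the stored hash.
function verify_crypt_userpassword(string $cleartext, string $stored): bool
{
    if (strncasecmp($stored, '{CRYPT}', 7) !== 0) {
        return false;                     // not a crypt(3) value
    }
    $hash = substr($stored, 7);
    // crypt() reads the algorithm and salt from the leading part of $hash.
    return hash_equals($hash, crypt($cleartext, $hash));
}

// Simple bind that sends the cleartext password only after StartTLS has
// encrypted the connection. Requires ext-ldap; arguments come from the caller.
function bind_over_starttls(string $host, string $userDn, string $password): bool
{
    $conn = ldap_connect("ldap://$host");
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!ldap_start_tls($conn)) {         // refuse to bind without TLS
        return false;
    }
    return @ldap_bind($conn, $userDn, $password);
}

// Constructed sample entry: the two-character salt "ab" selects
// traditional DES-based UNIX crypt.
$stored = '{CRYPT}' . crypt('s3cret', 'ab');

// Matching and non-matching cleartext passwords against the stored value.
var_dump(verify_crypt_userpassword('s3cret', $stored));
var_dump(verify_crypt_userpassword('wrong', $stored));

// The same password hashed with a different salt: the string differs from
// the stored hash, so a hash computed without the stored salt cannot be
// compared to it directly.
var_dump(crypt('s3cret', 'zz') === substr($stored, 7));
```

The bind helper is defined but not called, so the script runs without an LDAP server; only the crypt comparison executes.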