
LDAP Authentication using PEAR

Posted: Wed Apr 19, 2006 10:13 am
by papaxris
Hello

I am writing a PHP LDAP authentication program for a class assignment using PEAR. The test LDAP server that we have implemented needs to receive the password encrypted in standard UNIX CRYPT. I am having trouble passing the password in an encrypted format using PEAR Auth.

When I analyze the network packets being sent from our PHP server to the LDAP server, I can see the password being sent is in cleartext form. How is it that I can configure PEAR Auth to send the password that I am passing in CRYPT format, instead of cleartext to the LDAP server? Any help or pointers would be greatly appreciated.

Posted: Wed Apr 19, 2006 10:34 am
by feyd
pass the password through DES first.

http://php.net/mcrypt

Posted: Wed Apr 19, 2006 10:46 am
by papaxris
feyd wrote: pass the password through DES first.

http://php.net/mcrypt

I assumed I needed to pass the password encrypted first. I already took the liberty of installing mcrypt on my PHP server. I am fairly new to PHP and I was having a very difficult time passing the password encrypted via a POST method (PEAR receives the user's information, i.e. username and password, via POST) in my script. After that, I tried to alter the PEAR Auth file to spit the password info to the LDAP server encrypted, also with no success.

What is the best way to pass the password information encrypted via the POST method? Is there a write-up on how to do this?

Thank you for your reply.

Posted: Wed Apr 19, 2006 10:49 am
by feyd
You want the password encrypted prior to your script being called? That'll require a Javascript implementation of DES to process the password before the submission gets sent.

Posted: Wed Apr 19, 2006 11:05 am
by papaxris
feyd wrote: You want the password encrypted prior to your script being called? That'll require a Javascript implementation of DES to process the password before the submission gets sent.

I would like to avoid adding more complexity to this project (PEAR is an animal!), without using JavaScript. How would you suggest I use mcrypt with PEAR Auth for just the password field?

The script I wrote sends all the appropriate info including password (just not in CRYPT format). I can see the PHP server binding all the credentials and it goes through the whole sequence until it asks for the password. I receive LDAP error 0x31 (which is an invalid credentials error, usually password related) then the LDAP server starts the unbind sequence and I'm back to square one.

Is there a way to utilize mcrypt in the PHP script or in PEAR Auth without using JavaScript?

Posted: Wed Apr 19, 2006 11:20 am
by feyd
If you want the submitted data to your script already encrypted, there's no way around using Javascript. If you want to encrypt the submitted cleartext data, mcrypt can do that.

mcrypt_encrypt()

Posted: Thu Apr 20, 2006 10:39 am
by papaxris
feyd wrote: If you want the submitted data to your script already encrypted, there's no way around using Javascript. If you want to encrypt the submitted cleartext data, mcrypt can do that.

mcrypt_encrypt()

Hi feyd

Is the fetchData() method in the LDAP container (ldap.php) what sends the username/password to the LDAP server?

If so, would this be the line that I need to modify if I went the mcrypt route?

if (@ldap_bind($this->conn_id, $user_dn, $password)) {
    $this->_debug('Bind successful', __LINE__);

Or is all the authentication done via auth.php?

Since I am new to PHP, I am having a hard time isolating what sends the username/password information to the LDAP server.

Thanks for all your help.

Posted: Thu Apr 20, 2006 10:54 am
by feyd
Sorry, I wouldn't know. I don't use LDAP on any projects so I haven't had to deal with it.

Followup

Posted: Fri May 05, 2006 11:31 am
by papaxris
This is a followup to my previous question. I solved this several weeks ago, and wanted to share my PEAR findings with the community.


if (@ldap_bind($this->conn_id, $user_dn, crypt($password))) {
    $this->_debug('Bind successful', __LINE__);

Happy Coding

PapaXris
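
An added example, not part of the thread and not PEAR Auth code: the last post wraps the bind password in crypt(), so this sketch shows how PHP's crypt() behaves with a standard UNIX DES salt, which decides whether two crypt strings for the same password are equal. The function names and sample values are constructed for illustration.

```php
<?php
// Added example (not from the thread or from PEAR Auth). Function names and
// sample values are constructed for illustration.

// Standard UNIX DES crypt: two salt characters from "./0-9A-Za-z".
function std_des_crypt(string $password, string $salt): string
{
    if (!preg_match('#^[./0-9A-Za-z]{2}$#', $salt)) {
        throw new InvalidArgumentException('salt must be 2 chars of ./0-9A-Za-z');
    }
    // PHP 8 requires the salt argument; older versions picked one at random
    // when it was omitted, so two calls gave two different strings.
    return crypt($password, $salt);
}

// Check a cleartext password against a stored crypt string. The stored string
// begins with its own salt, so it is passed back in as the salt argument.
function crypt_matches(string $password, string $stored): bool
{
    $computed = crypt($password, $stored);
    // Constant-time comparison; a failed crypt() returns "*0" or "*1",
    // which never equals a valid stored value.
    return hash_equals($stored, $computed);
}

$password = 'Example-Passw0rd';            // constructed sample
$a = std_des_crypt($password, 'ab');
$b = std_des_crypt($password, 'cd');

var_dump($a === $b);                        // same password, different salts
var_dump(crypt_matches($password, $a));     // salt taken from the stored value
var_dump(crypt_matches('wrong-guess', $a)); // different password

// Standard DES crypt reads only the first 8 characters of the password,
// so anything after them does not change the result.
var_dump(crypt_matches(substr($password, 0, 8) . 'anything', $a));
```

Because of the salt, a crypt string computed on the client only equals a stored one when both were produced with the same two salt characters.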