LDAP connection restricted to dynamic bind

Issue #13 on hold
viharm repo owner created an issue

Currently phpLDAPauth uses anonymous dynamic bind for all LDAP connections.

This functionality must be extended to include authenticated bind option to bind with a separate user.

Comments (5)

  1. viharm reporter
    • changed status to open

    Suggest adding this through the PHP ldap_bind function.

    Additional checks:

    • Add checks for bind credentials in input.
    • Add flags for authenticated bind, and if separate credentials not provided then use the credentials which will be subsequently used for authentication.
  2. viharm reporter

    Assessment of issue was incorrect. phpLDAPauth does not use unauthenticated bind.

    The credentials of the user being validated are used to perform authenticated bind.

    The real issue is to have a logic for having a separate user to bind the directory with; and then authenticate the target user by performing search, etc.

    This is significantly different from the current architecture of phpLDAPauth, but is a worthwhile improvement to the functionality. This will require a major rewrite of the authentication logic.

  3. viharm reporter

    Even if LDAP directory servers require a static user to bind with the directory, the counter-proposal is to ignore such static credentials and use the target credentials to bind. This ensures that the authentication process is carried out by the directory service.

    The only other alternative to deploy this logic is as follows:

    1. The static user binds to the directory by authenticating itself.
    2. The static user searches the directory for the target user (user being authenticated).
    3. If found, the static user retrieves the target user’s details from the directory.
    4. phpLDAPauth compares the supplied password with the one stored in the directory. This may need to pass the hashing method to phpLDAPauth.

    A separate study will need to be carried out if LDAP servers allow reading of users' passwords by a static user.

    This will be demoted to a low-priority item, and will only be done if there is sufficient demand. Retrieving user’s details will be done as part of #7.
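The "separate static user" flow sketched in the comment above, written out as an added example (not phpLDAPauth's own code): the static user binds and searches for the target DN, and the target user's own credentials are then used for the real bind, so the directory service performs the password check and the application never reads stored passwords. The `$cfg` keys, the `uid` attribute and the `person` object class are assumptions.

```php
<?php
// Added example, not part of phpLDAPauth. Configuration keys are assumed:
// $cfg = ['uri' => 'ldaps://ldap.example.com', 'base_dn' => 'ou=people,dc=example,dc=com',
//         'bind_dn' => 'cn=svc-auth,dc=example,dc=com', 'bind_pw' => '...'];
// Returns the authenticated user's DN, or null on any failure.
function ldapSearchThenBind(array $cfg, string $username, string $password): ?string
{
    // An empty password turns a simple bind into an unauthenticated bind
    // (RFC 4513 §5.1.2), which many servers accept. Reject it before connecting.
    if ($username === '' || $password === '') {
        return null;
    }
    $ds = ldap_connect($cfg['uri']);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // 1. The static (service) user binds; it only needs read access to locate accounts.
    if (!@ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw'])) {
        ldap_unbind($ds);
        return null;
    }

    // 2. Search for the target user. The username is escaped so user input
    //    cannot change the filter structure; the result must be exactly one entry.
    $filter = sprintf('(&(objectClass=person)(uid=%s))',
                      ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr = @ldap_search($ds, $cfg['base_dn'], $filter, ['dn'], 0, 2);
    if ($sr === false || ldap_count_entries($ds, $sr) !== 1) {
        ldap_unbind($ds);
        return null; // not found, or ambiguous
    }
    $userDn = ldap_get_dn($ds, ldap_first_entry($ds, $sr));

    // 3. Re-bind as the target user with the supplied password. The directory
    //    verifies the credential, so no password hash is ever read or compared here.
    $ok = @ldap_bind($ds, $userDn, $password);
    ldap_unbind($ds);
    return $ok ? $userDn : null;
}
```

This replaces step 4 of the list above (comparing against the stored password) with a second bind, which avoids needing read access to `userPassword` at all.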
