Can PHP perform an LDAP Password Modify Extended Operation?

Using PHP, is it possible to perform the LDAP Password Modify Extended Operation as specified in RFC 3062? The password hashing scheme in the LDAP directory I am working with may change periodically, so I understand that I cannot write the new password using a specific scheme such as {SHA}; I need to use the extended operation instead and let the directory do the hashing. Is that right? The help page for ldap_set_option suggests that this is possible, but I sure can't find any sample code anywhere on the Internet. Maybe I've just lost my google-fu. TIA

+4
2 answers

LDAP clients should never pass pre-encoded passwords to a directory server. Passwords should always be sent in clear text over a secure connection, because modern professional-quality directory servers can only perform password quality checks and password history checks when they are presented with clear text passwords.

If PHP supports extended operations and extended responses, then the password modify extended operation (which requires the existing password and can generate a password if no new password is specified) is supported. I am not a PHP expert, but I believe that set_option can be used for controls (which are bound to an operation), but I don't know if PHP supports LDAP extended operations.

+1

If you handle password encryption on your side, then yes, you can use whatever encryption method you want.

For MD5: $pass_ldap = '{MD5}' . base64_encode(pack('H*', md5($pass)));

For SHA-1: $pass_ldap = '{SHA}' . base64_encode(pack('H*', sha1($pass)));

Then you use ldap_modify to update an existing user's password, or ldap_add to add a new user with an encrypted password.

I did this, and I think the LDAP server uses the "{}" prefix to determine which format is used.

-2
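Added example, not from the question or either answer: the RFC 3062 Password Modify extended operation issued from PHP with ldap_exop_passwd (available since PHP 7.2), so the directory applies its own hashing scheme and policy checks instead of the client pre-hashing as in the second answer. The host ldap.example.com and the DNs are placeholders.

```php
<?php
// Added example (not part of the original question or answers).
// Assumes PHP >= 7.2 (ldap_exop_passwd) and placeholder host/DNs.

function changePasswordViaExop(
    string $host, string $bindDn, string $bindPw,
    string $userDn, string $oldPw, string $newPw
): bool {
    $ldap = ldap_connect("ldap://$host");
    if ($ldap === false) {
        throw new RuntimeException('Malformed LDAP URI');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // The old and new passwords travel in clear text inside the extended
    // request, so the session must be protected: StartTLS here (ldaps:// works too).
    if (!ldap_start_tls($ldap)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ldap));
    }
    if (!ldap_bind($ldap, $bindDn, $bindPw)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ldap));
    }

    // RFC 3062 Password Modify (OID 1.3.6.1.4.1.4203.1.11.1). The server hashes
    // the value with its configured scheme and enforces quality/history rules;
    // the client never chooses {SHA}, {MD5}, etc.
    $result = ldap_exop_passwd($ldap, $userDn, $oldPw, $newPw);
    if ($result === false) {
        throw new RuntimeException('Password modify failed: ' . ldap_error($ldap));
    }
    ldap_unbind($ldap);
    return true;
}

// Self-service change: bind as the user and supply the current password so
// the directory can verify it before replacing the stored hash.
changePasswordViaExop(
    'ldap.example.com',
    'uid=jdoe,ou=people,dc=example,dc=com', 'current-secret',
    'uid=jdoe,ou=people,dc=example,dc=com', 'current-secret', 'new-secret'
);
```

Passing an empty new password makes ldap_exop_passwd return the server-generated password as a string instead of true, which is the optional behaviour the first answer mentions.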

Source: https://habr.com/ru/post/1396504/

