PHP LDAP Authentication - Passwordless Authentication

I get weird behavior in my LDAP authentication, I need this to authenticate users with their AD credentials, here is what I have:

    <?php
    session_start();
    $adServer = "MY IP";
    $ldapconn = ldap_connect($adServer) or $this->msg = "Could not connect to LDAP server.";
    $ldaprdn  = "DOMAIN\\" . $_POST["username"];
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $_POST["password"]);
    if ($ldapbind) {
        //$msg = "Successfully Authenticated";
        $_SESSION['loggedin'] = 1;
        $_SESSION['username'] = $_POST["username"]; // was $username, which is never assigned in this script
        header("Location: ../main.php");
        exit; // stop the script after the redirect so nothing below runs
    } else {
        header("Location: ../index.php?login_failed=1");
        exit;
    }

These are the different types of behavior that I get:

  • No username / no password = authenticated (BAD)
  • Username / No Password = authenticated (BAD)
  • Invalid username / password (both fields provided) = not authenticated
  • Valid username / password (both fields provided) = authenticated

It's hard for me to make sense of this: every user is authenticated if the password field is left empty. But if I fill in the password field, it only authenticates users with the correct credentials.

Am I doing something wrong here or do I need to start nagging IT people?

+4
3 answers

After a series of studies, I came to the conclusion that the LDAP server we use allows anonymous bindings.

More details here: https://issues.jfrog.org/jira/browse/RTFACT-3378

WARNING: Attempting to bind with an empty password always succeeds, because LDAP treats this as an "anonymous" bind even when a username is specified. Always check for a blank password before binding.

To get around this, now I check the password input field in PHP:

    $user_pass = $_POST["password"]; // the submitted password field (assumed; the snippet did not show this assignment)
    if (strlen(trim($user_pass)) == 0) {
        // login failed: never hand an empty password to ldap_bind()
    } else {
        $ldaprdn  = "DOMAIN\\" . $_POST["username"];
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $_POST["password"]);
    }

A blank password entry (or spaces) always returns a login error.

+7

Using the "simple" BIND authentication method, there are four possibilities:

  • null DN, empty password (anonymous): no authentication is performed, so the session and its authorization state are unsafe
  • DN, empty password (unauthenticated): no authentication is performed, so the session and its authorization state are unsafe
  • DN and password: authentication is performed, and either succeeds or fails
  • null DN, password: no authentication is performed, so the session and its authorization state are unsafe

Case 3 is the only one in which authentication takes place. Properly configured LDAP directory servers will reject the other three possibilities because, contrary to the assertion, authentication fails. An API method that does not throw an exception, or that returns true, does not by itself tell you whether authentication took place. The BIND result contains an integer result code that indicates whether authentication succeeded or not.

see also

+7
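As an added example (not code from the question or from either answer above), one way to put the two fixes together in PHP: refuse the three unsafe simple-bind cases from the list above before ever calling ldap_bind(), then check the bind result code rather than only the boolean. The function name ldap_authenticate(), the ldaps://dc.example.test host, the DOMAIN prefix and the account-name pattern are assumptions of this example.

```php
<?php
// Added example: a login helper that never performs an anonymous, unauthenticated
// or null-DN bind, and that treats only "bind returned true AND result code 0" as a login.

function ldap_authenticate(string $server, string $domain, ?string $username, ?string $password): bool
{
    // Cases 1, 2 and 4 above: empty DN and/or empty password must never be sent to
    // the server. Whitespace-only input counts as empty, like the strlen(trim()) check
    // in the first answer.
    $username = trim((string) $username);
    $password = (string) $password;
    if ($username === '' || trim($password) === '') {
        return false;
    }
    // Assumed account-name shape: keep the DOMAIN\user string a plain account name.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $conn = ldap_connect($server); // only validates the URI; the TCP connection is made at bind time
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Suppress the PHP warning on a failed bind; the result is checked explicitly below.
    $bound = @ldap_bind($conn, $domain . '\\' . $username, $password);
    // Case 3: success means both a true return value and LDAP result code 0.
    $ok = ($bound === true && ldap_errno($conn) === 0);
    ldap_unbind($conn);
    return $ok;
}

// Usage in the login script, replacing the unconditional ldap_bind() from the question:
// if (ldap_authenticate('ldaps://dc.example.test', 'DOMAIN',
//                       $_POST['username'] ?? null, $_POST['password'] ?? null)) {
//     session_regenerate_id(true);   // fresh session id after a successful login
//     $_SESSION['loggedin'] = 1;
//     $_SESSION['username'] = $_POST['username'];
// }
```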

Before going to the IT people, check what value is actually being passed in this line:

    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $_POST["password"]);

OK, you have probably already checked this, but do

    var_dump($ldaprdn); var_dump($_POST["password"]);

and make sure the data is accurate.

Try hard-coding the values, as in

    $ldapbind = ldap_bind($ldapconn, "username", "password");

Also check whether you need to specify the full DN for the username, for example CN=Username,DC=xxx,DC=com.

Also, sometimes you need to give the name in the form it is stored in, for example "Username" rather than "user.name".

If all of that fails, you can go and chew the IT people's heads off :-P

+2