PHP LDAP会话持久性

I am working on a website in PHP with a simple user authentication and CRUD with a LDAP. I have set rules in my AD to specify which groups can or cannot edit other groups and which attributes can edit users.

The problem is, after successfully binding the user to the AD and redirecting to another page, the session previously binded is gone.

Juste after the authentication and before the redirection, the function ldap_exop_whoami() returns me the DN of the user. But, after a redirection, it returns nothing.

I red on another post that "PHP LDAP doesn't support persistent connections." and this has been the only informations about this that i was able to find.

I need to keep the user session for user CRUD.

For example, if a user wants to edit it's password or it's first name, the ldap_mod_replace() will return "Insuficient access" surely because without proper session, the ldap might have tried an anonymous bind.

Is it normal that i cannot create simple user CRUD because of this behavior ?

For now, i see 2 solutions which aren't really security friendly.

The first would be to store user authentication informations and bind on each page.
The second would be to log as an admin each time there is an update. This is also wrong for security reasons, and it bypass all the AD configuration concerning users editions.

Am i supposed to work with this behavior ? Maybe i should use a library or something ? I'm a bit lost and all of my "solutions" aren't really good, so if anyone have a hint or an idea, i'll take it gladly.

Thanks.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dounaoji2054 2019-02-05 08:41
关注
The problem is not about LDAP, the problem is about HTTP.

HTTP is a stateless protocol whereas LDAP is a stateful protocol.

When you make a HTTP request, your PHP script is executed and terminated when the response is sent, which destroys what was created in the script (the same way a mysql connection is closed when a PHP script is terminated).

The difference is that in mysql, the notion of each user uses its own credential to operate the MySQL databases is not used, you generally set a database user which acts as the user to perform the operations.

In LDAP you want to change this behaviour because it is not secure, but ... it always was.

So like in MySQL (for example), you will have to use something like a singleton which initiates your LDAP connection at the start of each PHP script when you need to connect to the LDAP server. To do this, as you said, you have 2 solutions :

Store the user credentials and use them to open the connection on each page

Use a technical account to make the requests

The difference is that in LDAP Implementation there is mechanism which could allow the technical account to act as the user. And act as the user in the meaning that the modifications will be credited to the user (for example, it will be the user which will be referenced in the createdBy operational attribute fo the entry the user will create)

Take a look on this document to see how to implement that behaviour :

http://php.net/manual/en/function.ldap-sasl-bind.php

and

https://www.openldap.org/doc/admin24/sasl.html (Section 15.3. SASL Proxy Authorization)

NOTE: You will need to check the LDAP implementation you use to see if this mechanism is supported.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

PHP LDAP会话持久性 php
2019-02-04 15:31

回答 1 已采纳 The problem is not about LDAP, the problem is about HTTP. HTTP is a stateless protocol whereas LD
PHP LDAP绑定间歇性问题 php
2013-08-28 21:33

回答 3 已采纳 Make sure you give the full DNS name for the ldap_host, e.g. myhost.mydomain.com.
LDAP CHANGE PASSWORD PHP php ssl
2018-06-06 04:04

回答 1 已采纳 You need to be on a secured connection to modify a password (and probably other security related o
php.ini配置中文详解
2023-03-17 11:10

二零久八的博客此指令描述了PHP注册GET, POST, Cookie, 环境和内置变量的顺序 (各自使用G, P, C, E 和 S , 一般使用 EGPCS 或 GPC). 注册使用从左往右的顺序, 新的值会覆盖旧的值.mysqli_connect()默认的端口号. 如果没有设置, ...
PHP LDAP - 获取内部字段 php
2016-09-29 05:54

回答 2 已采纳 You can retrieve them using '+' as attribute-name. So you should be able to fetch them using ldap
PHP组的LDAP成员 php windows
2016-05-13 11:37

回答 1 已采纳 You might want to have a look at this stack-overflow question to see how to solve it without a lib
php ldap检索dn的值 php
2016-05-24 06:30

回答 1 已采纳 Because of ou and dc might have multiple values, you should store those values in array. Thanks to
php常见的45个漏洞及解决方案
2024-03-06 10:14

极致人生-010的博客 php常见45个漏洞及解决方案
PHP LDAP克服大小限制 php
2014-07-23 14:33

回答 1 已采纳 According to php.net/manual/...ldap-search, you should set the $sizelimit parameter to 0 to disab
保持LDAP会话 php
2012-11-16 18:59

回答 3 已采纳 PHP LDAP doesn't support persistent connections. Depending on what kind of LDAP queries you're do
从外部访问phpldap管理员 php
2015-12-07 22:19

回答 1 已采纳 I could access by correcting the url : it is a secure one, so using https://@IP-internet-box/myorg
php笔记
2021-10-11 18:20

liujiaping的博客【1】windows下php运行环境安装【2】php连接MySQL 【3】centos7下用yum的方式安装php7.2 【4】编译式安装php 【5】php日志文件【6】php.ini配置【7】php-fpm.conf重要参数详解【8】扩展mysql 【1】windows下php...
PHP LDAP，ldap_search只返回少数用户 php
2017-03-06 15:55

回答 1 已采纳 try to play with the scope (it can be sub, one, or base), if you want all entries from child OUs,
php8.0.0 正式版发布
2020-12-14 15:00

hartyu的博客下载地址：https://windows.php.net/download/ 2020年11月26日 BZ2：修复了错误＃71263（fread（）不报告bzip2.decompress错误）。 CLI：允许调试服务器通过-S localhost：0绑定到临时端口。 COM： ...
【PHP】phpini配置文件中文翻译
2019-11-14 11:27

JackMa_的博客 [PHP] ;;;;;;;;;;;;;;;;;;;;;;; ; 关于 php.ini 配置文件 ; ;;;;;;;;;;;;;;;;;;;;;;; ; PHP 的初始化文件, 必须命名为 php.ini. ; 主要是用来负责PHP的配置. ; PHP 会尝试通过一些地址来寻找和加载配置. ; 比如有...
没有解决我的问题, 去提问

悬赏问题

¥20 求数据集和代码#有偿答复
¥15 关于下拉菜单选项关联的问题
¥20 java-OJ-健康体检
¥15 rs485的上拉下拉，不会对a-b<-200mv有影响吗，就是接受时，对判断逻辑0有影响吗
¥15 使用phpstudy在云服务器上搭建个人网站
¥15 应该如何判断含间隙的曲柄摇杆机构，轴与轴承是否发生了碰撞？
¥15 vue3+express部署到nginx
¥20 搭建pt1000三线制高精度测温电路
¥15 使用Jdk8自带的算法，和Jdk11自带的加密结果会一样吗，不一样的话有什么解决方案，Jdk不能升级的情况
¥15 画两个图 python或R

PHP LDAP会话持久性

1条回答 默认 最新

悬赏问题

1条回答默认最新