I'm currently integrating LDAP authentication. I'm able to connect to my LDAP AD server and query it for data anonymously, which is fine. I'm trying to authenticate users now: when I enter my username and a random password, it fails as it should, and when I enter my real password, it passes. However, I'm able to enter MOST of my correct password, and it still passes.
e.g.:
Username: user1
Password: RandomPassword1
(works)
Username: user1
Password: Random
(fails)
Username: user1
Password: RandomPasswo
(works???)
So now I'm curious whether Active Directory maybe doesn't check the whole password, maybe it can't, or maybe the hashing algorithm it uses generates the same hash for RandomPassword1 as for RandomPasswo?
I guess my question is the one above, but also: is there a way to ensure it authenticates properly? I haven't tested this with other passwords, as I don't have access to other accounts to test with, but it definitely works when the password is RandomPassword1 (which happens to have been my password, yes; I've changed it now).
Edit: My LDAP Binding code:
function validateLoginDetails($username, $password) {
    // An empty password makes ldap_bind perform an unauthenticated (anonymous)
    // bind, which many servers accept, so reject it before contacting the server.
    if (trim($password) === '') {
        return false;
    }
    $ldap_connection = ldap_connect("server", 389);
    if ($ldap_connection === false) {
        echo "Unable to connect.";
        return false;   // do not fall through and try to bind on a failed connection
    }
    ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die("Could not set version.");
    ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0);
    // Escape the username so it cannot inject extra RDNs into the bind DN.
    $dn = "uid=" . ldap_escape($username, "", LDAP_ESCAPE_DN) . ",ou=People,o=Foo";
    $r = @ldap_bind($ldap_connection, $dn, $password);
    ldap_unbind($ldap_connection);
    return $r !== false;
}
(Note that using the same connection, I'm able to list all users and their info, and it does reject a randomly mashed password, but it accepts, as I said, a half-complete password. Maybe this is an option in AD or LDAP?)
(I've also realised that even though I've changed my password, my new password doesn't work, but the old password, RandomPassword1, still does. I'm assuming this is because AD takes a while to update or something? I'm not sure.)
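The following is an added diagnostic script, not code from the question or from any library the question uses. It lets you measure the behaviour described above directly instead of guessing: it binds once with the full password, then with every shorter prefix of it, then with an empty password, and reports which of those the server accepts. The host, port and DN template are assumptions taken from the question's code; STARTTLS is enabled so the test passwords are not sent in clear text (set USE_STARTTLS to false only if the server has no TLS at all).

```php
<?php
// Added example: probe whether an LDAP server accepts truncated or empty
// passwords for a given account. Connection details below are assumptions.
const LDAP_URI     = 'ldap://server:389';        // assumed, from the question's ldap_connect
const BIND_DN_FMT  = 'uid=%s,ou=People,o=Foo';   // assumed DN template from the question
const USE_STARTTLS = true;

function ldapConnection()
{
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('Unable to connect');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // A simple bind sends the password in clear text; upgrade to TLS first.
    if (USE_STARTTLS && !ldap_start_tls($conn)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($conn));
    }
    return $conn;
}

function bindDn(string $username): string
{
    // Escape the RDN value so a username cannot add or alter DN components.
    return sprintf(BIND_DN_FMT, ldap_escape($username, '', LDAP_ESCAPE_DN));
}

// Deliberately has no empty-password guard: the probe wants to see what the
// server itself does with an unauthenticated (DN + empty password) bind.
function rawBind($conn, string $username, string $password): bool
{
    return @ldap_bind($conn, bindDn($username), $password);
}

// What an application login check should look like: an empty password is
// rejected locally, because ldap_bind would otherwise bind anonymously.
function validateLogin($conn, string $username, string $password): bool
{
    if (trim($password) === '') {
        return false;
    }
    return rawBind($conn, $username, $password);
}

// Returns [prefix length => accepted?] for the full password down to empty.
function probePasswordPrefixes(string $username, string $password): array
{
    $conn    = ldapConnection();
    $results = [];
    for ($len = strlen($password); $len >= 0; $len--) {
        $candidate     = $len === 0 ? '' : substr($password, 0, $len);
        $accepted      = rawBind($conn, $username, $candidate);
        $results[$len] = $accepted;
        // Print only the length, never the candidate itself, so secrets do not end up in logs.
        printf("prefix length %2d -> %s\n", $len,
            $accepted ? 'ACCEPTED' : 'rejected (' . ldap_error($conn) . ')');
    }
    ldap_unbind($conn);
    return $results;
}

// Usage: php probe.php user1 'RandomPassword1'
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $results = probePasswordPrefixes($argv[1], $argv[2]);
    $full    = strlen($argv[2]);
    $shorter = array_filter($results, fn($ok, $len) => $ok && $len < $full, ARRAY_FILTER_USE_BOTH);
    if ($shorter) {
        echo "Server accepted shorter prefixes of length: " . implode(', ', array_keys($shorter)) . "\n";
    }
    if (!empty($results[0])) {
        echo "Server accepted an EMPTY password: that is an unauthenticated bind being reported as success.\n";
    }
}
```

Two things the output tells you. First, if only the full length is accepted, the server checks the whole password and the truncation is happening somewhere in your application (for example the password being cut before it reaches ldap_bind). Second, if length 0 is accepted, any login code that forwards an empty password to ldap_bind will let users in, which is why validateLogin above refuses empty passwords before touching the server. The same single bind can be reproduced from a shell with the OpenLDAP client, e.g. ldapwhoami -x -H ldap://server -D 'uid=user1,ou=People,o=Foo' -W, which prompts for the password and prints the identity the server thinks you bound as.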