doucheng5705 2013-12-29 02:36
Accepted

PHP LDAP bind using a hash

I have a client, a REST API server, and an LDAP server. I'd like the client to authenticate into the API using LDAP authentication, however I would like to avoid sending plaintext passwords.

How can I perform a PHP LDAP authentication using a hash instead of plaintext passwords?

1 answer

  • dskm94301 2013-12-29 17:16
    That's not possible in this way. So you don't want to store the plaintext password on the client side, just the hash, and send nothing but the hash to the server. Now no one can get at the real password by a) reading the client config file or b) using a network trace tool like Wireshark. But, in this scenario, the server can't know if the client knows the password or just the hash, so it trusts the hash alone. Which means anybody who can get the hash can use it instead of the password, so you gain no security at all.

    The correct thing to do is to set up your LDAP server in a way that enables SSL encryption, and to tell PHP to use the SSL encryption when connecting. From the PHP docs:

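    <?php
    // ldaps:// runs the whole LDAP session over SSL/TLS, so the bind password is encrypted in transit
    $ldaphost = "ldaps://ldap.example.com/";
    $ldaprdn  = "uid=jdoe,ou=people,dc=example,dc=com"; // placeholder bind DN
    $ldappass = "password";                               // placeholder; the password supplied by the client

    $ldapconn = ldap_connect( $ldaphost )
              or die( "Cannot connect" );
    // Simple bind: the password itself is sent, inside the encrypted channel
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    ?>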
    

    Note the ldap*s* in the URL.

    To use SSL, you need a certificate as well -- otherwise the client doesn't know the server is the real server, and could possibly send the credentials to a different server which is impersonating the real one.

    This answer was selected by the asker as the best answer.
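An added example (not part of the original answer or the PHP docs) of the bind described above with the certificate check made explicit: it refuses non-`ldaps://` URIs, requires the server certificate to validate against a CA file, and rejects empty passwords, which many servers treat as a successful unauthenticated bind. The function name, the CA file path and the `uid=...,ou=people,dc=example,dc=com` DN layout are assumptions.

```php
<?php
// Hypothetical helper: the name, the DN layout and the CA path are assumptions for this example.
function ldapAuthenticate(string $uri, string $caFile, string $user, string $pass): bool
{
    // Refuse anything but ldaps:// so the password never crosses the wire in cleartext.
    if (stripos($uri, 'ldaps://') !== 0) {
        throw new InvalidArgumentException('LDAP URI must use ldaps://');
    }
    // A simple bind with an empty password is an unauthenticated bind, which
    // many servers report as success. Never treat that as a valid login.
    if ($user === '' || $pass === '') {
        return false;
    }

    // TLS options are set globally (null link) before connecting.
    // DEMAND makes the handshake fail unless the server certificate
    // chains to the CA in $caFile and matches the host name.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);       // do not follow referrals to other servers
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Escape the user-supplied name so it cannot alter the structure of the DN.
    $dn = 'uid=' . ldap_escape($user, '', LDAP_ESCAPE_DN) . ',ou=people,dc=example,dc=com';

    // The connection is actually opened here; a TLS or certificate failure
    // makes the bind fail, so false covers both bad credentials and a bad server.
    $ok = @ldap_bind($conn, $dn, $pass);
    ldap_unbind($conn);
    return $ok;
}

// Constructed call: the empty password is rejected before any network traffic.
var_dump(ldapAuthenticate('ldaps://ldap.example.com/', '/etc/ssl/certs/ldap-ca.pem', 'jdoe', ''));
```

The client-to-API hop in the question needs the same treatment: the REST API should be served over HTTPS so the password is protected there too.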
