PHP LDAP会话持久性

I am working on a website in PHP with a simple user authentication and CRUD with a LDAP. I have set rules in my AD to specify which groups can or cannot edit other groups and which attributes can edit users.

The problem is, after successfully binding the user to the AD and redirecting to another page, the session previously binded is gone.

Juste after the authentication and before the redirection, the function ldap_exop_whoami() returns me the DN of the user. But, after a redirection, it returns nothing.

I red on another post that "PHP LDAP doesn't support persistent connections." and this has been the only informations about this that i was able to find.

I need to keep the user session for user CRUD.

For example, if a user wants to edit it's password or it's first name, the ldap_mod_replace() will return "Insuficient access" surely because without proper session, the ldap might have tried an anonymous bind.

Is it normal that i cannot create simple user CRUD because of this behavior ?

For now, i see 2 solutions which aren't really security friendly.

The first would be to store user authentication informations and bind on each page.
The second would be to log as an admin each time there is an update. This is also wrong for security reasons, and it bypass all the AD configuration concerning users editions.

Am i supposed to work with this behavior ? Maybe i should use a library or something ? I'm a bit lost and all of my "solutions" aren't really good, so if anyone have a hint or an idea, i'll take it gladly.

Thanks.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dounaoji2054 2019-02-05 08:41
关注
The problem is not about LDAP, the problem is about HTTP.

HTTP is a stateless protocol whereas LDAP is a stateful protocol.

When you make a HTTP request, your PHP script is executed and terminated when the response is sent, which destroys what was created in the script (the same way a mysql connection is closed when a PHP script is terminated).

The difference is that in mysql, the notion of each user uses its own credential to operate the MySQL databases is not used, you generally set a database user which acts as the user to perform the operations.

In LDAP you want to change this behaviour because it is not secure, but ... it always was.

So like in MySQL (for example), you will have to use something like a singleton which initiates your LDAP connection at the start of each PHP script when you need to connect to the LDAP server. To do this, as you said, you have 2 solutions :

Store the user credentials and use them to open the connection on each page

Use a technical account to make the requests

The difference is that in LDAP Implementation there is mechanism which could allow the technical account to act as the user. And act as the user in the meaning that the modifications will be credited to the user (for example, it will be the user which will be referenced in the createdBy operational attribute fo the entry the user will create)

Take a look on this document to see how to implement that behaviour :

http://php.net/manual/en/function.ldap-sasl-bind.php

and

https://www.openldap.org/doc/admin24/sasl.html (Section 15.3. SASL Proxy Authorization)

NOTE: You will need to check the LDAP implementation you use to see if this mechanism is supported.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

PHP LDAP会话持久性 php
2019-02-04 15:31

回答 1 已采纳 The problem is not about LDAP, the problem is about HTTP. HTTP is a stateless protocol whereas LD
PHP LDAP绑定间歇性问题 php
2013-08-28 21:33

回答 3 已采纳 Make sure you give the full DNS name for the ldap_host, e.g. myhost.mydomain.com.
LDAP CHANGE PASSWORD PHP php ssl
2018-06-06 04:04

回答 1 已采纳 You need to be on a secured connection to modify a password (and probably other security related o
php.ini配置中文详解
2023-03-17 11:10

二零久八的博客此指令描述了PHP注册GET, POST, Cookie, 环境和内置变量的顺序 (各自使用G, P, C, E 和 S , 一般使用 EGPCS 或 GPC). 注册使用从左往右的顺序, 新的值会覆盖旧的值.mysqli_connect()默认的端口号. 如果没有设置, ...
PHP LDAP - 获取内部字段 php
2016-09-29 05:54

回答 2 已采纳 You can retrieve them using '+' as attribute-name. So you should be able to fetch them using ldap
PHP组的LDAP成员 php windows
2016-05-13 11:37

回答 1 已采纳 You might want to have a look at this stack-overflow question to see how to solve it without a lib
php ldap检索dn的值 php
2016-05-24 06:30

回答 1 已采纳 Because of ou and dc might have multiple values, you should store those values in array. Thanks to
php常见的45个漏洞及解决方案
2024-03-06 10:14

极致人生-010的博客 php常见45个漏洞及解决方案
PHP LDAP克服大小限制 php
2014-07-23 14:33

回答 1 已采纳 According to php.net/manual/...ldap-search, you should set the $sizelimit parameter to 0 to disab
保持LDAP会话 php
2012-11-16 18:59

回答 3 已采纳 PHP LDAP doesn't support persistent connections. Depending on what kind of LDAP queries you're do
从外部访问phpldap管理员 php
2015-12-07 22:19

回答 1 已采纳 I could access by correcting the url : it is a secure one, so using https://@IP-internet-box/myorg
php笔记
2021-10-11 18:20

liujiaping的博客【1】windows下php运行环境安装【2】php连接MySQL 【3】centos7下用yum的方式安装php7.2 【4】编译式安装php 【5】php日志文件【6】php.ini配置【7】php-fpm.conf重要参数详解【8】扩展mysql 【1】windows下php...
PHP LDAP，ldap_search只返回少数用户 php
2017-03-06 15:55

回答 1 已采纳 try to play with the scope (it can be sub, one, or base), if you want all entries from child OUs,
php8.0.0 正式版发布
2020-12-14 15:00

hartyu的博客下载地址：https://windows.php.net/download/ 2020年11月26日 BZ2：修复了错误＃71263（fread（）不报告bzip2.decompress错误）。 CLI：允许调试服务器通过-S localhost：0绑定到临时端口。 COM： ...
php配置文件详解(phg.ini php-fpm.conf)
2019-10-24 22:58

向上攀登的菜鸡的博客 #vim /etc/php.ini [PHP] #语言选项engine = On #php脚本语言，使其在Apache下生效(默认是on)short_open_tag = On #允许tags被识别(默认是off)asp_tags = Off #允许ASP-style tags(...
没有解决我的问题, 去提问

悬赏问题

¥15 Stata链式中介效应代码修改
¥15 latex投稿显示click download
¥15 请问读取环境变量文件失败是什么原因？
¥15 在若依框架下实现人脸识别
¥15 网络科学导论，网络控制
¥100 安卓tv程序连接SQLSERVER2008问题
¥15 利用Sentinel-2和Landsat8做一个水库的长时序NDVI的对比，为什么Snetinel-2计算的结果最小值特别小，而Lansat8就很平均
¥15 metadata提取的PDF元数据，如何转换为一个Excel
¥15 关于arduino编程toCharArray()函数的使用
¥100 vc++混合CEF采用CLR方式编译报错

PHP LDAP会话持久性

1条回答 默认 最新

悬赏问题

1条回答默认最新