dqftyn1717 2019-02-04 15:31
浏览 85


I am working on a website in PHP with a simple user authentication and CRUD with a LDAP. I have set rules in my AD to specify which groups can or cannot edit other groups and which attributes can edit users.

The problem is, after successfully binding the user to the AD and redirecting to another page, the session previously binded is gone.

Juste after the authentication and before the redirection, the function ldap_exop_whoami() returns me the DN of the user. But, after a redirection, it returns nothing.

I red on another post that "PHP LDAP doesn't support persistent connections." and this has been the only informations about this that i was able to find.

I need to keep the user session for user CRUD.

For example, if a user wants to edit it's password or it's first name, the ldap_mod_replace() will return "Insuficient access" surely because without proper session, the ldap might have tried an anonymous bind.

Is it normal that i cannot create simple user CRUD because of this behavior ?

For now, i see 2 solutions which aren't really security friendly.

  • The first would be to store user authentication informations and bind on each page.

  • The second would be to log as an admin each time there is an update. This is also wrong for security reasons, and it bypass all the AD configuration concerning users editions.

Am i supposed to work with this behavior ? Maybe i should use a library or something ? I'm a bit lost and all of my "solutions" aren't really good, so if anyone have a hint or an idea, i'll take it gladly.


  • 写回答

1条回答 默认 最新

  • dounaoji2054 2019-02-05 08:41

    The problem is not about LDAP, the problem is about HTTP.

    HTTP is a stateless protocol whereas LDAP is a stateful protocol.

    When you make a HTTP request, your PHP script is executed and terminated when the response is sent, which destroys what was created in the script (the same way a mysql connection is closed when a PHP script is terminated).

    The difference is that in mysql, the notion of each user uses its own credential to operate the MySQL databases is not used, you generally set a database user which acts as the user to perform the operations.

    In LDAP you want to change this behaviour because it is not secure, but ... it always was.

    So like in MySQL (for example), you will have to use something like a singleton which initiates your LDAP connection at the start of each PHP script when you need to connect to the LDAP server. To do this, as you said, you have 2 solutions :

    • Store the user credentials and use them to open the connection on each page
    • Use a technical account to make the requests

    The difference is that in LDAP Implementation there is mechanism which could allow the technical account to act as the user. And act as the user in the meaning that the modifications will be credited to the user (for example, it will be the user which will be referenced in the createdBy operational attribute fo the entry the user will create)

    Take a look on this document to see how to implement that behaviour :



    https://www.openldap.org/doc/admin24/sasl.html (Section 15.3. SASL Proxy Authorization)

    NOTE: You will need to check the LDAP implementation you use to see if this mechanism is supported.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?



    • ¥15 Qt 不小心删除了自带的类,该怎么办
    • ¥15 我需要在PC端 开两个抖店工作台客户端.(语言-java)
    • ¥15 有没有哪位厉害的人可以用C#可视化呀
    • ¥15 可以帮我看看代码哪里错了吗
    • ¥15 设计一个成绩管理系统
    • ¥15 PCL注册的选点等函数如何取消注册
    • ¥15 问一下各位,为什么我用蓝牙直接发送模拟输入的数据,接收端显示乱码呢,米思齐软件上usb串口显示正常的字符串呢?
    • ¥15 Python爬虫程序
    • ¥15 crypto 这种的应该怎么找flag?
    • ¥15 代码已写好,求帮我指出错误,有偿!