dqftyn1717 2019-02-04 15:31
Views: 85
Accepted

PHP LDAP session persistence

I am working on a website in PHP with a simple user authentication and CRUD with a LDAP. I have set rules in my AD to specify which groups can or cannot edit other groups and which attributes can edit users.

The problem is, after successfully binding the user to the AD and redirecting to another page, the session previously bound is gone.

Just after the authentication and before the redirection, the function ldap_exop_whoami() returns the DN of the user. But, after a redirection, it returns nothing.

I read on another post that "PHP LDAP doesn't support persistent connections." and this has been the only information about this that I was able to find.

I need to keep the user session for user CRUD.

For example, if a user wants to edit its password or its first name, the ldap_mod_replace() will return "Insufficient access", surely because without a proper session, the ldap might have tried an anonymous bind.

Is it normal that I cannot create a simple user CRUD because of this behavior?

For now, I see 2 solutions which aren't really security friendly.

  • The first would be to store user authentication information and bind on each page.

  • The second would be to log in as an admin each time there is an update. This is also wrong for security reasons, and it bypasses all the AD configuration concerning user edits.

Am I supposed to work with this behavior? Maybe I should use a library or something? I'm a bit lost and all of my "solutions" aren't really good, so if anyone has a hint or an idea, I'll take it gladly.

Thanks.


1 answer

  • dounaoji2054 2019-02-05 08:41

    The problem is not about LDAP, the problem is about HTTP.

    HTTP is a stateless protocol whereas LDAP is a stateful protocol.

    When you make an HTTP request, your PHP script is executed and terminated when the response is sent, which destroys what was created in the script (the same way a mysql connection is closed when a PHP script is terminated).

    The difference is that in mysql, the notion of each user using its own credentials to operate the MySQL database is not used; you generally set a database user which acts as the user to perform the operations.

    In LDAP you want to change this behaviour because it is not secure, but ... it always was.

    So like in MySQL (for example), you will have to use something like a singleton which initiates your LDAP connection at the start of each PHP script when you need to connect to the LDAP server. To do this, as you said, you have 2 solutions:

    • Store the user credentials and use them to open the connection on each page
    • Use a technical account to make the requests

    The difference is that in the LDAP implementation there is a mechanism which could allow the technical account to act as the user. And act as the user in the sense that the modifications will be credited to the user (for example, it will be the user which will be referenced in the createdBy operational attribute of the entry the user will create).

    Take a look at this document to see how to implement that behaviour:

    http://php.net/manual/en/function.ldap-sasl-bind.php

    and

    https://www.openldap.org/doc/admin24/sasl.html (Section 15.3. SASL Proxy Authorization)

    NOTE: You will need to check the LDAP implementation you use to see if this mechanism is supported.

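The pattern the accepted answer describes, shown as an added example that is not code from the question or the answer: each PHP request opens one LDAP connection, binds with a technical (service) account, and then uses SASL proxy authorization so the directory applies the logged-in user's own ACLs to every write. Login verifies the user's password once with a simple bind and keeps only the DN in the session, never the password, which avoids the first "solution" from the question. Everything here is assumed: PHP 8.1+ (for the `LDAP\Connection` type), slapd with SASL PLAIN over TLS and an `authzTo`/`authzFrom` policy that lets the service account assume users, the `LDAP_URI`, `LDAP_SERVICE_AUTHCID` and `LDAP_SERVICE_PW` environment variables, and the placeholder host and DNs; the exact authcid form depends on the server's `authz-regexp` mapping, and the NOTE in the answer applies (Active Directory does not offer this mechanism the way OpenLDAP does).

```php
<?php
declare(strict_types=1);

// Added example (not from the original question or answer).
// One LDAP connection per PHP request, bound by a service account and
// proxy-authorized as the user, so the directory enforces the user's ACLs.
// All hosts, DNs and env-var names are placeholders / assumptions.

final class LdapSession
{
    private static ?\LDAP\Connection $conn = null;

    /** Open and bind once per script execution; reuse within the request. */
    public static function forUser(string $userDn): \LDAP\Connection
    {
        if (self::$conn !== null) {
            return self::$conn;
        }

        $uri     = getenv('LDAP_URI') ?: 'ldaps://ldap.example.test';   // placeholder
        $authcid = getenv('LDAP_SERVICE_AUTHCID') ?: 'webapp';         // placeholder
        $pw      = getenv('LDAP_SERVICE_PW');                          // never hard-code
        if ($pw === false || $pw === '') {
            throw new RuntimeException('service account password not configured');
        }

        $ldap = ldap_connect($uri);
        if ($ldap === false) {
            throw new RuntimeException('ldap_connect failed');
        }
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

        // authcid = identity we prove (service account);
        // authzid = identity we ask to act as (the user verified at login).
        // slapd honours authzid only if its proxy-authorization policy allows it.
        $bound = ldap_sasl_bind($ldap, null, $pw, 'PLAIN', null, $authcid, 'dn:' . $userDn);
        if (!$bound) {
            throw new RuntimeException('SASL proxy bind refused: ' . ldap_error($ldap));
        }

        // Same check the question used: after the proxy bind the effective
        // identity must be the user, otherwise refuse to do any writes.
        $who = ldap_exop_whoami($ldap);
        if ($who === false || strcasecmp($who, 'dn:' . $userDn) !== 0) {
            throw new RuntimeException('unexpected authorization identity: ' . var_export($who, true));
        }

        return self::$conn = $ldap;
    }

    /** Example CRUD operation executed under the user's own permissions. */
    public static function setGivenName(string $userDn, string $givenName): bool
    {
        $ldap = self::forUser($userDn);
        $ok = ldap_mod_replace($ldap, $userDn, ['givenName' => $givenName]);
        if (!$ok) {
            // "Insufficient access" here now means the directory's ACLs denied
            // the change for this user, not that the bind was anonymous.
            error_log('ldap_mod_replace failed: ' . ldap_error($ldap));
        }
        return $ok;
    }
}

/**
 * Login: verify the user's own password with a simple bind on a throw-away
 * connection, then store only the DN in the session (never the password).
 */
function loginUser(string $userDn, string $password): bool
{
    // ldap_bind() with an empty password performs an anonymous bind, which
    // would "succeed" for any DN; reject it explicitly.
    if ($password === '') {
        return false;
    }
    $ldap = ldap_connect(getenv('LDAP_URI') ?: 'ldaps://ldap.example.test'); // placeholder
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = @ldap_bind($ldap, $userDn, $password);
    ldap_unbind($ldap);
    if ($ok) {
        session_regenerate_id(true);
        $_SESSION['ldap_dn'] = $userDn;
    }
    return $ok;
}

// On any later page (each request re-establishes the LDAP session):
// session_start();
// LdapSession::setGivenName($_SESSION['ldap_dn'], 'Alice');
```

The `ldap_exop_whoami()` check is the important guard: if the proxy-authorization policy is missing or misconfigured, slapd may still accept the bind but leave the service account as the effective identity, and every write would then run with the service account's rights instead of the user's. Failing closed there keeps the AD/LDAP ACLs as the authority, which is the point of avoiding the "log in as admin" approach.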
