Alberto Moreno portsbsd@gmail.com writes:
Hi people, I am doing a web interface that will request a username + password; like squirrelmail, I will contact my ldap server. This app will run on Centos 5.3, php 5.3, which will be where my web pages will be; the ldap server is running on Gentoo with ldap 2.3.43.
My current problem is with the password. I have found a small app that wants to compare the input of the password vs the ldap password; this will let us identify the user.
This application is broken and raises a security issue. The proper way is to do a bind with the provided credentials. Furthermore you cannot do a ldapcompare with hashed passwords. [...]
-Dieter
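
The bind-based check recommended in the reply, written out as an added example that is not part of the original thread. The server URI, base DN, `uid` attribute, the two function names and the anonymous-search permission are assumptions; the escaping helper is hand-written because PHP 5.3 has no `ldap_escape()`.

```php
<?php
// Added example: authenticate by binding as the user, never by comparing password values.
// Assumed (hypothetical) values: server URI, base DN, uid attribute, anonymous search allowed.
define('LDAP_URI', 'ldap://ldap.example.com');
define('BASE_DN',  'ou=people,dc=example,dc=com');

// Escape a value for use inside a search filter (RFC 4515), so the username cannot alter the filter.
function ldap_filter_escape($value)
{
    return str_replace(
        array('\\', '*', '(', ')', "\x00"),          // backslash first, so it is not re-escaped
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

function ldap_authenticate($username, $password)
{
    // A DN with an empty password is an "unauthenticated bind" (RFC 4513, 5.1.2);
    // some servers report it as success, so reject it before contacting the server.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // A simple bind sends the password itself, so require TLS before anything else.
    if (!@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }
    // Resolve the login name to exactly one DN ('1.1' = return no attributes, only the DN).
    $filter  = '(uid=' . ldap_filter_escape($username) . ')';
    $result  = @ldap_search($conn, BASE_DN, $filter, array('1.1'), 0, 2);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if (!$entries || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;
    }
    // The server checks the password against whatever hash it stores; the app never reads it.
    $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
    ldap_unbind($conn);
    return $ok;
}
```

With this approach the web application needs no read access to `userPassword`, and the stored hash scheme can change on the server without touching the PHP code.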