Alberto Moreno <portsbsd(a)gmail.com> writes:
> Hi people, I am doing a web interface that will request a username +
> password. Like SquirrelMail, I will contact my LDAP server. This app
> will run on CentOS 5.3, PHP 5.3; this will be where my web pages will
> be. The LDAP server is running on Gentoo with ldap 2.3.43.
>
> My current problem is with the password: I have found a small app that
> wants to compare the input of the password vs the LDAP password; this
> will let us identify the user.

This application is broken and raises a security issue. The proper way
is to do a bind with the provided credentials. Furthermore you cannot
do a ldapcompare with hashed passwords.

Dieter Klünter | Systemberatung
GPG Key ID:8EF7B6C6
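
The bind-based check recommended in the reply, as an added example that is not part of the original thread and is not code from either poster. It assumes a service account that may search the directory, users identified by `uid`, and StartTLS on the server; the host name, DNs and the function names `escape_filter_value`, `find_and_bind` and `ldap_authenticate` are constructed for illustration.

```php
<?php
// Added example. Host, DNs and the uid attribute are constructed placeholders.
const LDAP_URI   = 'ldap://ldap.example.org';
const BASE_DN    = 'ou=people,dc=example,dc=org';
const SERVICE_DN = 'cn=webapp,ou=services,dc=example,dc=org';

// Escape RFC 4515 filter metacharacters; the backslash must be replaced first.
function escape_filter_value($value)
{
    return str_replace(
        array('\\', '*', '(', ')', "\0"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Find the user's DN as the service account, then bind as that DN.
function find_and_bind($conn, $username, $password, $servicePassword)
{
    // Encrypt the session before any password is sent.
    if (!@ldap_start_tls($conn)) { return false; }
    if (!@ldap_bind($conn, SERVICE_DN, $servicePassword)) { return false; }

    $filter = '(uid=' . escape_filter_value($username) . ')';
    // '1.1' requests no attributes; size limit 2 is enough to detect ambiguity.
    $result = @ldap_search($conn, BASE_DN, $filter, array('1.1'), 0, 2);
    if (!$result) { return false; }
    $entries = ldap_get_entries($conn, $result);
    if (!$entries || $entries['count'] !== 1) { return false; }

    // The server checks the password against its stored (possibly hashed)
    // value; the application never reads userPassword.
    return @ldap_bind($conn, $entries[0]['dn'], $password);
}

function ldap_authenticate($username, $password, $servicePassword)
{
    // A DN with an empty password is an "unauthenticated bind", which some
    // servers report as success, so reject empty input before binding.
    if ($username === '' || $password === '') { return false; }
    $conn = ldap_connect(LDAP_URI);
    if (!$conn) { return false; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs v3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    $ok = find_and_bind($conn, $username, $password, $servicePassword);
    ldap_unbind($conn);
    return $ok;
}
```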