http://www.perlmonks.org?node_id=250596


in reply to Re: RFC: Net::LDAP::Simple
in thread RFC: Net::LDAP::Simple

This question is OT from the original post.

I've a question about the authentication method you describe. What were the reasons to retrieve the password using an anonymous bind versus trying to bind with the username/password pair given? I'm doing similar work but our dir server does not allow an anonymous bind to retrieve the userPassword attribute.

Re: Re: Re: RFC: Net::LDAP::Simple
by submersible_toaster (Chaplain) on Apr 16, 2003 at 00:46 UTC

    Still a good question!
    The main reason (although it is not obvious from the code) is that there are many OUs beneath the userbase DN, for reasons too lengthy to explain here. Hence I cannot explicitly bind the given user as

    $ldap->bind( "cn=$user," . $self->{ldap}{userbase}, password => $password )
    since that user may be in any of a number of sub-OUs beneath the userbase. I admit that there was much "umm" and "err" about using an anonymous bind to find the user entry, then rebinding with that DN and the supplied password. The directory in question is accessible only from 127.0.0.1, and it is not involved in any way in storing system accounts. My concerns about userPassword hashes being stolen are largely moot if they can only be accessed locally; if a malicious user is already local, I have more problems than them having anon read access to LDAP!

    Please post some code if you can, or in the least read/comment my meditation that more fully explains what I am stabbing in the dark at.


    I can't believe it's not psellchecked
      I'm not really sure what you are asking for in the last sentence, but I did read your meditation about the WIP delivery system. My taste is to leverage what already exists (in this case using an LDAP bind call to authenticate users). Do you ever anticipate implementing a password policy that requires changes (e.g. once a quarter)? In my project I have to be able to support a password policy for accounts in the directory -- so I think my authentication method has to be a bind as the user. Our directory is public, so I don't think allowing anonymous access to userPassword would be a good idea.
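The search-then-bind flow described in the reply above (anonymous search to locate the entry among the sub-OUs, then a rebind as that DN with the supplied password) is also what the "bind as the user" approach in the last comment amounts to, and it avoids reading userPassword at all. Below is an added example in Net::LDAP showing that flow end to end; it is not code from the thread or from Net::LDAP::Simple. The host, base DN, and filter attribute are assumptions for illustration, and the optional service-account bind stands in for the anonymous bind where a directory does not permit anonymous search.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Constructed settings for illustration (not from the original post):
# a directory on localhost with user entries anywhere beneath $userbase.
my %cfg = (
    host     => 'ldap://127.0.0.1',
    userbase => 'ou=People,dc=example,dc=com',
    # Credentials used only to search for the user's entry. undef means an
    # anonymous bind, as in the reply above; a read-only service account is
    # the usual substitute when the directory forbids anonymous search.
    bind_dn  => undef,
    bind_pw  => undef,
);

# Returns the authenticated user's DN, or undef on any failure.
sub authenticate {
    my ($user, $password) = @_;

    # Reject an empty password before any bind is attempted: RFC 4513 allows
    # a server to treat "DN plus empty password" as an unauthenticated bind
    # that succeeds, which would let anyone log in as any known user.
    return undef unless defined $user     && length $user;
    return undef unless defined $password && length $password;

    my $ldap = Net::LDAP->new($cfg{host}, timeout => 10) or return undef;

    # Step 1: bind for the search (anonymous, or as the service account).
    my $mesg = defined $cfg{bind_dn}
        ? $ldap->bind($cfg{bind_dn}, password => $cfg{bind_pw})
        : $ldap->bind;
    return undef if $mesg->is_error;

    # Step 2: find the entry anywhere under the userbase (scope 'sub').
    # The username is escaped so it cannot rewrite the filter.
    my $filter = sprintf '(&(objectClass=person)(cn=%s))',
                         escape_filter_value($user);
    $mesg = $ldap->search(
        base   => $cfg{userbase},
        scope  => 'sub',
        filter => $filter,
        attrs  => ['1.1'],   # '1.1' requests no attributes; only the DN is needed
    );
    return undef if $mesg->is_error;

    # Exactly one match: zero means unknown user, more than one is ambiguous
    # and must not be resolved by picking the first entry.
    return undef unless $mesg->count == 1;
    my $dn = $mesg->entry(0)->dn;

    # Step 3: rebind as the located DN with the supplied password. The server
    # performs the password check, so userPassword is never read by this code.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = !$mesg->is_error;
    $ldap->unbind;

    return $ok ? $dn : undef;
}

# Command-line usage: perl auth.pl <username> <password>
if (!caller) {
    my ($user, $pw) = @ARGV;
    my $dn = authenticate($user, $pw);
    print defined $dn ? "authenticated as $dn\n" : "authentication failed\n";
}
```

Because the final step is a bind as the user, any password policy the directory enforces (expiry, lockout) is applied by the server on that bind, which is the property the last comment is after; the anonymous-read-of-userPassword approach cannot give that. If the directory is reached over anything other than 127.0.0.1, the bind should go over TLS (Net::LDAP's start_tls or an ldaps:// host) since the user's password crosses the wire in the clear otherwise.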