stackoom
  简体   繁体   中英

PHP with TLS for secure LDAP

 原文  2016-07-02 11:14:01       php/ security/ ssl/ ldap

Question

I am trying to use remote LDAP server. For the purpose of security, I am trying to use only secure connection. I am able to get some code working but I am not sure, given the PHP documentation of start TLS itself, that if the following code works only on secure channel. Can anyone help with this please? 

$is_valid_user = FALSE;

try {
    $ds = ldap_connect('ldap.foo.com', 389);
    if (! ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)) {
        return "";
    }

    if (! ldap_start_tls($ds)) {
        return "";
    }
} catch(Exception $e) {
    return "";
}

if (! ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
    $error = "LDAP Server protocol error.";
    return "";
}

try {
    $bnd = @ldap_bind($ds, 'uid='.$user.', ou=people, dc=ldap, dc=foo, dc=com' , $passwd);

    if ($bnd) {
        $is_valid_user = TRUE;

        $srch=ldap_search($ds, 'dc=ldap, dc=foo, dc=com', "uid=$user");
        $info=ldap_get_entries($ds, $srch);
        $userdn=$info[0]["dn"];
        $usernm=$info[0]["cn"][0];

        return $usernm;
    } else {
        return "";
    }
} catch(Exception $e) {
    return "";
}

1 answers

solution1
 1 ACCPTED  2016-07-02 20:31:13

Just a few general improvements below. And yes, how that's written it will not continue unless the connection is encrypted via TLS. The LDAP module doesn't throw any exceptions at the moment, so the try/catch block is not really needed. Hard to tell without seeing the rest of your code, but is there a reason you want to return an empty string instead of false or null or some sort of error message? 

$is_valid_user = false;

$ds = ldap_connect('ldap.foo.com', 389);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

if (!@ldap_start_tls($ds)) {
    return "";
}

$bindUser = 'uid='.ldap_escape($user, null, LDAP_ESCAPE_DN).',ou=people,dc=ldap,dc=foo,dc=com';
if (@ldap_bind($ds, $bindUser , $passwd)) {
    $is_valid_user = true;

    $srch = ldap_search($ds, $bindUser, '(objectClass=*)', ['cn']);
    $info = ldap_get_entries($ds, $srch);
    $userdn = $info[0]["dn"];
    $usernm = $info[0]["cn"][0];

    return $usernm;
} else {
    return "";
}

There are also several LDAP libraries available that make LDAP much easier with PHP. I would recommend LdapTools or adldap2 .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Secure LDAP PHP Script? php7 ldap connect and bind via TLS Secure LDAP works with PHP CLI but not through apache can not bind to the LDAP directory with secure connection with php Connecting to a non-secure LDAP server via PHP on a Secure Domain PHP - LDAP search working sporadically over TLS/SSL How to use multiple TLS certificates for LDAP from php/Zend? Enable TLS 1.2 for ldap_* functions in PHP 5.3 How do I solve ldap_start_tls() “Unable to start TLS: Connect error” in PHP? php LDAP bind on secure remote server Windows fail
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM