
Php Ldap Sanitizing and ldap bind

I'm trying to authenticate users with ldap. I have the above code for sanitizing the user input.

function ldapSanitize($val) {
    // Escape the characters that are special in an LDAP search filter (RFC 4515).
    $sanitized = array('\\'   => '\5c',
                       '*'    => '\2a',
                       '('    => '\28',
                       ')'    => '\29',
                       "\x00" => '\00');

    return str_replace(array_keys($sanitized), array_values($sanitized), $val);
}

I call the ldapSanitize for the username and the password like this

$uname = ldapSanitize($username);
$pass = ldapSanitize($password);

and then I use bind to authenticate a user

$ad = @ldap_connect(Config::ldaphost);
if ($ad) {
    $bind = @ldap_bind($ad, $uname, $pass);
    if ($bind) {
        return true;
    }
}
return false;

My problem is that if the password has the * character it transforms it to \2a and the authentication fails. For example, if the password is "somepassword*" it changes it to "somepassword\2a" and the bind fails.

So I was wondering how I can sanitize the password but also be able to authenticate with bind.

You should not sanitize passwords. RFC 4511 says that textual passwords should be transferred as UTF-8. Non-textual passwords must not be altered.

LDAP servers treat passwords as octet strings.

Here is the relevant paragraph from RFC 4511 ( https://tools.ietf.org/search/rfc4511#section-4.2 ):

 Textual passwords (consisting of a character sequence with a known
 character set and encoding) transferred to the server using the
 simple AuthenticationChoice SHALL be transferred as UTF-8 [RFC3629]
 encoded [Unicode].  Prior to transfer, clients SHOULD prepare text
 passwords as "query" strings by applying the SASLprep [RFC4013]
 profile of the stringprep [RFC3454] algorithm.  Passwords
 consisting of other data (such as random octets) MUST NOT be
 altered.  The determination of whether a password is textual is a
 local client matter.

Note that it states that the 'client should prepare text passwords as "query" strings' and references other standards.
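As an added example, not code from the original question or answer, here is the bind flow rewritten so that the username is escaped for the one context in which it is actually interpreted (a search filter, using PHP's built-in ldap_escape()) while the password is handed to ldap_bind() exactly as typed. The LDAPS host, base DN, read-only service account, and the use of sAMAccountName as the login attribute are assumptions for illustration; adjust them to your directory.

```php
<?php
// Added example (not the original poster's code). Assumptions: the directory is
// reachable over LDAPS, a read-only service account exists for the DN lookup,
// and users are keyed by sAMAccountName (Active Directory). Adjust for your tree.

function findUserDn($ad, string $baseDn, string $username): ?string
{
    // The username is attacker-controlled and is interpolated into a search
    // filter, so it gets RFC 4515 filter escaping: \ * ( ) NUL -> \5c \2a \28 \29 \00.
    // ldap_escape() has been built into PHP since 5.6 and does for this context
    // what the hand-written ldapSanitize() in the question does.
    $escaped = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter  = "(&(objectClass=user)(sAMAccountName={$escaped}))";

    $res = @ldap_search($ad, $baseDn, $filter, ['dn']);
    if ($res === false) {
        return null;
    }
    $entries = ldap_get_entries($ad, $res);
    // Exactly one match, otherwise refuse: zero means unknown user, more than
    // one means the filter matched something it should not have.
    if ($entries['count'] !== 1) {
        return null;
    }
    return $entries[0]['dn'];
}

function authenticate(string $host, string $baseDn, string $serviceDn, string $servicePw,
                      string $username, string $password): bool
{
    // An empty password is not a credential: with a non-empty name it makes the
    // server perform an "unauthenticated" bind (RFC 4513 section 5.1.2), which
    // Active Directory and some other servers accept. Reject it before any bind.
    if ($password === '') {
        return false;
    }

    $ad = ldap_connect("ldaps://{$host}");
    if ($ad === false) {
        return false;
    }
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);

    $ok = false;
    // Step 1: bind with the service account and resolve the user's DN.
    if (@ldap_bind($ad, $serviceDn, $servicePw)) {
        $userDn = findUserDn($ad, $baseDn, $username);
        // Step 2: bind as the user. The password is passed exactly as the user
        // typed it: to the server it is an octet string that never enters a
        // filter or a DN, so escaping it only guarantees a wrong credential:
        //   ldap_escape('somepassword*', '', LDAP_ESCAPE_FILTER) === 'somepassword\2a'
        if ($userDn !== null) {
            $ok = @ldap_bind($ad, $userDn, $password);
        }
    }
    ldap_unbind($ad);
    return $ok;
}

// Usage with assumed values (service-account password read from the environment):
// $ok = authenticate('dc01.example.internal', 'DC=example,DC=internal',
//                    'CN=svc-ldap,OU=Service Accounts,DC=example,DC=internal',
//                    getenv('LDAP_SVC_PASSWORD'), $_POST['username'], $_POST['password']);
```

Two points on the design. First, escaping is per context: if you instead build the bind DN yourself from the username (for example "CN={user},OU=Users,..."), escape it with LDAP_ESCAPE_DN (RFC 4514 rules), not the filter rules, and if you bind with a bare Active Directory logon name or UPN as the question does, no escaping applies at all because the value is not parsed as a filter. Second, the SASLprep step the RFC recommends for textual passwords is not applied here (PHP has no built-in for it); for printable ASCII passwords SASLprep is the identity, so this matters only if your users have non-ASCII passwords and your server applies the same preparation on its side.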
