
PHP with LDAP


hackalive


Hi guys,

So I am making a PHP site that I will host and others can make use of (after creating an account), however I want to integrate it with their local LDAP accounts/server.

I do not want to distribute copies of the software for them to put on their servers.

So I am thinking they would first need to visit myproduct.theircompany.com to login (this code would be on a server able to access their LDAP server), which when it returns as authenticated (OK) it would then redirect to myproduct.com and have them as logged in.

Now my issue is, how do I stop people being able to spoof myproduct.com into thinking someone is logged in, how do I pass the data back from myproduct.theircompany.com to myproduct.com?

Any ideas?

Or questions?

Cheers


I guess you could do a couple of approaches.

1. Host the login on your server. Make myproduct.theircompany.com forward to the login page.

2. Host the login on your server, but on myproduct.theircompany.com use an include for the login form. Looks like it is hosted on their server but in reality the form itself is included from your server.

3. Store session information in a database and use a custom session save handler.

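Option 3 above in working form, as an added example that is not code from the thread: a database-backed session save handler, so that every host pointing at the same database (the LDAP-side host and myproduct.com) reads and writes the same session records. It requires PHP 8.0+ with PDO; the `sessions` table layout and the in-memory SQLite database are assumptions made for the example, standing in for a shared database server.

```php
<?php
// Added example (not from the thread): a database-backed PHP session handler,
// the "custom session save handler" of option 3. Every host that uses the same
// database sees the same session data. Requires PHP 8.0+ and PDO.
// The table layout and the SQLite in-memory database are assumptions; a shared
// MySQL/PostgreSQL server would be used in practice.
class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['data'] : ''; // '' means "new, empty session"
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE works on both SQLite and MySQL; it inserts or overwrites the row.
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }

    // Needed for session.use_strict_mode: only ids this store already holds are accepted,
    // so a client cannot simply pick its own session id and have it honoured.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $st->execute([$id]);
        return $st->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->db->prepare('UPDATE sessions SET updated = ? WHERE id = ?')->execute([time(), $id]);
    }
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data BLOB NOT NULL, updated INTEGER NOT NULL)');

ini_set('session.use_strict_mode', '1');        // reject session ids the store never issued
session_set_save_handler(new DbSessionHandler($db), true);
session_start();
$_SESSION['user'] = 'alice';                    // written to the shared table at shutdown
```

A shared store on its own does not solve the hand-off in the question: the browser's session cookie for myproduct.theircompany.com is never sent to myproduct.com, so the session id (or some other proof of login) still has to be carried across the redirect, and that is the step that needs protecting against spoofing.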

I recently did the same thing for work.

We used a very simple mechanism where we created a public / private key pair which both systems were aware of.

On the client system you compose a query string containing your public key and your data, and your data hashed together with the private key.

Something like:

```php
$private_key = 'fooisgood';

$s = 'public_key=thisisfoo&data=is_valid';

// Hash the data together with the private key; the key itself is never sent.
$hash = md5($s . $private_key);

$s .= '&hash=' . $hash;
```

You then send $s to your server system.

On the receiving end we can now validate that this string was sent from a system that knows our private key by checking it. eg;

```php
$private_key = 'fooisgood';

$public_key = $_GET['public_key'];
$data       = $_GET['data'];
$hash       = $_GET['hash'];

// Recompute the hash with our copy of the private key and compare it to the one sent.
if (md5("public_key={$public_key}&data={$data}" . $private_key) === $hash) {
  // is_valid is true.
}
```

Of course I wouldn't use md5 and we added a bunch more stuff to this including a timestamp so that each request only had a short lifespan (60 seconds), but you get the idea.

This is a VERY simple mechanism however. It is blown quite easily if your code gets distributed into the wrong hands as the algorithm is found out.

However, for a lot of cases, this mechanism is fine.

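The scheme in the reply above, carried through with the additions the poster mentions (a timestamp with a 60-second lifespan) plus a nonce against replay, as an added example that is not the poster's code: the signature is an HMAC-SHA256 over a canonical query string, compared in constant time. Both hosts hold the same secret and it never appears in the URL. The names `build_handoff`, `verify_handoff`, `HANDOFF_TTL`, the field names and the placeholder secret are assumptions made for this example; it needs PHP 7.1+.

```php
<?php
// Added example (not from the thread): an HMAC-signed, short-lived hand-off
// token in place of the md5 scheme above. Both hosts hold the same secret;
// the secret never appears in the URL. Requires PHP 7.1+ (hash_equals, random_bytes).
// $secret, the field names and HANDOFF_TTL are assumptions for this example.

const HANDOFF_TTL = 60; // seconds a token stays valid, as in the post above

// Canonical payload: fixed field order, so both sides sign identical bytes.
function handoff_payload(string $client, string $user, string $ts, string $nonce): string
{
    return http_build_query(['client' => $client, 'user' => $user, 'ts' => $ts, 'nonce' => $nonce]);
}

// Built on myproduct.theircompany.com once the LDAP bind succeeded.
function build_handoff(string $secret, string $client, string $user, int $now): string
{
    $nonce   = bin2hex(random_bytes(16));              // makes each token single-use
    $payload = handoff_payload($client, $user, (string) $now, $nonce);
    $sig     = hash_hmac('sha256', $payload, $secret);
    return $payload . '&sig=' . $sig;
}

// Run on myproduct.com. Returns the verified user name, or null on any failure.
// $seen is a nonce cache (in production: a shared store such as the session database).
function verify_handoff(string $secret, string $query, int $now, array &$seen): ?string
{
    parse_str($query, $p);
    foreach (['client', 'user', 'ts', 'nonce', 'sig'] as $f) {
        if (!isset($p[$f]) || !is_string($p[$f])) {
            return null;                                   // missing or malformed field
        }
    }
    $expected = hash_hmac('sha256', handoff_payload($p['client'], $p['user'], $p['ts'], $p['nonce']), $secret);
    if (!hash_equals($expected, $p['sig'])) {
        return null;                                       // forged or tampered; constant-time compare
    }
    if (!preg_match('/^\d+$/', $p['ts']) || abs($now - (int) $p['ts']) > HANDOFF_TTL) {
        return null;                                       // expired, or the two clocks disagree too much
    }
    if (isset($seen[$p['nonce']])) {
        return null;                                       // replay of a captured URL
    }
    $seen[$p['nonce']] = $now;
    foreach ($seen as $n => $t) {                          // forget nonces that could no longer validate
        if ($now - $t > 2 * HANDOFF_TTL) {
            unset($seen[$n]);
        }
    }
    return $p['user'];
}

// Usage with constructed values.
$secret = 'REPLACE-WITH-A-LONG-RANDOM-SHARED-SECRET';   // placeholder, one per customer
$seen   = [];
$url    = 'https://myproduct.com/sso?' . build_handoff($secret, 'theircompany', 'alice', time());
$query  = parse_url($url, PHP_URL_QUERY);
var_dump(verify_handoff($secret, $query, time(), $seen));           // first use of the token
var_dump(verify_handoff($secret, $query, time(), $seen));           // same URL again: nonce already used
$fresh = [];
var_dump(verify_handoff($secret, $query . 'x', time(), $fresh));    // tampered signature
var_dump(verify_handoff($secret, $query, time() + 3600, $fresh));   // an hour later: expired
```

On success myproduct.com should start its own fresh session for the verified user (regenerating the session id) rather than reusing anything from the URL, and the `client` field lets it look up which customer's secret to verify with, so one leaked secret only affects that customer. Because the token travels in a redirect URL it will land in browser history and server logs, which is why the short lifespan and single-use nonce matter.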
