wyatt
Posted May 1, 2007

greets,

i've been diving through the ldap extension for PHP looking for a way to get the SASL_EXTERNAL method and certificate authentication supported. has anyone else tried this before and i've just missed it or do i need to roll up the sleeves and patch the ldap.c file to support it?

thanks,
wyatt

Link to comment https://forums.phpfreaks.com/topic/49533-php-sasl-binding-using-certificates/

wyatt
Posted May 2, 2007

after considering this some more; i've come to the realization that it cannot be done securely. the primary premise of having certificate based authentication is that you present your public certificate to the server and it returns data that you can decrypt using your private key; however, asking a user to provide their private key to you so that you can create a secure connection to an LDAP server completely violates the basic principle that no one else has your private key;

however, there is a way to do this using machine based certificates found here: http://www.washington.edu/computing/eds/php-ldap-sasl.html

basically, they are forcing environmental variable to exist for apache and then by specifying the use of EXTERNAL, the ldap API knows to request the information from the environment.

I've also attached their example file in case the site goes away (however, extremely doubtful)

[attachment deleted by admin]

wyatt
Posted May 4, 2007

By the way. This code causes glibc corrupted double-linked list errors in PHP 5.2.2 with OpenLDAP 2.3 due to an invalid reference being retrieved; however, PHP.net doesn't seem to feel this is their bug to deal with.
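
Added example, not part of the thread and not the deleted attachment or the washington.edu code: a sketch of the machine-certificate approach the second post describes, where the certificate and key are supplied through OpenLDAP's `LDAPTLS_*` environment variables and the bind uses the SASL EXTERNAL mechanism. The host name and file paths are hypothetical placeholders, and it assumes PHP 7.2 or later built with SASL support.

```php
<?php
// Added example. Host and paths below are hypothetical placeholders.
const LDAP_URI  = 'ldap://ldap.example.org';      // assumed directory server
const CERT_FILE = '/etc/ssl/certs/webapp.pem';    // assumed machine certificate
const KEY_FILE  = '/etc/ssl/private/webapp.key';  // assumed machine private key
const CA_FILE   = '/etc/ssl/certs/ldap-ca.pem';   // assumed CA for the server certificate

function machine_cert_bind(string $uri, string $cert, string $key, string $ca)
{
    // The key identifies the machine, so it must not be readable by group or other.
    $mode = @fileperms($key);
    if ($mode === false || ($mode & 0077) !== 0) {
        throw new RuntimeException("key file missing or too permissive: $key");
    }

    // libldap reads these when it first initialises in the process, so they
    // must be set before connecting (in a long-lived Apache worker, set them
    // in the server environment instead of relying on putenv()).
    putenv("LDAPTLS_CERT=$cert");
    putenv("LDAPTLS_KEY=$key");
    putenv("LDAPTLS_CACERT=$ca");
    putenv('LDAPTLS_REQCERT=demand');   // refuse servers whose certificate fails validation

    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("invalid LDAP URI: $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);  // SASL requires LDAPv3

    // The client certificate is presented during the TLS handshake.
    if (!ldap_start_tls($ds)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }
    // EXTERNAL: no DN and no password; the server derives the identity
    // from the certificate already presented at the TLS layer.
    if (!ldap_sasl_bind($ds, null, null, 'EXTERNAL')) {
        throw new RuntimeException('SASL EXTERNAL bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

if (PHP_SAPI === 'cli') {
    $ds = machine_cert_bind(LDAP_URI, CERT_FILE, KEY_FILE, CA_FILE);
    // "Who am I?" shows which identity the server mapped the certificate to.
    echo 'bound as: ', ldap_exop_whoami($ds), PHP_EOL;
    ldap_unbind($ds);
}
```

Every request served by this code binds as the same machine identity, so the directory ACLs for that identity decide what any user of the application can reach.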