On Thu, 17 Aug 2006 11:54:53 -0500 Ray Hauge <ray.hauge@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

> > [1] You could proxy the user's username and password to ldap_sasl_bind but
> > aside from being a hack it's not SSO and doesn't scale because it requires
> > communication with the DC whereas Kerberos does not. And it's insecure
> > because you have to cache the user's "credentials" in the user's session.
> > LDAP can authenticate with Active Directory just fine:
>
> The question is how secure is it. You can set up LDAP to use SSL, so that
> would make it more secure. Kerberos is more secure than LDAP, and you
> _could_ set it up so that the browser forwards the ticket on to mod_kerb for
> authentication, thus not needing a sign-on other than to the domain. From my
> experiences that isn't exactly easy to set up though.

I didn't say it wouldn't work but people should understand there are numerous
problems with using LDAP bind functions as some kind of make-shift
authentication service.

1) It's insecure. To make it remotely fast enough you would need to store
something in the user's session to prevent excessive communication with AD, in
which case if someone were able to get the user's PHPSESSID, a cookie, or sniff
the session id they could gain access to the site (possibly with the user's
credentials if those are stored in the session). And whatever you do don't use
ldap_bind because those credentials are passed in clear text so a sniffer could
collect passwords. At least use ldap_sasl_bind or do a TLS connection.

2) It's slow. Kerberos does not require communication between the web server
and AD. With LDAP you would need to communicate with AD at least once for every
new session.

Otherwise, yeah it would work.

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
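The two concrete mitigations Mike names for point 1 (bind only after the connection is TLS-protected, and never keep the password in the PHP session) look like this in practice. This is an added example, not code from the thread or from the ioplex project; the LDAP host, the UPN suffix and the `example.invalid` domain are placeholders you would replace with your own values. It also guards against one edge case the thread does not mention: an empty password turns a simple bind into an anonymous (unauthenticated) bind that AD accepts by default, so a naive "did ldap_bind return true" check would let anyone in.

```php
<?php
// Added example (not from the mailing-list thread): authenticate against AD over
// a TLS-protected LDAP connection and store only the identity in the session.
// $ldapHost and $upnSuffix are assumed placeholder values.

function ad_authenticate(
    string $username,
    string $password,
    string $ldapHost = 'ldap://dc.example.invalid',   // placeholder
    string $upnSuffix = '@example.invalid'            // placeholder
): bool {
    // An empty password makes ldap_bind an anonymous bind, which AD allows by
    // default and which would be reported as success. Reject it up front.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect($ldapHost);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Upgrade to TLS *before* any credentials are sent. A plain ldap_bind on an
    // unencrypted connection puts the password on the wire in clear text.
    if (!@ldap_start_tls($conn)) {
        ldap_close($conn);
        return false;
    }

    $ok = @ldap_bind($conn, $username . $upnSuffix, $password);
    ldap_close($conn);
    return $ok;
}

function login(string $username, string $password): bool
{
    if (!ad_authenticate($username, $password)) {
        return false;
    }

    // Limit what a stolen or sniffed PHPSESSID is worth: cookie only over HTTPS
    // and not readable by script, fresh session id after authentication, and
    // nothing in the session except who the user is and when they logged in.
    session_set_cookie_params(0, '/', '', true, true);
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $username;        // identity only, never the password
    $_SESSION['auth_time'] = time();      // lets you expire sessions server-side
    return true;
}
```

Because only the identity is cached, a later request never needs to re-bind with the password; the cost Mike describes (one round trip to AD per new session) is paid exactly once, and a leaked session id does not also leak the directory credentials.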