[pmwiki-users] encrypted $AuthLDAPBindPassword
Patrick R. Michaud
pmichaud at pobox.com
Mon Jun 5 13:36:26 CDT 2006
On Mon, Jun 05, 2006 at 07:19:57PM +0200, Clemens Gruber wrote:
> Hi,
>
> in config.php it is possible to use encrypted passwords like
> $DefaultPasswords['admin'] = '$1$hMMhCdfT$mZSCh.BJOidMRn4SOUUSi1';
>
> I've got a farmconfig.php for using PmWiki as single field / Wiki on
> several virtual servers on our university and due to Apache rights all
> users who can set up a field must have read rights to farmconfig.php.
> Now I'd like to use LDAP authentication and I've got to write
> $AuthLDAPBindPassword as clear text in farmconfig.php, that's no good
> idea. ;-) Is it possible to use something like
>
> $AuthLDAPBindPassword = '$1$hMMhCdfT$mZSCh.BJOidMRn4SOUUSi1'; and
> $AuthLDAPBindPassword = crypt('clear text');

Alas, no. The PHP ldap_bind call that is used to authenticate
requests to the LDAP server requires that the password be in
cleartext. I haven't seen anything in the LDAP protocol that allows
the password to be encoded in other than cleartext. (TLS/SSL can be
used to encrypt the password as it goes across the network, but at the
level of the ldap_bind(3) function, the password is expected to
be available in cleartext.)

So, that means that the password has to be either in cleartext, or
else there has to be a way of storing an encrypted form of the password
such that the cleartext value can be recovered for use in ldap_bind().

But no matter what process we might use to decrypt an encrypted
form of the password, anyone that can view local/config.php and execute
a script on the webserver can duplicate that process, thus encrypting
won't provide any more real security than currently exists with the
cleartext.

Pm
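
An added illustration of the distinction drawn in the reply above (not part of the original message and not PmWiki code): a one-way crypt() hash is enough when the wiki itself compares passwords, but a value handed to ldap_bind() has to be recoverable, and whatever recovers it is equally available to anyone who can read the same file. The function names, the AES scheme and all sample values are assumptions constructed for the example.

```php
<?php
// Added example; every name and value here is hypothetical/constructed.

// Case 1: one-way hash, the $DefaultPasswords situation.
// The wiki only compares a submitted password against the stored hash,
// so the cleartext never has to be stored or recovered.
function check_local_password(string $submitted, string $storedHash): bool {
    return hash_equals($storedHash, crypt($submitted, $storedHash));
}

// Case 2: the LDAP bind password must be presented in cleartext,
// so any protected form has to be reversible with a key PHP can read.
function seal_bind_password(string $clear, string $key): string {
    $iv = random_bytes(16);
    $ct = openssl_encrypt($clear, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

function open_bind_password(string $sealed, string $key): string {
    $raw = base64_decode($sealed);
    return openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key,
                           OPENSSL_RAW_DATA, substr($raw, 0, 16));
}

// Constructed sample values.
$hash = crypt('constructed-admin-pw', '$1$abcdefgh$');
var_dump(check_local_password('constructed-admin-pw', $hash));
var_dump(check_local_password('wrong-guess', $hash));

// The key and the sealed value both have to live where the wiki can read
// them, i.e. in (or reachable from) the shared configuration file.
$key    = hash('sha256', 'constructed-key-kept-in-config', true);
$sealed = seal_bind_password('constructed-bind-pw', $key);

// What the wiki would run just before calling ldap_bind():
$forBind = open_bind_password($sealed, $key);

// The identical call is available to any other script executed by a user
// who can read that file, so the sealed form protects nothing from them.
$sameCall = open_bind_password($sealed, $key);
var_dump($forBind === $sameCall);
```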