I'm working on an authentication integration in PHP 7 to authenticate against an Active Directory server; for that I use basic PHP functions like ldap_connect.
However, this approach doesn't seem very secure to me, as it requires that at some point I have the user's credentials in plain text in order to use the connection.
Is there a more secure way to perform this authentication?
For example, sending just one request directly to the client's server, which then makes the connection to the OpenLDAP/AD server itself?
Our company has a mobile app. Until now we have used LDAP authentication, via PHP code, to log in to the app with the company's Active Directory user and password.
Now they tell me we have to stop using LDAP because there has been some security breach.
My question is: is there an equivalent of ldap_bind for Azure AD?
I've been looking for information, and the answers I found are too complicated and elaborate.
Would it be better to use a Native Azure App linked to our mobile app, or is the PHP approach better?
I don't need to get the Azure AD token and be able to do operations or anything. I just want to check whether the user & password are correct, and that's it.
Any guidance would be appreciated.
You will need to redirect the user to authenticate, e.g. by using the OpenID Connect protocol.
LDAP is not supported in AAD.
The user may, for example, have Multi-Factor Authentication enabled, and thus there is no way to reliably authenticate programmatically.
So the right way is to register a Native app and authenticate from your mobile app using ADAL or MSAL.
I have web services written in PHP which return responses in JSON. I have used these services in one of my iOS apps.
But when I use a web debugging tool like Fiddler, it shows all the data passing to my web services, whether I use the GET or POST method.
How do I secure the communication between the server and the client application? Also, which kind of encryption should be used to secure the data, and where should it be used: on the server side or the client side?
I have seen some methods like SSL/HTTPS connectivity to secure data, but I don't know how to implement that in iOS.
To secure web service data, many people follow the authentication procedures below:
Basic Authentication: authentication with NSURLConnection sendAsynchronousRequest with a completion handler
OAuth 2.0:
https://github.com/nxtbgthng/OAuth2Client
SSL and TLS authentication procedures:
http://www.techrepublic.com/blog/software-engineer/use-https-certificate-handling-to-protect-your-ios-app/
Before you implement this in iOS, your backend developer (in your case the PHP developer) needs to implement it on the backend side and provide the necessary information to you.
If you use HTTPS, all data is encrypted except the URL address. Some diagnostic programs can show the unencrypted communication by setting up a proxy on the device; this and MITM attacks can be averted by pinning the certificate if you are connecting to a known HTTPS server.
I'm in need of using NTLM authentication in my web application against an IMAP mail server. Authentication in the web app itself is NTLM too. Thus, the user opens the web app interface, and the web server end grabs that user's inbox on the mail server, authenticating via NTLM. Is that possible if I never store (and don't have access to) the user's password?
Is there any way to link the client's browser and the IMAP server via my web app so that the token exchange occurs between them and I just act as a gateway between them? Or is there any other method to accomplish this task without knowing the password?
The web app can be asp.net/iis or php/apache. Either option will work for me.
Looks like I had a bad day yesterday; otherwise I have no idea why I couldn't figure it out then, as it's so simple!
If Windows authentication is enabled, the web app already gets the context of the interactive user who accessed the app. I can then authenticate against the NTLM-enabled IMAP server via Integrated Windows Authentication just the same way I would in a desktop application.
I.e. the key point is that there is no need for the web app to somehow pass the NTLM token from the browser to the IMAP server. It's just a two-stage process:
- first, the browser (running as the interactive user) creates an NTLM token via WinAPI functions and sends it to the web app, so that the app finally acquires that interactive user's context
- then, the web app, running under the interactive user's context, creates a new token via the same WinAPI functions and sends it to the IMAP server.
I am new to the whole encryption world, and I wish to build a Mac application that interacts with a PHP application in order to access and manipulate data remotely.
My problem is that I can't just transfer plain data over the internet, as most of the data being transferred can be very private, and the username and password are also passed for authentication of the user.
I would like to know what kind of encryption/decryption methods I need to use so that the data will be transferred safely over the internet.
Shillo.
The easiest thing to use is SSL with HTTPS. This is well supported by just about any system and HTTP library. No additional encryption is typically necessary.
To do this, you simply need to purchase an SSL certificate and install it on your web server. You can generate one on your own for free, but a certificate authenticated by a 3rd party is often preferred.
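The two answers above (the Fiddler question and this one) both come down to "put the API behind HTTPS". What they leave out is the server side of that: a PHP endpoint that still answers on plain HTTP will happily accept the app's credentials in the clear. The following is an added example, not code from any of the posters; it assumes the TLS certificate is already installed on the web server, and the trusted-proxy address is a placeholder. It refuses non-TLS requests outright rather than redirecting, because a redirect only fires after the client has already sent its credentials over HTTP.

```php
<?php
declare(strict_types=1);

// Added example (not from the original posts): bootstrap for a PHP JSON API that
// refuses plaintext HTTP, emits HSTS, and marks its session cookie Secure.
// Requires PHP 7.3+ for the array form of session_set_cookie_params().

// Placeholder: address of a TLS-terminating load balancer you control, if any.
// Only a proxy on this list is believed when it says the client used HTTPS.
const TRUSTED_PROXIES = ['10.0.0.5'];

/** True if this request reached PHP over TLS (directly or via a trusted proxy). */
function requestIsHttps(array $server): bool
{
    // Apache sets HTTPS="on"; nginx+FastCGI typically "on"/"1"; absent or "off" on plain HTTP.
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    // X-Forwarded-Proto is client-controlled unless a proxy you trust overwrites it,
    // so it is honoured only when the immediate peer is one of TRUSTED_PROXIES.
    return ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https'
        && in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
}

/** Response headers for every API reply; returned as an array so callers can inspect them. */
function securityHeaders(): array
{
    return [
        // Browsers (and WebViews) remember to use HTTPS for a year after seeing this.
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        'Content-Type'              => 'application/json; charset=utf-8',
        'Cache-Control'             => 'no-store',   // responses carry private data
        'X-Content-Type-Options'    => 'nosniff',
    ];
}

/** Stop the request with 403 unless it arrived over TLS. No redirect: see lead-in. */
function enforceHttps(array $server): void
{
    if (requestIsHttps($server)) {
        return;
    }
    http_response_code(403);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(['error' => 'TLS required']);
    exit;
}

// --- request bootstrap ---
enforceHttps($_SERVER);
foreach (securityHeaders() as $name => $value) {
    header("$name: $value");
}
session_set_cookie_params([
    'secure'   => true,     // cookie is never sent over plain HTTP
    'httponly' => true,     // not readable from page script
    'samesite' => 'Strict',
]);
session_start();

echo json_encode(['status' => 'ok']);
```

Certificate pinning, as mentioned for the iOS side, is a client-side measure and is independent of this: the server cannot make the app pin, it can only make sure there is nothing useful to intercept on port 80.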
We have a web application, hosted externally. One client now asks for an SSO (single sign-on) solution and suggested an LDAP link with our web application.
Our website uses PHP. We prefer not to use something like a VPN, but we have no experience at all with this stuff. Is it possible to use Windows authentication and somehow automatically log in to our web application?
Any suggestions?
This can be done using NTLM authentication, but tying that to Windows credentials is Internet Explorer-specific behaviour, and NTLM isn't that well supported in all browsers. I would recommend you rather have LDAP authentication over SSL to your AD, and have a regular basic auth box pop up instead.
You then use PHP to bind to LDAP using the credentials supplied to determine whether they're valid or not.
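This answer and the first question on the page describe the same pattern: PHP takes the user's name and password and performs an LDAP bind. The first poster's worry is justified, since the password is necessarily in the PHP process's memory for the bind, so the realistic mitigations are to keep it there as briefly as possible, to send it only over LDAPS, and to avoid the two classic mistakes of LDAP login code: accepting an empty password (the directory treats that as an anonymous or unauthenticated bind and may report success) and splicing unescaped input into a DN or search filter. The following is an added example, not code from either poster; the host, base DN, CA bundle path and service-account DN are placeholders, and the service-account password is read from the LDAP_SVC_PASS environment variable.

```php
<?php
declare(strict_types=1);

// Added example (not from the original posts). Placeholder directory settings;
// replace them with your own. The read-only service account exists only to look up
// the user's DN; the user's own password is used for exactly one bind call.
function ldapConfig(): array
{
    return [
        'uri'      => 'ldaps://ldap.example.internal:636',                 // placeholder; LDAPS, never ldap://
        'base_dn'  => 'DC=example,DC=internal',                             // placeholder
        'svc_dn'   => 'CN=svc-web,OU=Service,DC=example,DC=internal',       // placeholder read-only account
        'svc_pass' => getenv('LDAP_SVC_PASS') ?: '',
        'ca_file'  => '/etc/ssl/certs/internal-ca.pem',                     // placeholder CA bundle
    ];
}

/**
 * Returns true only if $username and $password bind successfully.
 * Flow: service bind -> find the user's DN by sAMAccountName -> bind as that user.
 */
function ldapAuthenticate(string $username, string $password): bool
{
    // An empty password turns the bind into an anonymous/unauthenticated bind, which
    // several directories accept; reject it before talking to the server at all.
    if ($username === '' || trim($password) === '') {
        return false;
    }
    // Keep the account name to a conservative character set as a first filter.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $cfg = ldapConfig();
    if ($cfg['svc_pass'] === '') {
        return false; // misconfiguration: never fall through to an anonymous service bind
    }

    // Global TLS options: require the server certificate to chain to our CA,
    // so a man-in-the-middle with a self-signed certificate cannot capture binds.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $cfg['ca_file']);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect($cfg['uri']);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);      // AD: do not chase referrals with credentials
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    try {
        // 1. Bind as the service account to locate the user.
        if (!@ldap_bind($conn, $cfg['svc_dn'], $cfg['svc_pass'])) {
            return false;
        }
        // 2. Escape the name for filter context: "*", "(", ")", "\" and NUL become \xx sequences,
        //    so input like "admin)(|(objectClass=*" cannot change the query.
        $filter = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                          ldap_escape($username, '', LDAP_ESCAPE_FILTER));
        $result = @ldap_search($conn, $cfg['base_dn'], $filter, ['dn']);
        if ($result === false) {
            return false;
        }
        $entries = ldap_get_entries($conn, $result);
        if (($entries['count'] ?? 0) !== 1) {
            return false; // unknown or ambiguous account: fail closed
        }
        $userDn = $entries[0]['dn'];

        // 3. Bind as the user. Success means the directory accepted this password
        //    (and, for AD, that the account is enabled and not locked out).
        return (bool) @ldap_bind($conn, $userDn, $password);
    } finally {
        ldap_unbind($conn);
    }
}

// Usage from a login handler, e.g. with the basic-auth box the answer suggests:
// $ok = ldapAuthenticate($_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '');
```

If the global `ldap_set_option(null, ...)` calls are not honoured by your build, the same two TLS settings can be placed in the system `ldap.conf` as `TLS_CACERT` and `TLS_REQCERT demand`. Either way, confirm the check works by pointing the URI at a host presenting an untrusted certificate and verifying that the bind fails.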