Securely send password to LDAP server using PHP - php

What I am trying to do is set up a login screen. I collect the user's credentials and verify it using an ldap server before allowing the user to take a quiz.
<?php
session_start();
$user     = $_POST['user'] ?? '';
$domain   = 'DOMAIN';
$password = $_POST['password'] ?? '';
$ldapserver = "ldap.example.server";
$ldapport   = 389;   // plain LDAP port: the simple bind below crosses the wire in cleartext
$ldap = ldap_connect($ldapserver, $ldapport);
// simple bind as user@DOMAIN (the Active Directory userPrincipalName form)
if ($bind = @ldap_bind($ldap, "{$user}@{$domain}", $password)) {
    $_SESSION["user"] = $user;   // store the value, not the literal text '$user'
    header('Location: quiz.php');
} else {
    header('Location: login.html');
}
exit;   // stop the script once the redirect header has been sent
?>
When I use Wireshark to sniff the packets, I can see the username and password clearly. Is there a way to bind to an LDAP server without sending the password in plain text? The site doesn't have HTTPS. The owner does not want to buy an SSL certificate, nor is he interested in a self-signed one.

Does your LDAP server support LDAPS and have a certificate? That would be the easiest way to do this, and your site wouldn't need a certificate. You'd just change your code slightly. Assuming your server uses the default LDAPS port:
$ldapserver = 'ldaps://ldap.example.server';
$ldapport = 636;
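The answer above leaves out certificate verification; without it an interceptor can present its own certificate and still read the bind. The following is an added example (not the answerer's code) that opens the connection over LDAPS, or upgrades port 389 with StartTLS where no LDAPS listener exists, and demands a verifiable server certificate; the host name and CA bundle path are assumed placeholders.

```php
<?php
// Added example: open the LDAP connection inside TLS before any credential is sent.
// $host and $caFile are assumed placeholders, not values from the original post.
function ldap_connect_tls(string $host, string $caFile, bool $useLdaps = true)
{
    // Global TLS settings must be set before ldap_connect(). DEMAND makes libldap
    // reject the session unless the server certificate chains to $caFile and
    // matches the host name.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // LDAPS wraps the whole session in TLS on 636; plain LDAP on 389 is upgraded
    // with StartTLS instead when the server has no LDAPS listener.
    $uri  = $useLdaps ? "ldaps://{$host}:636" : "ldap://{$host}:389";
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if (!$useLdaps && !ldap_start_tls($ldap)) {
        // Never fall back to cleartext: a failed TLS upgrade is a hard error.
        ldap_unbind($ldap);
        return false;
    }
    return $ldap;
}

// Usage with the question's user@DOMAIN bind; the credentials now travel inside TLS.
$ldap = ldap_connect_tls('ldap.example.server', '/etc/ssl/certs/ca-bundle.crt');
if ($ldap === false) {
    http_response_code(503);
    exit('Directory unavailable');
}
$user     = $_POST['user'] ?? '';
$password = $_POST['password'] ?? '';
// An empty password would turn the simple bind into an unauthenticated bind.
$bound = ($user !== '' && $password !== '') && @ldap_bind($ldap, "{$user}@DOMAIN", $password);
```

Setting LDAP_OPT_X_TLS_REQUIRE_CERT to NEVER or ALLOW would "fix" a certificate error by disabling the check, which defeats the purpose of moving to LDAPS.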

Related

Redirection of IP to Minecraft server with PHP

I have a local Minecraft server set up. I decided to get myself my own domain, because IPs aren't really pretty. The problem is that, because the IP address of my router changes every night, I can't just point an A record to my IP address. Instead I need a dynamic DNS provider which allows me the use of my own domain. I could not seem to find one, so I coded it myself with PHP (I have a free web server with a static IP address). Here's the code of the .php file:
<?php
$usernameTest = $_GET["username"] ?? '';
$passTest     = $_GET["pass"] ?? '';
$ipaddr       = $_GET["ipaddr"] ?? '';
$username    = "USERNAME";
$pass        = "*****";
$port        = ":25565";
$serverIPtxt = "serverIP.txt";
if (file_exists($serverIPtxt)) {
    if ($usernameTest === $username) {
        // update path: the router calls this URL with its current address;
        // compare the password in constant time and only store a syntactically valid IP
        if (hash_equals($pass, $passTest) && filter_var($ipaddr, FILTER_VALIDATE_IP)) {
            $a = fopen($serverIPtxt, "w");
            fwrite($a, $ipaddr);
            fclose($a);
            echo $ipaddr;
        }
    } else {
        // redirect path: every other request is sent to the stored address
        $dynIP = trim(file_get_contents($serverIPtxt));
        $url = "http://" . $dynIP . $port;
        header("Location: $url", true);
        die();
    }
}
?>
My router is automatically applying the correct IP address, so in theory I should be able to connect to the Minecraft server with my new domain, but I can't. Instead Minecraft gives me this error:
[13:52:38] [Client thread/INFO]: Connecting to DOMAIN, 25565
[13:52:39] [Server Connector #5/ERROR]: Couldn't connect to server
java.net.ConnectException: Connection refused: no further information: DOMAIN/IPADDRESS:25565
at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method) ~[?:1.8.0_25]
at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:716) ~[?:1.8.0_25]
at io.netty.channel.socket.nio.NioSocketChannel.doFinishConnect(NioSocketChannel.java:208) ~[NioSocketChannel.class:4.0.23.Final]
at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:287) ~[AbstractNioChannel$AbstractNioUnsafe.class:4.0.23.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:528) ~[NioEventLoop.class:4.0.23.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468) ~[NioEventLoop.class:4.0.23.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382) ~[NioEventLoop.class:4.0.23.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354) ~[NioEventLoop.class:4.0.23.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) ~[SingleThreadEventExecutor$2.class:4.0.23.Final]
at java.lang.Thread.run(Thread.java:745) ~[?:1.8.0_25]
What am I doing wrong? Or does Minecraft just not support php redirects?
Minecraft does not use HTTP! It uses its own protocol based on TCP.
The best option, which I have used in the past, is to run a dynamic IP updater client.
Get yourself a No-IP domain name (e.g. myname.ddns.net)
Download the dynamic updater client (available for Windows, Mac or Linux)
Set your custom domain name as a CNAME to point to myname.ddns.net (your NoIP domain name)
Give players your custom domain name (e.g. myname.com). This will refer the client to myname.ddns.net through the CNAME record which will in turn refer to your dynamic IP (e.g. xxx.xxx.xxx.xxx) as an A record.
After this you will be able to connect to your server with your custom domain and the dynamic updater will keep the dynamic IP up to date automatically.

cPanel api2 for MysqlFE authorizehost

I am trying to use the cPanel XML API to add IP addresses to the MySQL remote access host list.
If I use this...
$newdomain = "12.345.45.678";
$myemails = $xmlapi->api2_query($account, "MysqlFE", "authorizehost", array('host'=>$newdomain) );
I can in fact add the IP to the remote host access list. I verified by logging into cPanel and checking.
When I try to access the database remotely, I am blocked, as if I have not whitelisted my IP.
If I log into cPanel, remove the IP address and add it manually (the exact same IP), then test my remote connection, it works.
Am I missing something here?
The xmlapi adds the IP successfully, but I still can't get a remote connection.
If it helps at all, my whitelist already has some IP addresses that were added manually. So, it is not an empty record.
<?php
require_once("xmlapi.php");
$ip      = 'website ip address here';
$account = 'cpanel username here';
$domain  = 'mysite.com';
$passwd  = 'cpanel password here';
$xmlapi = new xmlapi($ip);
$xmlapi->password_auth($account, $passwd);
$xmlapi->set_port(2083);            // cPanel SSL port
$xmlapi->set_output("simplexml");
$newAuthIP = "123.45.67.890";       // sanitized value from a form post
$myemails = $xmlapi->api2_query($account, "MysqlFE", "authorizehost", array('host' => $newAuthIP));
?>

LDAP Authentication in PHP - Authenticated without giving a password

I'm getting strange behavior in my LDAP authentication. I need this to authenticate users with their AD credentials; this is what I have:
session_start();
$adServer = "MY IP";
$ldapconn = ldap_connect($adServer) or die("Could not connect to LDAP server.");
$username = $_POST["username"] ?? '';
$ldaprdn  = "DOMAIN\\" . $username;   // DOMAIN\user form for Active Directory
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $_POST["password"] ?? '');
if ($ldapbind) {
    //$msg = "Successfully Authenticated";
    $_SESSION['loggedin'] = 1;
    $_SESSION['username'] = $username;
    header("Location: ../main.php");
} else {
    header("Location: ../index.php?login_failed=1");
}
exit;
These are the different behaviors I get:
No username / No Password = authenticated (BAD)
Username / No Password = authenticated (BAD)
Incorrect Username/Password (both fields were given) = not authenticated
Correct Username/Password (both fields were given) = authenticated
I find this hard to muster: all users are being validated if the password field is not being used, but if I do use the password field it only authenticates users with the correct credentials.
Am I doing something wrong here or should I start nagging the IT people?
After doing some research, I reached the conclusion that the LDAP server we are using allows anonymous binds.
More info here:
https://issues.jfrog.org/jira/browse/RTFACT-3378
WARNING: An attempt to bind with a blank password always succeeds because the LDAP protocol considers this to be an "anonymous" bind, even though a username is specified. Always check for a blank password before binding.
In order to get around this, I now check the password input field in PHP:
$user_pass = $_POST["password"] ?? '';
if (strlen(trim($user_pass)) == 0) {
    //login failed: an empty password would become an unauthenticated bind
} else {
    $ldaprdn  = "DOMAIN\\" . $_POST["username"];
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $user_pass);
}
An empty password input (or whitespaces) will always return a login fail.
Using the 'simple' BIND authentication method, there are four possibilities:
null DN, null password (anonymous): no authentication takes place, therefore this session and authorization state are not safe
DN, null password (unauthenticated): no authentication takes place, therefore this session and authorization state are not safe
DN and password: authentication takes place and either succeeds or fails
null DN, password: no authentication takes place, therefore this session and authorization state are not safe
The 3rd is the only one in which authentication takes place. Properly configured LDAP directory servers will reject the other 3 possibilities because, contrary to what the question states, authentication does not take place. A method of an API not throwing an exception or returning true does not indicate whether authentication took place. The BIND result contains an integer result code which indicates whether authentication was successful or not.
See also:
LDAP: authentication best practices
LDAP: programming practices
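Putting the blank-password check from the accepted answer together with the four simple-bind cases listed above, the following is an added example (not code from any of the answers) of a bind that only reports success when a DN and a non-empty password were actually verified, and that reads the protocol result code instead of trusting the boolean alone. The server name and domain are assumed placeholders.

```php
<?php
// Added example: authenticate with a simple bind and refuse the three shapes of
// simple bind in which no authentication takes place. Server and domain are
// assumed placeholders, not values from the original question.
function ldap_authenticate($ldap, string $username, string $password, string $domain): bool
{
    // Anonymous (no DN, no password) and unauthenticated (DN, empty password)
    // binds return LDAP_SUCCESS on many servers, so reject them before sending.
    if (trim($username) === '' || trim($password) === '') {
        return false;
    }
    // Control characters, '@' or '\' in the name would change which DN is bound.
    if (preg_match('/[\x00-\x1f@\\\\]/', $username)) {
        return false;
    }
    $bound = @ldap_bind($ldap, "{$username}@{$domain}", $password);
    // Check the result code as well: 0 is LDAP_SUCCESS, 49 is invalidCredentials.
    return $bound === true && ldap_errno($ldap) === 0;
}

// Usage on form input; a missing field becomes '' and is rejected by the guard above.
$ldap = ldap_connect('ldaps://ldap.example.com:636');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
session_start();
if (ldap_authenticate($ldap, $_POST['username'] ?? '', $_POST['password'] ?? '', 'example.com')) {
    session_regenerate_id(true);          // fresh session id once authenticated
    $_SESSION['loggedin'] = 1;
    $_SESSION['username'] = $_POST['username'];
    header('Location: ../main.php');
} else {
    header('Location: ../index.php?login_failed=1');
}
exit;
```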
Before you nag the IT people, check if the value passed in the line
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $_POST["password"]);
is correct. You have probably checked this already, but do a
var_dump($ldaprdn);
var_dump($_POST["password"]);
and see if the data is accurate.
Manually put in the data like
$ldapbind = ldap_bind($ldapconn, "username", "password");
Also check if you have to give the entire DN, such as CN=Username,DC=xxx,DC=com for the username.
Also sometimes you have to give the name such as "User Name", rather than "user.name" because this is how it might be stored.
If all this fails, you can go eat the head of the IT people :-P

LDAP Authenticating user in PHP

I'm building an authentication script from PHP to LDAP. My problem is that I don't really know how to check for the user if the user isn't my admin.
I don't really understand ldap_bind - here I can only login as my admin user, but then I can search for other users in my ou, but I don't know how to check their password.
What I have so far:
function login($up, $pw){
    $ldap = ldap_connect("dejan.local") or die("Could not connect to LDAP server.");
    if ($ldap){
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        //if I try $up and $pw here, I get an error
        if ($bind = ldap_bind($ldap, "Admin", "Somepassword")){
            // escape the user name so it cannot change the meaning of the search filter
            $filter = "(samaccountname=" . ldap_escape($up, '', LDAP_ESCAPE_FILTER) . ")";
            $sr = ldap_search($ldap, "ou=testunit,DC=dejan,DC=local", $filter);
            $info = ldap_get_entries($ldap, $sr);
            //so here I've gotten information from the user $up
            //but I would like to check if his password matches and then get his information
            return $info;
        }
    }
    return false;
}
I've looked at some sort of auth scripts from others and they check the information through ldap_bind, but I can only connect with my admin user.
I believe the only change you need to make is:
if ($bind = ldap_bind($ldap, "$up@dejan.local", $pw)){
Which will make the request local to the specific domain. With Active Directory (which is somewhat different, blame Kerberos), you have to provide a context for login.

Connecting flex/php to Active Directory

Is there a way to connect my flex web application to Active Directory, and get the logged username?
Right now we have a PHP script connected to the flex application, that gets user/pass input from the user and checks if there's such user in the AD, and that the password is correct.
I don't want to ask for user/pass, but to make the application get the domain username that connected to it, so I could use it (check if the user has access to my application and such).
Is there a way to do so?
<?php
// using ldap bind
$ldaprdn  = 'uname';     // ldap rdn or dn
$ldappass = 'password';  // associated password
// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
    or die("Could not connect to LDAP server.");
if ($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
}
?>
When your application is launched, you need to access the LDAP with the Windows login credentials.
The `AUTH_USER` request variable is the one you have to check.
This will hold your Windows login username, and AUTH_USER will be MYDOMAINNAME\user.name
The username/password I need for this, is that admin credentials, or any user on the system?
You can get the username alone, not the password... when the user logs into his Windows machine, we can check his credentials using Environment.username in C# and in PHP we can use AUTH_USER to verify the user logged in is valid.
Plus, do you know where I can find a list of variables (like auth_user) from which I can get information?
http://in3.php.net/manual/en/ref.ldap.php
You can get a lot of information from the above link.
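As an added example (not code from the answers in this thread) of the AUTH_USER approach described above: the value is only meaningful when the web server itself performed Windows authentication, so the script validates its DOMAIN\user.name shape and domain, then looks the account up in AD with a read-only service account rather than asking the browser user for a password. Server, base DN, group name and the service-account environment variable are assumed placeholders.

```php
<?php
// Added example: authorize a browser user from the identity the web server already
// authenticated. All host, DN and account names are assumed placeholders.
function current_windows_user(string $expectedDomain): ?string
{
    // IIS fills AUTH_USER / REMOTE_USER only after Windows authentication; with
    // anonymous access enabled the variables are absent and we must not proceed.
    $raw = $_SERVER['AUTH_USER'] ?? $_SERVER['REMOTE_USER'] ?? '';
    if (!preg_match('/^([A-Za-z0-9.-]+)\\\\([A-Za-z0-9._ -]+)$/', $raw, $m)) {
        return null;                      // not in DOMAIN\user.name form
    }
    if (strcasecmp($m[1], $expectedDomain) !== 0) {
        return null;                      // account from a foreign domain or workgroup
    }
    return $m[2];                         // sAMAccountName
}

function ad_user_groups($ldap, string $baseDn, string $sam): array
{
    // Escape before embedding in the filter so the name cannot widen the search.
    $safe   = ldap_escape($sam, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectClass=user)(sAMAccountName={$safe}))";
    $sr      = ldap_search($ldap, $baseDn, $filter, ['memberOf']);
    $entries = $sr ? ldap_get_entries($ldap, $sr) : ['count' => 0];
    if ($entries['count'] !== 1) {
        return [];                        // unknown or ambiguous account
    }
    $groups = $entries[0]['memberof'] ?? ['count' => 0];   // attribute keys are lowercased
    unset($groups['count']);
    return array_values($groups);
}

// Usage: the service account binds; the browser user never types a password.
$ldap = ldap_connect('ldaps://ldap.example.com:636');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
if (!ldap_bind($ldap, 'svc-quiz@example.com', (string) getenv('SVC_QUIZ_PASSWORD'))) {
    http_response_code(503);
    exit('Directory unavailable');
}
$sam     = current_windows_user('MYDOMAINNAME');
$allowed = $sam !== null && in_array(
    'CN=QuizUsers,OU=Groups,DC=example,DC=com',
    ad_user_groups($ldap, 'DC=example,DC=com', $sam),
    true
);
```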
