We're currently working on an external LDAP authentication for the owncloud sync app and webdav. While I'm able to authenticate with LDAP, I am unsure of how to login to owncloud without knowing the users owncloud password. I've been looking through the source code, but I can't find where login occurs in the LDAP module. We don't want to use the LDAP module that is included in owncloud.
Basically, I want to know if there is a way to retrieve an unencrypted password from the owncloud DB? If the encrypted password in the DB would work for logins? or if there is a way to login a user after LDAP authentication with only a username?
Thanks in advance for the help.
Basically, I want to know if there is a way to retrieve an unencrypted password from the owncloud DB? If the encrypted password in the DB would work for logins?
LDAP user passwords are not stored at all.
I've been looking through the source code, but I can't find where login occurs in the LDAP module.
In ownCloud, the login credentials are passed to the checkPassword method of the registered user backend, which replies with false (not granted) or the username (= granted).
Related
Our company has a mobile app. Until now we used LDAP authentication using PHP code to login on the app using the company's Active Directory user and password.
Now they tell me we have to stop using LDAP because there has been some security breach.
My question is, is there an equivalent of ldap_bind for Azure AD?
I've been looking for information and the answers I found are too complicated and elaborated.
Would be better to use a Native Azure App to link to our mobile App or is the PHP aproach better?
I don't need to get the Azure AD token and be able to do some operations or anything. I just want to check if user & password are correct and that's it.
Any guidance would be apreciated.
You will need to redirect the user to authenticate e.g. by using the OpenId Connect protocol.
LDAP is not supported in AAD.
The user may have e.g. Multi-Factor Authentication enabled and thus there is no way to surely authenticate programmatically.
So the right way is to register a Native app, and authenticate from your mobile app using ADAL or MSAL.
I'm trying to authenticate a username and password with a CAS server using phpCAS but didn't find anything relevant on the internet. Once the user inputs their username and password how do I authenticate it with a CAS server using phpCAS? Also, how do I redirect user to a different .php page? I saw that we can use phpCAS:foreAuthentication() to authenticate users, but I'm trying to understand how a user is authenticated using this. Thanks!
Once the user inputs their username and password how do I authenticate it with a CAS server using phpCAS?
You do not. The CAS server authenticates the credentials, not the phpCAS library.
Also, how do I redirect user to a different .php page?
Redirects are controlled by the initial service parameter that CAS would use, after issuing a ticket. Once you are at that location, you can redirect to anywhere you like.
I'm trying to understand how a user is authenticated using this.
The authentication strategies are defined inside the CAS server, which takes the credentials provided and verify them against relevant account sources. You, as the client, do not need to bother with how that happens; just that it happens and that you are provided a ticket and that you need to validate it; a task that the CAS client library does for you.
I have this web application with LDAP backend, to read and modify some LDAP attributes.
Web application use the SSO (Single Sign-on) to authenticate user.
How can I bind to LDAP, if I only get a user name as an attribute from SSO, withouth asking for password again, because it will make SSO useless?
I use SimpleSAMLphp as identity provider, and python driven web application for LDAP management.
Rather than using the user's credentials to bind to LDAP, get an application account at LDAP that has read permissions for the attributes you need on the users within the directory. Then, when you get the username via SSO, you just query LDAP using your application's ID.
Make sure you make your application ID's password super strong - 64 chars with a yearly change should be good. Better yet, do certificate-based authn.
I am trying to authenticate users against Active Directory with PHP for access to a web page.
ldap_bind works fine for users who are setup with "Logon Workstations" set to "All computers" in Active Directory but not for users who are setup with their computer name in "The following computers" option which only allows them to log on to their own pc.
Is there a way to just authenticate if the users username/password combination are correct and not have it check the computers they can log on to?
If I understand your question correctly, you are trying to allow for manual authentication for users who are not automatically logged in.
I have something similar to this setup on my company's intranet, where if a user is not automatically authenticated they are presented with a login form that submits to a controller that uses the adLDAP library to pass the username and password to the LDAP server for authentication.
So, I'm working with a really old system which uses a person's mysql database credentials to authenticate to a web site (the database was originally only accessed from the command line, but is now accessed from a php frontend). Because of some internal reasons (and to preserve the user's history), I have to leave the old authentication intact. I've been charged with adding openid authentication to this system. Somehow I need to be able to retrieve a users mysql username and password upon logging into the site through openid (using the Zend framework, by the way). I've thought of simply requiring registration at the first login, where the user must provide their mysql credentials, but I'd rather not store the password plain text.
I've also considered blanking everyone's mysql passwords, and just setting the user's mysql username manually (rather than having the user provide this, since they could provide any username).
This is turning into a security nightmare. Does anyone have any suggestions for alternatives?
This is running on a Linux server, by the way. Also, I can't use mysql pluggable authentication because the mysql version is 5.0 (pluggable authentication requires mysql 5.5), and no, I can't update it.
MySQL passwords are hashed, so you will not be able to extract the plaintext password from MySQL. I guess that leaves you with two options, both of which you considered in your question:
The first time the user logs in with OpenID, replace the user's password in MySQL with a new password that is known to your application. Your application uses that password to log into the account of any user who is using OpenID.
Con: A user who uses OpenID cannot go back to using direct MySQL authentication because they don't know their own password anymore. Not even using MySQL command line tools. That implies that users, having once used OpenID, must use OpenID forevermore.
When the user registers to use OpenID, your application momorizes their password.
Con: Your application keeps a list of plaintext passwords
Con: Your application breaks when the user changes their MySQL password by themselves.
Third option:
For each user who uses OpenID, create a second MySQL user for them, which has a generic password. Copy all of the permissions assigned to the normal account to this "shadow" account.
Con: the normal user and shadow user must be kept in sync, so that if some MySQL permissions are added or revoked from one, they should also be added or revoked from the other one at the same time. Forgetting do to this will result in a mess.
Given that you can't sensibly perform openid authentication for the CLI client (even with PAM), I would stringly recommend you do not try to reconcile the openid users with the mysql users - just add a generic user that anyone authenticated via openid can use to connect to the database.