View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0032706||mantisbt||ldap||public||2023-06-07 09:01||2023-07-03 14:48|
|Platform||httpd/2.4.53, php/8.0.27||OS||RedHat Enterprise Linux||OS Version||9.2|
|Summary||0032706: Unable to use user's own username/password for ldap_bind operations|
It appears as though the only two options for ldap_bind operations is to use anonymous bind, or a hard coded binddn/bindpw in config/config_inc.php. I would propose a config file option (something like a Boolean $g_ldap_bind_by_user?) that would, when set to ON/TRUE/1 use the user's supplied username and password for all ldap_bind operations.
|Steps To Reproduce|
Using an LDAP server that doesn't allow anonymous bind, while also not configuring a hard coded binddn/bindpw.
|Tags||No tags attached.|
The request makes sense, but I'm not sure it's feasible considering that LDAP requests do not only occur for authentication (i.e. at login time), but also whenever user information needs to be retrieved from the directory (e.g. email or realname, see ldap_cache_user_data() ).
So, I'm not sure how this could be implemented in a secure manner, as we would somehow need to store the user's password so it can be reused to bind whenever an LDAP query needs to be made...
Unless you have a better idea or suggestions ?
Agreed - I was pondering that too, as I was looking at the code, wondering how you'd get around passing passwords around to every and all functions, and caching it somewhere seems risky as well (as it'd need to be in a reversible "hash" or in clear text). This may not have a good (as in secure) solution. :/
Based on my analysis and your feedback, I'm resolving this as "not fixable".
Feel free to reopen if you come up with an idea that could meet the requirement in a secure manner.
Fair enough - thank you for the consideration!