How to use ldap_bind in PHP using NTLM2?

I’m using LDAP with NTLM to implement SSO ("single logon"), but I’m having a hard time: ldap_bind does not accept the hashed password I receive from the browser.

My class that handles NTLM exposes the following variables:

    $auth = getAuth(); // returns the parsed NTLM message

    //$auth['user'] = $user;
    //$auth['domain'] = $domain;
    //$auth['workstation'] = $workstation;
    //$auth['clientblob'] = $clientblob;
    //$auth['clientblobhash'] = $clientblobhash;

    $con = ldap_connect('meudominio.com');
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
    // This is the bind that fails: clientblob is the NTLM challenge response, not the password
    ldap_bind($con, 'dominio\user', $auth['clientblob']);

Error:

    Warning: ldap_bind() [Function.ldap-bind]: Unable to bind to server: Invalid credentials in...

Note: ldap_bind works only if I use the password string.

  • The password you pass to ldap_bind has to be in plain text. At least in all the places where I implemented this type of authentication, I had to do it in plain text.

  • The password that NTLM sends is not plain text... Is it NTLM that encrypts the password, or does it send the already-encrypted password? I have this question as well. If it is encrypted by NTLM2, how do you decrypt it?

1 answer


Answering your question in the comments first, since it is simpler: NTLM is not an encryption protocol but rather a challenge-response authentication protocol that uses hash functions to "hide" the password before sending it over the wire.

You cannot use LDAP+NTLM in PHP directly via mod_ldap, because it was designed to adhere strictly to the LDAP protocol. Using NTLM over LDAP, as Microsoft does, is an extension of traditional LDAP functionality. Of course it can be implemented, but it requires reverse-engineering the parameters Microsoft uses, since they are not documented.

The Microsoft API responsible for doing this on Windows is ldap_bind_s [1].

One option that doesn’t involve all this effort is to use mod_auth_ntlm_winbind, which implements this type of authentication. It may also be possible with Kerberos via mod_auth_kerb, but I’m not sure. However, if you just want to get the username of the account logged in to the machine that is accessing your site, this link will probably solve your problem.

In any case, I recommend that you do not "trust" the user/domain sent to you by the browser: it is not at all difficult to forge this information, especially if the system is accessed from outside your intranet. Instead, I recommend that you use LDAP + SSL (or TLS), which, despite requiring a username and password, carries the information encrypted and is easy to implement (mod_ldap already supports it). And don’t forget to use HTTPS on your authentication page!
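As an added example (not code from the question or the answer) of the LDAP-over-TLS approach the answer recommends: a plain-password bind over ldaps:// with certificate validation enforced and the search filter value escaped. The host, base DN and UPN suffix are assumed placeholders.

```php
<?php
// Added example: authenticate a user with a plain password over LDAP+TLS,
// instead of passing the browser's NTLM blob to ldap_bind().
// LDAP_HOST, LDAP_BASEDN and UPN_SUFFIX are assumed placeholders.

const LDAP_HOST   = 'ldaps://dc.example.local';   // assumed; your domain controller
const LDAP_BASEDN = 'DC=example,DC=local';        // assumed
const UPN_SUFFIX  = 'example.local';              // assumed

function ldapAuthenticate(string $username, string $password): bool
{
    // Active Directory treats an empty password as an anonymous bind, which
    // would make ldap_bind() "succeed" for any username: reject it explicitly,
    // and only accept usernames made of safe characters.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }

    $con = ldap_connect(LDAP_HOST);
    if ($con === false) {
        return false;
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
    // Fail closed if the server certificate does not validate.
    ldap_set_option($con, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // Bind with the user's own credentials; the password travels inside TLS.
    $ok = @ldap_bind($con, $username . '@' . UPN_SUFFIX, $password);
    if (!$ok) {
        // Log the LDAP error text, never the password.
        error_log('LDAP bind failed for ' . $username . ': ' . ldap_error($con));
        ldap_unbind($con);
        return false;
    }

    // Confirm the bound identity maps to exactly one account, escaping the
    // filter value so a crafted username cannot alter the search.
    $filter = '(sAMAccountName=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $res    = ldap_search($con, LDAP_BASEDN, $filter, ['sAMAccountName']);
    $found  = $res !== false && ldap_count_entries($con, $res) === 1;
    ldap_unbind($con);
    return $found;
}

// Usage: credentials come from your HTTPS login form, not from the NTLM handshake.
// var_dump(ldapAuthenticate($_POST['user'] ?? '', $_POST['pass'] ?? ''));
```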
