[ale] Strategy for using ldapsearch and security

Neal Rhodes neal at mnopltd.com
Wed Jul 15 11:19:14 EDT 2015


So, I'm trying to implement a login running inside Webspeed inside
Apache inside Linux. There are good reasons to do this inside this
application program and not just let Apache do it.

So, what I get from the user is a network user id (let's call him "bob")
and a password.

What I need to know is:

        Does this userid exist (samaccountname=%s), is the password
        provided correct?
        if above is good, is this user memberof a specific group?
        

What I've got working as proof-of-concept is: 

        A. Do a simple bind to LDAP with an admin/service account as a
        DN, and search for this user-id (samaccountname=bob), and get
        back the DN for user "bob".  Using $OpenLDAP: ldapsearch 2.4.39
        
        B. Then do ANOTHER simple bind to LDAP using "bob"'s DN and
        "bob"'s password, and return the memberof attribute. That fails
        if I don't give it the correct password.
        

I don't claim to know LDAP; but isn't this convoluted?  Is there a way
to do this in one shot with the ldapsearch command?  I can do it this
way, but it seems clunky. 


The other topic is security: I was intending to invoke the ldapsearch
from inside the Apache/Webspeed/Progress/ABL application as an
"input-output through", meaning we run this and read/write its
stdin/stdout. Best practices would indicate we'd want to hide the
passwords. We don't want someone doing a 'top' command seeing
passwords. Unfortunately, this does not seem readily possible.

        The openldap ldapsearch has a -W option to prompt for passwd,
        but that appears to not read StdIn, but rather /dev/tty.   So I
        cannot feed it passwords that way. 



        There is a "-f" option, which offers a - flavor to read stdin,
        but I don't see any examples of what the input to -f looks like,
        e.g. can I specify the password there.
        
        There is a -y option to specify a file which contains the
        password.   ok, I could write the file, put it somewhere not
        readable by anybody but Apache, run ldapsearch, and then delete
        the file.    Still, that doesn't smell like best practices to
        me. 
        

So, it seems like either I'm missing something or the use of ldapsearch
for password validation opens up holes and less than best practices.
Yes, I could dork around with calling shared libraries, and then fight
that portability battle between linux and Solaris.   Why is it so hard? 

Neal Rhodes
MNOP Ltd. 
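Added example (editor's, not Neal's code): the two-step flow above as a POSIX shell script, with the one change that matters for the 'top' concern. ldapsearch's -y reads the password from a file path, and /dev/stdin is a file path, so piping the password in and passing -y /dev/stdin keeps it out of argv and off the disk; -y uses the file contents verbatim, so the password is written with printf '%s' and no trailing newline. The user id from the web form is escaped per RFC 4515 before it goes into the filter, and step B is a base-scope search on the user's own DN with a memberOf filter, so the server answers the group question and ldapsearch's exit status 49 (invalidCredentials) separates a wrong password from other errors. The example.com DNs, the host name, SVC_PW and the fake_ldapsearch stand-in (selected with LDAPSEARCH=fake_ldapsearch) are assumptions made so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Two-step ldapsearch login
# check with neither password in argv (visible in ps/top) nor on disk: each
# password is piped on stdin and read by ldapsearch via -y /dev/stdin.
# Assumed: the example.com DNs, LDAP_URI, SVC_PW and the fake_ldapsearch stand-in.
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"
LDAP_URI="${LDAP_URI:-ldaps://dc1.example.com}"      # assumed; ldaps:// or -ZZ so the bind is not cleartext
BASE_DN="${BASE_DN:-DC=example,DC=com}"              # assumed
SVC_DN="${SVC_DN:-CN=svc-webspeed,OU=Service,DC=example,DC=com}"    # assumed
GROUP_DN="${GROUP_DN:-CN=App Users,OU=Groups,DC=example,DC=com}"    # assumed

# Escape a value for an LDAP filter (RFC 4515): the user id comes from a web
# form, so "*" or ")(" must not reach the server unescaped. Backslash first,
# so the other escapes are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Unfold LDIF: ldapsearch wraps long values and continues them on a line
# beginning with one space.
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" } { printf "%s", $0 } END { printf "\n" }'
}

# Print the entry DN from LDIF on stdin. ldapsearch emits "dn:: <base64>" when
# the DN has non-ASCII or leading/trailing spaces (base64 -d is GNU coreutils).
ldif_get_dn() {
    ldif_unfold | awk '/^dn:: / { cmd = "base64 -d"; print substr($0, 6) | cmd; close(cmd); exit }
                       /^dn: /  { print substr($0, 5); exit }'
}

# Step A: bind as the service account (password on stdin, no trailing newline,
# because -y takes the file contents verbatim) and resolve the user's DN.
# "1.1" requests no attributes, so only the dn comes back.
lookup_user_dn() {   # usage: printf '%s' "$svc_pw" | lookup_user_dn bob
    filter="(&(objectClass=user)(sAMAccountName=$(ldap_filter_escape "$1")))"
    "$LDAPSEARCH" -LLL -x -H "$LDAP_URI" -D "$SVC_DN" -y /dev/stdin \
        -b "$BASE_DN" -s sub "$filter" 1.1 2>/dev/null | ldif_get_dn
}

# Step B: bind as the user (password on stdin); a base-scope search on the
# user's own DN with a memberOf filter returns the entry only if the password
# is right AND the user is a direct member. Returns 0 = OK, 1 = bad password
# (ldapsearch exit 49), 2 = other LDAP/transport error, 3 = not in the group.
check_user_in_group() {   # usage: printf '%s' "$user_pw" | check_user_in_group "$user_dn" "$group_dn"
    filter="(memberOf=$(ldap_filter_escape "$2"))"
    out=$("$LDAPSEARCH" -LLL -x -H "$LDAP_URI" -D "$1" -y /dev/stdin \
        -b "$1" -s base "$filter" 1.1 2>/dev/null) && rc=0 || rc=$?
    case $rc in
        0)  [ -n "$(printf '%s\n' "$out" | ldif_get_dn)" ] && return 0 || return 3 ;;
        49) return 1 ;;
        *)  return 2 ;;
    esac
}

# End to end. Shell function arguments, unlike the argv of an exec'd program,
# do not show up in ps/top. SVC_PW is assumed to be loaded by the application
# from a 0600 file owned by the Apache user.
login_check() {   # usage: login_check "$user_id" "$user_pw"
    user_dn=$(printf '%s' "$SVC_PW" | lookup_user_dn "$1")
    [ -n "$user_dn" ] || return 1
    printf '%s' "$2" | check_user_in_group "$user_dn" "$GROUP_DN"
}

# Constructed stand-in for ldapsearch so the flow runs offline: a directory
# holding the service account and one user, Bob, who is in "App Users".
fake_ldapsearch() {
    pw=$(cat)                                  # what -y /dev/stdin would read
    bind_dn=""; filter=""
    while [ $# -gt 0 ]; do
        case $1 in -D) bind_dn=$2; shift ;; \(*) filter=$1 ;; esac
        shift
    done
    case "$bind_dn|$pw" in
        "CN=svc-webspeed,OU=Service,DC=example,DC=com|Svc-Secret-1") ;;
        "CN=Bob Jones,OU=Users,DC=example,DC=com|correct horse") ;;
        *) echo "ldap_bind: Invalid credentials (49)" >&2; return 49 ;;
    esac
    case $filter in
        *"(sAMAccountName=bob))")
            printf 'dn: CN=Bob Jones,OU=Users,DC=example,DC=com\n\n' ;;
        "(memberOf=CN=App Users,OU=Groups,DC=example,DC=com)")
            [ "$bind_dn" = "CN=Bob Jones,OU=Users,DC=example,DC=com" ] && printf 'dn: %s\n\n' "$bind_dn" ;;
    esac
    return 0
}
```

Two caveats. memberOf lists direct membership only, and step B assumes the user may read its own memberOf, which is the Active Directory default; for nested groups the usual answer is AD's LDAP_MATCHING_RULE_IN_CHAIN filter, memberOf:1.2.840.113556.1.4.1941:=<group DN>, in place of the plain memberOf filter. And against Active Directory specifically, step A can be dropped: AD accepts user@domain.tld (the userPrincipalName form) as the simple-bind name, so the user can be bound directly and the DN is only needed if the application wants it.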