This is (more or less) how I do it (note the ob_md5 proc which I
wrote to be able to check FreeBSD's MD5 passwords from LDAP). I
guess if you don't use encryption you can just stuff whatever the
LDAP server gives you for userPassword into the db.
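proc_doc -public ldap_auth_user { email password } {
    Returns 1 if the password field matches the password stored
    in the ldap directory and 0 otherwise.

    Only the crypt userPassword scheme is supported, either as
    FreeBSD's MD5 form ($1$salt$hash, checked with ob_md5) or as
    traditional two-character-salt crypt (checked with ns_crypt).
    Any other scheme is logged and rejected.

    @param email is the users email address; it is escaped before
    being placed in the search filter, so only a literal match
    on the mail attribute is possible
    @param password is the users password
    @return 1 when exactly one entry matches and its password
    verifies, 0 in every other case
} {
    # Escape the RFC 4515 filter metacharacters in the caller-supplied
    # address.  Without this a value like "*" would turn the filter into a
    # wildcard and "a)(objectClass=*" could rewrite it entirely.
    set safe_email [string map [list \\ \\5c * \\2a ( \\28 ) \\29 \x00 \\00] $email]

    set lh [ns_ldap gethandle ldap]
    # release the handle whether or not the search succeeds, otherwise a
    # directory error leaks it
    if {[catch {
        ns_ldap search $lh -scope subtree "o=Universidad Galileo" "(mail=$safe_email)" userpassword
    } result]} {
        ns_ldap releasehandle $lh
        ns_log Error "ldap-api: ldap search failed: $result"
        return 0
    }
    # we don't need an ldap handle anymore
    ns_ldap releasehandle $lh

    if {[llength $result] != 1} {
        # zero or several entries carry this address, so there is no
        # single account we can authenticate against
        return 0
    }
    array set ra [lindex $result 0]
    if {![info exists ra(userpassword)]} {
        # no userpassword attribute so return false
        return 0
    }

    # now it's safe to do this
    set crypt_password [lindex $ra(userpassword) 0]
    # the stored value must look like {scheme}data; anything else is
    # rejected rather than compared, since the scheme tells us how to hash
    if {![regexp {^\{(.*)\}(.*)$} $crypt_password foo cypher ldap_password]} {
        ns_log Notice "ldap-api: userpassword has no {scheme} prefix"
        return 0
    }
    # directories commonly store the scheme as {CRYPT}, so compare
    # case-insensitively
    if {![string equal -nocase $cypher "crypt"]} {
        # unknown cypher (I only support crypt) so log it
        ns_log Notice "ldap-api: unknown cypher $cypher"
        return 0
    }

    # FreeBSD's MD5 crypt looks like $1$salt$hash.  The pattern is in
    # braces so "$1" is a literal; in double quotes Tcl would try to read
    # a variable named "1" and the proc would error instead of checking.
    if {[regexp {^\$1\$([^$]*)\$(.*)$} $ldap_password foo salt hash]} {
        # ob_md5 returns the full $1$salt$hash string for comparison
        set computed [ob_md5 $password $salt]
    } else {
        # if it doesn't look like FreeBSD's MD5 stuff it should
        # be standard crypt; the salt is in the first two letters
        set computed [ns_crypt $password [string range $ldap_password 0 1]]
    }

    if {[string compare $ldap_password $computed] == 0} {
        # we have a winner
        return 1
    }
    # the passwords don't match
    return 0
}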