Week 40 2014

Week 40 was the week for finishing the big functional part and starting to fix bugs. On Monday we started to connect the LDAP user directory and worked on the customized GUI. We also reset the database and worked on different settings on the server.

Tuesday was the big LDAP try. Mr Marfurt spent a couple of hours with our team to find a way to make LDAP work with our PHP file. The task was to connect and bind with the server and compare the credentials. LDAP is capable of handling far more than just authentication. We could also manage all the accounts through PHP, but that would defeat the purpose of our website. In the end, we were not very convinced by our result, but we are able to confirm the credentials. So the login works... In week 39 we assumed we had a big database error and thought we should reset the server. There was always this Internal Error 500 somewhere in our PHP script. It actually worked on our own private server, but not on the Swisscom labs server. After a couple of tries and some debugging, we figured out that an extension on apache2 was missing. By adding a simple extension:curl... in a php.ini file we could fix that. It took us hours and courage to just try to edit the server's ini files.

On Wednesday we headed up to Menlo Park. In a meeting with our project manager and MAK, we made sure that we are not missing the objectives. Most functionalities already worked. The next steps are the documentation, session handling and security issues. So in the afternoon we finished the login and the customized GUI, and some of us worked on a more secure way to transfer the password. The JS file read the password from the browser and sent it in clear text to the PHP file. The PHP file then logged in at the LDAP server. First we set the LDAP server to accept encrypted passwords, then we had to compare the different methods that JS and PHP offer with the encrypted password format actually needed on the LDAP server. With support from MAK, we finally succeeded.

That's how it works now:

JS reads the password -> method: SHA1 and Base64 encoded (offered by CryptoJS)

PHP gets the b64-sha1 key and asks the LDAP server for the key of the entered user. Then PHP compares the two b64-sha1 keys and sends a stateArray (JSON file) to the JS file.

LDAP provides a kind of result set, in which you can find all the information about the current user etc...

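$res = @ldap_search($ldapconn, $ldapdc, $ldapcn);
$entries = ldap_get_entries($ldapconn, $res);
// Compare the stored value with the b64-sha1 key sent by the JS file
if ($entries[0]['userpassword'][0] === $ldappass) {
    // ... credentials confirmed
}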

And here is the JS code to encrypt the password:

var sha1 = CryptoJS.enc.Base64.stringify(CryptoJS.SHA1(password));

(image: shows the LDAP server user interface, logged in as a Manager, on the right side you can see the options that a password can be saved)
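An added example, not code from this project: the login flow described above, modelled in Node.js with constructed sample values, showing that the Base64 SHA1 value the browser sends is the same unsalted value the directory stores, so the server is checking the hash rather than the password. Next to it is a salted scrypt check that assumes the password itself is sent over TLS; all function names are hypothetical.

```javascript
// Added example (Node.js, built-in crypto only). Names and sample values are constructed.
const nodeCrypto = require('crypto');

// What the page's browser code computes: Base64(SHA1(password)).
function clientHash(password) {
  return nodeCrypto.createHash('sha1').update(password, 'utf8').digest('base64');
}

// Model of the page's PHP check: compare the received value with the stored one.
// timingSafeEqual is used so the comparison time does not depend on the data.
function legacyVerify(storedB64, receivedB64) {
  const a = Buffer.from(storedB64), b = Buffer.from(receivedB64);
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Hardened form (assumption: the password arrives over TLS): per-user salt + scrypt.
function enroll(password) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, key: nodeCrypto.scryptSync(password, salt, 32) };
}

function hardenedVerify(record, password) {
  const key = nodeCrypto.scryptSync(password, record.salt, 32);
  return nodeCrypto.timingSafeEqual(key, record.key);
}

function demo() {
  const password = 'correct horse';        // constructed sample password
  const stored = clientHash(password);     // value the directory would hold
  const onTheWire = clientHash(password);  // value the browser sends
  const record = enroll(password);
  return {
    // The transmitted value is byte-for-byte the stored value: it is the credential.
    wireEqualsStored: onTheWire === stored,
    // The legacy check passes for anyone holding the stored value, password unknown.
    storedValueAloneAuthenticates: legacyVerify(stored, stored),
    // Unsalted: equal passwords always produce equal directory entries.
    unsalted: clientHash('correct horse') === stored,
    hardenedAcceptsPassword: hardenedVerify(record, password),
    // The stored legacy hash is useless as input to the hardened check.
    hardenedRejectsStoredValue: hardenedVerify(record, stored),
    // A second enrollment of the same password yields a different record.
    saltedRecordsDiffer: !enroll(password).key.equals(record.key),
  };
}

console.log(demo());
```
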

Since week 40 we always work with an additional screen that shows the error.log directly from the Ubuntu server (command: sudo tail -f /var/log/apache2/error.log). This is like our to-do list when we work, because it shows where the bugs are in the PHP files.

(image: shows the error.log for finding the php bugs)

Other skills gained in week 40 were the command prompt with Ubuntu (we actually only work through the command prompt, even to update our database) and handling LDAP.