When a client connects to an LDAP directory server, the connection authorization state is set to anonymous. LDAP clients use the BIND request to change the authorization state of a connection. Each BIND request changes the connection authorization state to anonymous, and each successful BIND request changes the authorization state of the connection to the authorization state associated with the successful BIND request, that is, that of the user. Failed BIND requests leave the connection in an anonymous state.
The client constructs a BindRequest (either a simple BIND request or a form of SASL bind request), transmits it to the LDAP directory server and interprets the response from the server, including any response controls that might accompany the BIND response. A result code of zero in the BIND response indicates that the LDAP directory server matched the credentials and the user is authenticated.
If the distinguished name of the user is known, then a BIND request can be constructed from the distinguished name. If it is not known, the LDAP client must construct a search request, transmit it to the server and interpret the response. The distinguished name is always included in a successful search response that returns at least one entry. Then use the distinguished name returned in the search response to construct the BIND request as above.
In the simplest case:
import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;

// exception handling is not shown; bind() throws LDAPException on a non-success result
final String dn = ....;
final byte[] password = ....;
final BindRequest bindRequest = new SimpleBindRequest(dn, password);
final LDAPConnection ldapConnection = new LDAPConnection(hostname, port);
final BindResult bindResult = ldapConnection.bind(bindRequest);
final ResultCode resultCode = bindResult.getResultCode();
if (resultCode.equals(ResultCode.SUCCESS))
{
    // user is authenticated; the connection's authorization state is now that of dn
}
ldapConnection.close();
If you are using Java, you should use the UnboundID LDAP SDK (JNDI should not be used for new code).
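The search-then-bind flow described above, written as an added example with the UnboundID LDAP SDK (this is not code from the original post). It assumes a service account (serviceDn/servicePassword) that is allowed to search under baseDn, that users are identified by the uid attribute, and that hostname/port point at the directory; all of those names are assumptions for this example.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;

public final class SearchThenBind {

    // Returns true only if exactly one entry matches the uid and a simple BIND
    // with that entry's DN and the supplied password succeeds.
    // hostname, port, baseDn, serviceDn and servicePassword are assumed inputs.
    static boolean authenticate(String hostname, int port, String baseDn,
                                String serviceDn, byte[] servicePassword,
                                String uid, byte[] password) throws LDAPException {
        // An empty password is an unauthenticated simple bind (RFC 4513 5.1.2),
        // which many servers accept as anonymous. Reject it before contacting the server.
        if (password == null || password.length == 0) {
            return false;
        }
        LDAPConnection conn = new LDAPConnection(hostname, port);
        try {
            // The new connection is anonymous; bind the service account to search.
            conn.bind(new SimpleBindRequest(serviceDn, servicePassword));

            // createEqualityFilter escapes uid, so user input cannot reshape the filter.
            Filter filter = Filter.createEqualityFilter("uid", uid);
            // "1.1" requests no attributes; only the DN of the matching entry is needed.
            SearchRequest searchRequest = new SearchRequest(baseDn, SearchScope.SUB, filter, "1.1");
            SearchResult searchResult = conn.search(searchRequest);

            // Exactly one match is required: zero is an unknown user, more than one is ambiguous.
            if (searchResult.getEntryCount() != 1) {
                return false;
            }
            String dn = searchResult.getSearchEntries().get(0).getDN();

            // bind() throws LDAPException (e.g. INVALID_CREDENTIALS) on a non-success result.
            BindResult bindResult = conn.bind(new SimpleBindRequest(dn, password));
            return bindResult.getResultCode().equals(ResultCode.SUCCESS);
        } catch (LDAPException e) {
            if (e.getResultCode().equals(ResultCode.INVALID_CREDENTIALS)) {
                return false;   // wrong password or locked account: not authenticated
            }
            throw e;            // connectivity or server errors propagate to the caller
        } finally {
            conn.close();       // the connection's authorization state is discarded with it
        }
    }
}
```

After a successful user bind the connection carries the user's authorization state, so it should not be reused for service-account operations without binding again.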
see also