0
votes

I am new to the LDAP API. I am able to connect to an LDAP server and search for the user. How would I authenticate a user with username/password using the LDAP API? I don't see any authenticate method on DirContext.
To authenticate a user, do I have to:

  1. Pass user's password as SECURITY_CREDENTIALS
  2. Make the LDAP connection
  3. Search for the given username

Does this mean authentication in LDAP?

Is this LDAP server a Windows domain controller? - Vikdor
Not sure, as it is the client's AD. Does it matter? - Himanshu Yadav
I doubt Windows AD will be configured for simple authentication based on user/password. It would mostly be configured to talk NTLMv1 or NTLMv2 (since Windows 2007) or SPNEGO in corporate/production environments. - Vikdor
Let's say it is configured for authentication. - Himanshu Yadav

2 Answers

3
votes

When a client connects to an LDAP directory server, the connection authorization state is set to anonymous. LDAP clients use the BIND request to change the authorization state of a connection. Each BIND request changes the connection authorization state to anonymous, and each successful BIND request changes the authorization state of the connection to the authorization state associated with the successful BIND request, that is, that of the user. Failed BIND requests leave the connection in an anonymous state.

The client constructs a BindRequest (either a simple BIND request or a form of SASL bind request), transmits it to the LDAP directory server and interprets the response from the server, including any response controls that might accompany the BIND response. A result code of zero in the BIND response indicates that the LDAP directory server matched the credentials and the user is authenticated.

If the distinguished name of the user is known, then a BIND request can be constructed from the distinguished name. If it is not known, the LDAP client must construct a search request, transmit it to the server and interpret the response. The distinguished name is always included in a successful search response that returns at least one entry. Then use the distinguished name returned in the search response to construct the BIND request as above.

In the simplest case:

// Requires the UnboundID LDAP SDK (package com.unboundid.ldap.sdk); exception handling is not shown.
// Note: LDAPConnection.bind() throws LDAPException when the server rejects the credentials,
// so the SUCCESS check below is only reached when the bind actually succeeded.
import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;

final String dn = ....;        // the user's distinguished name (obtained from a search if not known)
final byte[] password = ....;  // the user's password; an empty password would be an unauthenticated
                               // (anonymous) bind per RFC 4513, not proof of the user's identity
final BindRequest bindRequest = new SimpleBindRequest(dn, password);
final LDAPConnection ldapConnection = new LDAPConnection(hostname, port);
final BindResult bindResult = ldapConnection.bind(bindRequest);
final ResultCode resultCode = bindResult.getResultCode();
if (resultCode.equals(ResultCode.SUCCESS))
{
    // user is authenticated
}
ldapConnection.close();

If you are using Java, you should use the UnboundID LDAP SDK (JNDI should not be used for new code).

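As an added illustration of the search-then-bind flow this answer describes (not code from the answer or from the UnboundID project), the following uses the UnboundID LDAP SDK's InMemoryDirectoryServer so it runs offline; the base DN, user entry, password and the authenticate() helper are constructed for the demo. It also rejects an empty password before binding, because an empty-password simple bind is an unauthenticated (anonymous) bind and must not be treated as a successful login.

```java
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.sdk.*;

public class LdapSearchThenBind {

    /** True only if a non-empty password binds successfully as the single entry matching uid. */
    public static boolean authenticate(String host, int port, String baseDn,
                                       String uid, String password) throws LDAPException {
        // RFC 4513 5.1.2: empty password = unauthenticated bind. Never send it to the server.
        if (password == null || password.isEmpty()) {
            return false;
        }
        try (LDAPConnection conn = new LDAPConnection(host, port)) {
            // Step 1: find the DN. Filter.createEqualityFilter escapes the value, so a
            // user-supplied uid cannot change the filter's structure. "1.1" = return no attributes.
            SearchResult result = conn.search(baseDn, SearchScope.SUB,
                    Filter.createEqualityFilter("uid", uid), "1.1");
            if (result.getEntryCount() != 1) {
                return false;   // unknown or ambiguous user: fail closed
            }
            String dn = result.getSearchEntries().get(0).getDN();
            // Step 2: simple bind as that DN. The SDK throws LDAPException on any non-SUCCESS
            // result (e.g. invalidCredentials), which we map to "not authenticated".
            try {
                BindResult bind = conn.bind(new SimpleBindRequest(dn, password));
                return bind.getResultCode().equals(ResultCode.SUCCESS);
            } catch (LDAPException e) {
                return false;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory directory for the demo; no real server is contacted.
        InMemoryDirectoryServerConfig cfg = new InMemoryDirectoryServerConfig("dc=example,dc=com");
        InMemoryDirectoryServer ds = new InMemoryDirectoryServer(cfg);
        ds.add("dn: dc=example,dc=com", "objectClass: top", "objectClass: domain", "dc: example");
        ds.add("dn: uid=alice,dc=example,dc=com", "objectClass: top", "objectClass: person",
               "objectClass: organizationalPerson", "objectClass: inetOrgPerson",
               "uid: alice", "cn: Alice", "sn: Example", "userPassword: s3cret");
        ds.startListening();
        int port = ds.getListenPort();
        String base = "dc=example,dc=com";
        System.out.println(authenticate("localhost", port, base, "alice", "s3cret")); // true
        System.out.println(authenticate("localhost", port, base, "alice", "wrong"));  // false
        System.out.println(authenticate("localhost", port, base, "alice", ""));       // false
        ds.shutDown(true);
    }
}
```

In production the search step should run under a dedicated read-only service account rather than anonymously, and the connection should use LDAPS or StartTLS so the password is not sent in the clear.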

2
votes

You can try JAAS. There is com.sun.security.auth.module.LdapLoginModule in the JDK for this purpose. I tried it and it works nicely.