A client asked us if we support LDAP authentication for a Single-Sign-On (SSO). I Googled around and learnt a bit about LDAP.

However, I don't understand whether I should run the bind operation with some credentials that will be given to me as the app and then look for the user that tried to log in, or whether I should call bind with the credentials the user attempts to log in with through our app and, as long as the credentials are valid, consider that the user is logged in.

Thank you.

1 Answer

It's done in three steps:

  1. Bind as an administrative user that has enough permission to search the directory.
  2. Search the directory for the user. This is necessary because the user won't be providing his entire DN: he will be providing something else unique about himself such as his email address, a 'screen name'/moniker/alias, etc.
  3. Bind as that user using the password credential supplied.

If any of these steps fails, including (2), it's a login failure, and note that you don't tell the user which step failed: you don't tell him 'no such user' or 'invalid password'. You just tell him 'invalid credentials' or similar for both. Otherwise you're leaking information to an attacker.
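The three steps as working code, added here as an illustration and not part of the answer above. The directory server is a constructed in-memory stand-in (`FakeDirectory`) that imitates only the two operations the answer relies on, `bind()` and `search()`; the DNs, attribute names and passwords in it are made up. With a real client library (for example ldap3's `Connection.bind()` and `Connection.search()`) the three calls inside `ldap_login` map one-to-one. The identifier the user types is escaped per RFC 4515 before it is placed in the search filter, so that filter metacharacters in it are matched literally, and every failure path raises the same `InvalidCredentials` so the caller can only ever report "invalid credentials".

```python
"""Three-step LDAP login: service bind, search for the user, bind as the user.

Added example against a constructed in-memory directory; not code from the
original post. Swap FakeDirectory for a real LDAP client to use it for real.
"""
import re


class InvalidCredentials(Exception):
    """Raised for every failure path, so 'no such user' and 'wrong password'
    are indistinguishable to the caller (and therefore to an attacker)."""


class FakeDirectory:
    """Constructed stand-in for an LDAP server holding entries keyed by DN."""

    def __init__(self, entries, passwords):
        self.entries = entries      # dn -> {attribute: value}
        self.passwords = passwords  # dn -> password (cleartext in the toy only)

    def bind(self, dn, password):
        # Real servers treat an empty password as an anonymous bind; a login
        # flow must count that as failure, not as proof of identity.
        if not password:
            return False
        return self.passwords.get(dn) == password

    def search(self, base_dn, ldap_filter):
        # Supports only the single equality filter "(attr=value)" this example
        # builds; \XX escapes in the value are decoded, as a real server would.
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter")
        attr, raw = m.groups()
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda h: chr(int(h.group(1), 16)), raw)
        return [dn for dn, entry in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and entry.get(attr) == value]


def escape_filter_value(value):
    """RFC 4515 escaping for user-supplied text placed inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def ldap_login(directory, service_dn, service_password, base_dn,
               attribute, identifier, password):
    """Return the user's DN on success; raise InvalidCredentials otherwise."""
    # Step 1: bind as the service account that may search the directory.
    # (A failure here is a deployment problem worth logging server-side,
    # but the user still only sees 'invalid credentials'.)
    if not directory.bind(service_dn, service_password):
        raise InvalidCredentials("invalid credentials")

    # Step 2: resolve what the user typed (mail, alias, ...) to exactly one DN.
    ldap_filter = f"({attribute}={escape_filter_value(identifier)})"
    matches = directory.search(base_dn, ldap_filter)
    if len(matches) != 1:
        raise InvalidCredentials("invalid credentials")
    user_dn = matches[0]

    # Step 3: bind as that user with the password the user supplied.
    if not directory.bind(user_dn, password):
        raise InvalidCredentials("invalid credentials")
    return user_dn


# Constructed sample data (hypothetical DNs and passwords).
SERVICE_DN = "cn=svc-auth,ou=services,dc=example,dc=com"
SERVICE_PASSWORD = "svc-secret"
PEOPLE_BASE = "ou=people,dc=example,dc=com"
DIRECTORY = FakeDirectory(
    entries={
        SERVICE_DN: {"cn": "svc-auth"},
        "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "mail": "alice@example.com"},
        "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "mail": "bob@example.com"},
    },
    passwords={
        SERVICE_DN: SERVICE_PASSWORD,
        "uid=alice,ou=people,dc=example,dc=com": "alice-pw",
        "uid=bob,ou=people,dc=example,dc=com": "bob-pw",
    },
)


def login_message(directory, identifier, password):
    """What the application shows the user: one fixed text for every failure."""
    try:
        dn = ldap_login(directory, SERVICE_DN, SERVICE_PASSWORD, PEOPLE_BASE,
                        "mail", identifier, password)
        return f"welcome {dn}"
    except InvalidCredentials:
        return "invalid credentials"


if __name__ == "__main__":
    print(login_message(DIRECTORY, "alice@example.com", "alice-pw"))
    print(login_message(DIRECTORY, "alice@example.com", "wrong"))
    print(login_message(DIRECTORY, "nobody@example.com", "alice-pw"))
    print(login_message(DIRECTORY, "*", "alice-pw"))
```

The `*` case shows why step 2 escapes its input: without escaping, `(mail=*)` would match every entry, the `len(matches) != 1` check would reject it anyway, but a more specific crafted filter could steer the lookup to a different entry; with escaping the typed text is only ever compared literally. The empty-password case shows why step 3 must not accept an empty bind as success.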