Re: How do I bind to LDAP with a username/password



laredotornado wrote:

On Mar 11, 4:18 am, Nigel Wade <n...@xxxxxxxxxxxx> wrote:
laredotornado wrote:
Hi,

I'm using Java 1.5.  Does anyone know how I can bind to an LDAP server
with a username and password?  Note that this is different from
authenticating against an LDAP server with a username and password.

Authentication against LDAP normally works by attempting to bind with the
supplied credentials. Failure to bind indicates a failure to authenticate.

The only other way to do it would be to bind with some master credentials which
had full read access (including passwords), perform a search for the
SECURITY_PRINCIPAL, fetch the encrypted password for that DN and compare it to
the SECURITY_CREDENTIALS (after suitable encryption of said
SECURITY_CREDENTIALS).

That I can set up like so ...

      import java.util.Hashtable;
      import javax.naming.Context;
      import javax.naming.ldap.InitialLdapContext;
      ...
      // JNDI environment: the bind identity goes in SECURITY_PRINCIPAL,
      // the password in SECURITY_CREDENTIALS
      Hashtable<String, String> env = new Hashtable<String, String>(5, 0.75f);
      ...
      env.put(Context.SECURITY_PRINCIPAL, name + "@" + this.domain);
      env.put(Context.SECURITY_CREDENTIALS, pass);
      ...
      // the bind is performed when the context is created; a rejected
      // password surfaces here as a NamingException
      InitialLdapContext context = new InitialLdapContext(env, null);

I was looking at ways of writing the LDAP connect string
(http://www.rlmueller.net/LDAP_Binding.htm), and there seems to be a place for
the bind username ("cn") but I can't see where the password would go.

and this does the former method, i.e. binding as SECURITY_PRINCIPAL to test
authentication.



Any help is appreciated, - Dave

I think you've already helped yourself, you just don't realize it...

What operation are you wanting to perform on the directory after you've bound
to it?

P.S. Beware the very confusing terminology in JNDI where "bind" means "add",
rather than in LDAP where it means "connect". When you "bind" with JNDI you are
adding an entry into the directory.

--
Nigel Wade

I'm so new to this I'm still not seeing the answer in your reply.
Often you connect anonymously to LDAP and then run a query passing in
different username/passwords to see if they authenticate.

I've never come across that method, and I don't see how it could work.

You can bind anonymously and run queries on the contents/attributes of entries
in the directory, but you will have limited success depending on the security
in the directory server, and what attributes are visible to anonymous binds.
You can attempt to bind with some given credentials, and you will either
succeed or fail depending on whether the credentials are valid. You can bind
with the master credentials and then run a query which ought to succeed.

In this case I want to connect with master credentials and then run queries
authenticating others using the

env.put(Context.SECURITY_PRINCIPAL, name+"@" + this.domain);
env.put(Context.SECURITY_CREDENTIALS, pass);

syntax.

It's not at all clear to me what you are wanting to achieve. If you want to know
if some credentials will authenticate you attempt to bind with those
credentials. There is no query that I know of which you can run to test
authentication. AFAIK that just isn't part of the LDAP protocol.

But how do I connect as the master credentials?

You supply the DN of that entry, and the password. To test the authenticity of
other credentials you do exactly the same. The only reason you might want to
bind first with some other credentials is because you only have the uid, or
some other part of the identity, rather than the DN. So you'd bind with
credentials which had search access to the attributes you need, and with read
access to the DN.

For example if the user entry you want has a uid field
containing "name@xxxxxxxxxxx" you would perform a search for a uid with that
value. If the search was successful you could extract the DN from the result
and use that to bind. If the search fails you know that user entry is not in
the directory.

IOW, what code or other URL syntax should I be using before I can perform the
query operation above?

Thanks for your help, - Dave



--
Nigel Wade
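The two-step procedure Nigel describes above (bind with a service account that can search, look up the DN for a uid, then bind as that DN with the user's own password) written out in JNDI. This is an added example, not code from either poster; the provider URL, the service-account DN, the search base and the LDAP_SERVICE_PASSWORD environment variable are assumed placeholders. It also covers two failure modes the thread does not spell out: an empty password, which the LDAP protocol treats as an anonymous bind that "succeeds", and user-supplied names reaching the search filter, which is avoided by passing the uid as a filter argument rather than concatenating it.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class LdapSearchThenBind {

    // Assumed values: replace with your own server, service account and search base.
    private static final String PROVIDER_URL = "ldaps://ldap.example.com:636";
    private static final String SERVICE_DN = "cn=svc-auth,ou=service,dc=example,dc=com";
    private static final String SERVICE_PASSWORD = System.getenv("LDAP_SERVICE_PASSWORD");
    private static final String SEARCH_BASE = "ou=people,dc=example,dc=com";

    // A simple bind: JNDI performs it when the context is constructed, so a
    // rejected password throws here rather than on a later operation.
    private static LdapContext bind(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialLdapContext(env, null);
    }

    /** Step 1: with the service account, find the DN whose uid matches. Returns null if none. */
    static String findDnForUid(String uid) throws NamingException {
        LdapContext ctx = bind(SERVICE_DN, SERVICE_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed
            // {0} is substituted and escaped by JNDI, so the uid is never spliced into the filter text.
            NamingEnumeration<SearchResult> results =
                ctx.search(SEARCH_BASE, "(uid={0})", new Object[] { uid }, sc);
            try {
                if (!results.hasMore()) {
                    return null;                       // user entry is not in the directory
                }
                String dn = results.next().getNameInNamespace();
                if (results.hasMore()) {
                    return null;                       // ambiguous match: refuse rather than guess
                }
                return dn;
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    /** Step 2: bind as the found DN with the user's password; success means the credentials are valid. */
    static boolean authenticate(String uid, String password) throws NamingException {
        if (password == null || password.length() == 0) {
            // An empty password is an unauthenticated (anonymous) bind, which most servers accept.
            // Treating that as a successful login would let anyone in with a known uid.
            return false;
        }
        String dn = findDnForUid(uid);
        if (dn == null) {
            return false;
        }
        try {
            bind(dn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false;                              // wrong password (LDAP invalidCredentials)
        }
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: LdapSearchThenBind <uid> <password>");
            return;
        }
        System.out.println(authenticate(args[0], args[1]) ? "valid" : "invalid");
    }
}
```

Other NamingExceptions (server unreachable, service account rejected) are deliberately left to propagate rather than mapped to "invalid", so an outage is not logged as a string of failed logins.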