Reputation: 283
how to authenticate a user in Ldap using password
package com.ecom.data.access.controller;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opends.server.admin.client.ldap.LDAPConnection;
import org.opends.server.types.ResultCode;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.NamingException;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.Controller;
import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.SimpleBindRequest;
public class LoginController implements Controller
{
public static String usersContainer = "dc=example,dc=com";
public ModelAndView handleRequest(HttpServletRequest request,HttpServletResponse response) throws Exception
{
String givenName1=request.getParameter("name");
String userpassword1=request.getParameter("password");
System.out.println("Ldap wellcome");
final SimpleBindRequest bindRequest=new SimpleBindRequest(givenName1, userpassword1);
System.out.println("before");
System.out.println(bindRequest);
Hashtable<String, Object> env = new Hashtable<String, Object>(11);// Here we set some connection Hashtable for JNDI
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389");
env.put( Context.SECURITY_PRINCIPAL, "cn=Directory Manager" );
env.put( Context.SECURITY_CREDENTIALS, "admin" );
DirContext ctx = null;
NamingEnumeration<?> results = null;
try {
ctx = new InitialDirContext(env);
SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String lookup="givenName="+givenName1+",dc=example,dc=com";
String obj = "(objectclass=*)";
results=ctx.search(lookup, obj, controls);
while (results.hasMore())
{
SearchResult searchResult = (SearchResult) results.next();
Attributes attributes = searchResult.getAttributes();
Attribute attruser = attributes.get("givenName");
Attribute attrpwd=attributes.get("uid");
Attribute org=attributes.get("o");
String cn = (String)attruser.get();
String cn1 = (String)attrpwd.get();
String cn2 = (String)org.get();
List<String> li = new ArrayList<String>();
li.add(cn);
li.add(cn1);
li.add(cn2);
if(givenName1.equals(cn) && userpassword1.equals(cn1))
{
ModelAndView modelSuccess=new ModelAndView("loginPage");
modelSuccess.addObject("msgSuccess", li);
return modelSuccess;
}
else
{
ModelAndView modelError=new ModelAndView("errorPage");
modelError.addObject("msgError", "Invalid UserName and Password");
return modelError;
}
}
} catch (Throwable e)
{
} finally
{
if (results != null)
{
try
{
results.close();
} catch (Exception e)
{
}
}
if (ctx != null) {
try {
ctx.close();
} catch (Exception e) {
}
}
}
return null;
}
}
I am using Spring 3. I am working on LDAP. I need to do a user is authenticate if his user name and password is correct. I have many fields in my OpenDs. If I am using given name and first name then it will authenticate, but if I use password then it's not authenticated because the password stored in openDs is encrypted form. So I need to match the password. Please give me some suggestion for this. I am using the code as above.
Upvotes: 0
Views: 1318
Answers (1)
Reputation: 11134
The password should be stored as a cryptographic digest called a "hash", often in the userPassword or authPassword attribute. The LDAP client authenticates by changing the authorization state of the session using a BIND request. A SimpleBindRequest has the distinguished name (primary key) of the account which is to be used as the authorization state of the session and the password in clear-text.
The SimpleBindRequest should be transmitted to the server via a secure connection (either SSL or a non-secure connection promoted using the StartTLS extended request). Other methods (such as DIGEST-MD5 or CRAM-MD5 are unsafe or less secure because the server must be able to decrypt a password, therefore the password must be stored in a reversible encryption. Other safe methods include GSSAPI or the EXTERNAL SASL mechanism, but the SimpleBindRequest over a secure connection is the simplest.
The LDAP directory server verifies the presented password and if the verification is successful, changes the authorization state of the session and then returns a BIND response to the client. The BIND response contains a result code - if that result code is zero (0), then the authentication (and the BIND operation) were successful.
LDAP client should not present pre-encoded passwords to LDAP servers because this prevents the management of password history and other aspects of password quality management.
Upvotes: 1
Related Questions
- LDAP + Spring: how to correctly authenticate?
- LDAP authentication with Spring Security
- How to authenticate user using Spring Ldap Authentication with spring mvc
- How to use Spring Ldap Authentication
- Authentication in Java using Spring LDAP
- Authenticate user in LDAP server
- Spring security authentication using LDAP
- How to Authenticate a user from a LDAP directory with his username and password?
- LDAP Authentication with Spring Security 3
- LDAP Authentication