DrStalker

Reputation: 9601

How to check a username/password combination?

Using LDAP is checking a username/password as simple as attempting to bind as that user and noting the results, or is there a special LDAP "check password" function?

I'm trying to get a bit more "behind the scenes" understanding while working on a messy LDAP repository setup issue.

(Note: This is for situations in which the password is not stored as a hash in a custom property; that situation is easy to manage)

Upvotes: 32

Views: 95618

Answers (5)

geoffc

Reputation: 4100

LDAP supports a compare of userPassword. You send the password, the server does the compare and returns true or false. This is the "not-requiring a login"-way to authenticate users.

Upvotes: 17

access_granted

Reputation: 1927

ldapsearch -v -h $hostname -p $port \
  -D 'uid=$UID' \
  -w '$PWD' \
  -b 'DC=$companyname,DC=$topleveldomain' '(objectClass=*)'

Replace the $xxx values with your related values. If you get return code=0, you can get in, not just that the UID/PWD combination is correct.

Upvotes: 0

maximum ldap

Reputation: 455

Look into the WhoAmI Extended Operation (RFC 4532).

WhoAmI serves one purpose really - validate submitted bind credentials. It should not affect nor provoke any "login restrictions" (that I know of).

WhoAmI can be done using a dedicated binary (such as "ldapwhoami"), or it can be done using Net::LDAP::Extension::WhoAmI (Perl) or some other such language that supports LDAP operations. Do note that "testing a password" using some "Search" function is an ill-advised test method.

For example, if my DN is "uid=max,ou=users,dc=company,dc=com" and my password is "@secret", one could do this via the dedicated binary on a Linux box (note -ZZ is used for TLS confidentiality, which is possibly unsupported or optional in your environment):

ldapwhoami -x -w "@secret" -D uid=max,ou=users,dc=company,dc=com -ZZ -H ldap://address.of.your.ldapserver/

If the user/pass combination is correct, the answer returned is:

dn:uid=max,ou=users,dc=company,dc=com

If the user/pass combination is NOT correct, the answer returned is (usually):

(49) Invalid Credentials

This could mean, as I said, that the password and/or username is wrong, the user does not exist, or the LDAP server's ACLs are broken in such a way that authentication is not possible. More often than not, it's the user/pass combo being mistyped, or the user not existing.

In closing, the LDAPWhoAmI operation is a very lightweight and simple method of validating credentials. It also works via other mechanisms (e.g. Kerberos Single Sign-On, DIGEST-MD5, etc.).

Upvotes: 16

user207421

Reputation: 310980

Binding as that user is sufficient. The password is checked in the process of binding.

Upvotes: 3

user86062


Watch out when using bind to check a username/password: on some systems it will count as a login, and with login restrictions it might fail.

Using compare is a better option for just checking the password.

Upvotes: 7
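The three checks the answers compare (bind, WhoAmI, and compare on userPassword) side by side, as an added Perl/Net::LDAP example that is not from any of the posts. The hostname, the CA file path, and the service account used for the compare are assumed placeholders; the DN and password are the ones from the WhoAmI answer.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Host, CA file and service account are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_COMPARE_TRUE LDAP_COMPARE_FALSE
                           LDAP_INVALID_CREDENTIALS);

my $host = 'ldap.example.com';                    # placeholder
my $dn   = 'uid=max,ou=users,dc=company,dc=com';  # DN from the WhoAmI answer
my $pw   = '@secret';                             # password from the WhoAmI answer
my ($svc_dn, $svc_pw) = ('cn=checker,dc=company,dc=com', 'placeholder');  # assumed service account

# All three methods send the user's password in clear inside the LDAP message,
# so require TLS before anything else goes over the wire.
my $ldap = Net::LDAP->new($host) or die "connect: $@";
my $m = $ldap->start_tls(verify => 'require', cafile => '/etc/ssl/certs/ca-certificates.crt');
die 'start_tls: ' . $m->error if $m->code;

# 1. Simple bind: the server verifies the password as part of the bind itself.
#    On servers with lockout / login-restriction policies this counts as a login attempt.
$m = $ldap->bind($dn, password => $pw);
if    ($m->code == LDAP_SUCCESS)             { print "bind: ok\n" }
elsif ($m->code == LDAP_INVALID_CREDENTIALS) { print "bind: wrong password or unknown DN (49)\n" }
else { print 'bind: other failure ', $m->code, ' ', $m->error, "\n" }   # e.g. policy / ACL problem

# 2. WhoAmI (RFC 4532): ask the server which identity the bind actually established.
#    Only meaningful after a successful bind; an anonymous session returns an empty authzId.
if ($m->code == LDAP_SUCCESS) {
    my $who = $ldap->who_am_i;
    print 'whoami: ', ($who->response // '(anonymous)'), "\n";   # expect "dn:uid=max,..."
}

# 3. Compare on userPassword while bound as a service account: the user is never logged in,
#    so no login-restriction side effects, but the service account needs compare access to
#    userPassword and the server must support comparing against the stored (hashed) value.
$m = $ldap->bind($svc_dn, password => $svc_pw);
die 'service bind: ' . $m->error if $m->code;
$m = $ldap->compare($dn, attr => 'userPassword', value => $pw);
if    ($m->code == LDAP_COMPARE_TRUE)  { print "compare: password matches\n" }
elsif ($m->code == LDAP_COMPARE_FALSE) { print "compare: password does not match\n" }
else { print 'compare: cannot tell, ', $m->code, ' ', $m->error, "\n" }  # no access, no such entry, ...

$ldap->unbind;
```

A bind result other than 0 or 49 (for instance a locked or expired account) is worth logging separately from plain bad-password failures, since it is the signal that a policy rather than the password rejected the user.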
