Reputation: 147
Username and Password for LDAP Authentication
A client asked us if we support LDAP authentication for a Single-Sign-On (SSO). I Googled around and learnt a bit about LDAP.
However, I don't understand whether I should run the bind operation on some credentials that will be given to me as the app and then look for the user that tried to log in, or I should call the bind on the credentials the user attempts to login from through our app and as long as the credentials are valid, I consider that the user is logged in.
Thank you.
Upvotes: 0
Views: 266
Answers (1)
Reputation: 310840
It's done in three steps:
- Bind as an administrative user that has enough permission to search the directory.
- Search the directory for the user. This is necessary because the user won't be providing his entire DN: he will be providing something else unique about himself such as his email address, a 'screen name'/moniker/alias, etc.
- Bind as that user using the password credential supplied.
If any of this fails i.e. including (2), it's a login failure, and note that you don't tell the user which step: you don't tell him 'no such user' or 'invalid password'. You just tell him 'invalid credentials' or similar for both. Otherwise you're leaking information to an attacker.
Upvotes: 3
Related Questions
- Login authentication via LDAP
- Java LDAP authentication with username
- How to connect LDAP With username and password?
- authentication using LDAP
- LDAP Authentication Requirements and How to do it
- Java LDAP Authentication using username and password
- LDAP web application using Single sign-on authentication
- How to implement single sign-on in my java project?
- what LDAP credentials are needed
- How to authenticate in LDAP?