How do I bind to LDAP with a username/password


laredotornado

Hi,

I'm using Java 1.5. Does anyone know how I can bind to an LDAP server
with a username and password? Note that this is different from
authenticating against an LDAP server with a username and password.
That I can set up like so ...

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;

Hashtable env = new Hashtable(5, 0.75f);
...
env.put(Context.SECURITY_PRINCIPAL, name+"@" + this.domain); // who to bind as (DN, or UPN on AD)
env.put(Context.SECURITY_CREDENTIALS, pass);                 // that principal's password
...
InitialLdapContext context = new InitialLdapContext(env, null); // the bind request is sent here

I was looking at ways of writing the LDAP connect string (http://
www.rlmueller.net/LDAP_Binding.htm), and there seems to be a place for
the bind username ("cn") but I can't see where the password would go.

Any help is appreciated, - Dave
 

Nigel Wade

laredotornado said:
> Hi,
>
> I'm using Java 1.5. Does anyone know how I can bind to an LDAP server
> with a username and password? Note that this is different from
> authenticating against an LDAP server with a username and password.

Authentication against LDAP normally works by attempting to bind with the
supplied credentials. Failure to bind indicates a failure to authenticate.

The only other way to do it would be to bind with some master credentials which
had full read access (including passwords), perform a search for the
SECURITY_PRINCIPAL, fetch the encrypted password for that DN and compare it to
the SECURITY_CREDENTIALS (after suitable encryption of said
SECURITY_CREDENTIALS).

> That I can set up like so ...
>
> Hashtable env = new Hashtable(5, 0.75f);
> ...
> env.put(Context.SECURITY_PRINCIPAL, name+"@" + this.domain);
> env.put(Context.SECURITY_CREDENTIALS, pass);
> ...
> InitialLdapContext context = null;
> context = new InitialLdapContext(env, null);
>
> I was looking at ways of writing the LDAP connect string (http://
> www.rlmueller.net/LDAP_Binding.htm), and there seems to be a place for
> the bind username ("cn") but I can't see where the password would go.

and this does the former method, i.e. binding as SECURITY_PRINCIPAL to test
authentication.

> Any help is appreciated, - Dave

I think you've already helped yourself, you just don't realize it...

What operation are you wanting to perform on the directory after you've bound to
it?

P.S. Beware the very confusing terminology in JNDI where "bind" means "add",
rather than in LDAP where it means "connect". When you "bind" with JNDI you are
adding an entry into the directory.
 

laredotornado

Nigel Wade wrote:
> Authentication against LDAP normally works by attempting to bind with the
> supplied credentials. Failure to bind indicates a failure to authenticate.
>
> The only other way to do it would be to bind with some master credentials which
> had full read access (including passwords), perform a search for the
> SECURITY_PRINCIPAL, fetch the encrypted password for that DN and compare it to
> the SECURITY_CREDENTIALS (after suitable encryption of said
> SECURITY_CREDENTIALS).
>
> and this does the former method, i.e. binding as SECURITY_PRINCIPAL to test
> authentication.
>
> I think you've already helped yourself, you just don't realize it...
>
> What operation are you wanting to perform on the directory after you've bound to
> it?
>
> P.S. Beware the very confusing terminology in JNDI where "bind" means "add",
> rather than in LDAP where it means "connect". When you "bind" with JNDI you are
> adding an entry into the directory.

I'm so new to this I'm still not seeing the answer in your reply.
Often you connect anonymously to LDAP and then run a query passing in
different username/passwords to see if they authenticate. In this
case I want to connect with master credentials and then run queries
authenticating others using the

env.put(Context.SECURITY_PRINCIPAL, name+"@" + this.domain);
env.put(Context.SECURITY_CREDENTIALS, pass);

syntax. But how do I connect as the master credentials? IOW, what
code or other URL syntax should I be using before I can perform the
query operation above?

Thanks for your help, - Dave
 

Nigel Wade

laredotornado said:
> I'm so new to this I'm still not seeing the answer in your reply.
> Often you connect anonymously to LDAP and then run a query passing in
> different username/passwords to see if they authenticate.

I've never come across that method, and I don't see how it could work.

You can bind anonymously and run queries on the contents/attributes of entries
in the directory, but you will have limited success depending on the security
in the directory server, and what attributes are visible to anonymous binds.
You can attempt to bind with some given credentials, and you will either
succeed or fail depending on whether the credentials are valid. You can bind
with the master credentials and then run a query which ought to succeed.

> In this
> case I want to connect with master credentials and then run queries
> authenticating others using the
>
> env.put(Context.SECURITY_PRINCIPAL, name+"@" + this.domain);
> env.put(Context.SECURITY_CREDENTIALS, pass);
>
> syntax.

It's not at all clear to me what you are wanting to achieve. If you want to know
if some credentials will authenticate you attempt to bind with those
credentials. There is no query that I know of which you can run to test
authentication. AFAIK that just isn't part of the LDAP protocol.

> But how do I connect as the master credentials?

You supply the DN of that entry, and the password. To test the authenticity of
other credentials you do exactly the same. The only reason you might want to
bind first with some other credentials is because you only have the uid, or
some other part of the identity, rather than the DN. So you'd bind with
credentials which had search access to the attributes you need, and with read
access to the DN.

For example if the user entry you want has a uid field
containing "(e-mail address removed)" you would perform a search for a uid with that
value. If the search was successful you could extract the DN from the result
and use that to bind. If the search fails you know that user entry is not in
the directory.
 

laredotornado

Nigel Wade wrote:
> I've never come across that method, and I don't see how it could work.
>
> You can bind anonymously and run queries on the contents/attributes of entries
> in the directory, but you will have limited success depending on the security
> in the directory server, and what attributes are visible to anonymous binds.
> You can attempt to bind with some given credentials, and you will either
> succeed or fail depending on whether the credentials are valid. You can bind
> with the master credentials and then run a query which ought to succeed.
>
> It's not at all clear to me what you are wanting to achieve. If you want to know
> if some credentials will authenticate you attempt to bind with those
> credentials. There is no query that I know of which you can run to test
> authentication. AFAIK that just isn't part of the LDAP protocol.
>
> You supply the DN of that entry, and the password. To test the authenticity of
> other credentials you do exactly the same. The only reason you might want to
> bind first with some other credentials is because you only have the uid, or
> some other part of the identity, rather than the DN. So you'd bind with
> credentials which had search access to the attributes you need, and with read
> access to the DN.
>
> For example if the user entry you want has a uid field
> containing "(e-mail address removed)" you would perform a search for a uid with that
> value. If the search was successful you could extract the DN from the result
> and use that to bind. If the search fails you know that user entry is not in
> the directory.

In my situation, binding/connecting anonymously is not an option. So
what I'm trying to achieve is

1. Connecting with master credentials
2. Then authenticating a user with some other username/password (which
I know how to do when I bind anonymously).

> You supply the DN of that entry, and the password.

and do you do that through the same procedure as above, setting up a
Hashtable that is my environment and calling

context = new InitialLdapContext(env, null);

If so, would I be doing this twice -- once for the master
credentials and then immediately after with the user I wish to
authenticate?

- Dave
 

Nigel Wade

laredotornado said:
> In my situation, binding/connecting anonymously is not an option. So
> what I'm trying to achieve is
>
> 1. Connecting with master credentials
> 2. Then authenticating a user with some other username/password (which
> I know how to do when I bind anonymously).

Why are you performing step 1?
It isn't necessary and doesn't achieve anything.

> and do you do that through the same procedure as above, setting up a
> Hashtable that is my environment and calling
>
> context = new InitialLdapContext(env, null);
>
> If so, would I be doing this twice -- once for the master
> credentials and then immediately after with the user I wish to
> authenticate?

You would indeed. I see no reason whatsoever for the first step. Just bind as
the user you want to "authenticate", that's how you "authenticate" with LDAP.
 

Roedy Green

laredotornado wrote:
> Hi,
>
> I'm using Java 1.5. Does anyone know how I can bind to an LDAP server
> with a username and password? Note that this is different from
> authenticating against an LDAP server with a username and password.
> That I can set up like so ...

It might work the same way it does for HTTP. See
http://mindprod.com/jgloss/authentication.html

It would only take a few minutes to find out.
--
Roedy Green Canadian Mind Products
http://mindprod.com

"Climate change is no longer a doomsday prophecy, it’s a reality."
~ Astrid Heiberg president of the International Federation of Red Cross and Red Crescent Societies
 

laredotornado

Nigel Wade wrote:
> Why are you performing step 1?
> It isn't necessary and doesn't achieve anything.
>
> You would indeed. I see no reason whatsoever for the first step. Just bind as
> the user you want to "authenticate", that's how you "authenticate" with LDAP.

So you're saying I never need to authenticate with master
credentials? Then this may be an unrelated question, but what is the
significance of the "cn" in the connect string and when is it
required?

Thanks, - Dave
 

Nigel Wade

laredotornado said:
> So you're saying I never need to authenticate with master
> credentials?

Not if you want to "authenticate" a different account, no. However, if all you
have is the user's name, UID etc. and not the DN you may need to authenticate
using master credentials so you can search the directory to get the required
DN. This is basically how nss_ldap/PAM works on UNIX/Linux.

> Then this may be an unrelated question, but what is the
> significance of the "cn" in the connect string and when is it
> required?

When you bind/authenticate you have to supply the DN of the authenticating user.
The DN identifies the entry in the directory and is a hierarchical combination
of each object type from this entry back to the root DN. This may, or may not,
include a CN depending on the structure of the directory. For example the DN of
an account on our LDAP directory has no CN component :
uid=whatever,ou=accounts,ou=sppg,dc=RSPPG

However, the entry in the directory does have a CN attribute but it's not used
during binding/authentication. A CN would only be required if that was part of
the DN of the authenticating user.
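Putting Nigel's two pieces of advice together (authenticate by binding as the user; bind as a master account first only when you have a uid rather than a DN and need to search for it), here is an added Java 1.5-compatible JNDI example. It is not code from this thread or from any of the posters; the LDAPS URL, the service-account DN and password, and the base DN are assumed placeholders. Two things a practitioner wants that the thread does not spell out: the uid is escaped before it goes into the search filter, so a crafted username cannot rewrite the query, and an empty password is rejected before any bind is attempted, because a simple bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513) which some servers, Active Directory by default, answer with success.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class LdapAuth {
    // Assumed directory details (hypothetical; change to match your server).
    static final String URL = "ldaps://ldap.example.com:636"; // TLS; plain ldap:// sends passwords in clear
    static final String SERVICE_DN = "cn=svc-auth,ou=services,dc=example,dc=com";
    static final String SERVICE_PASSWORD = "change-me";
    static final String BASE_DN = "ou=accounts,dc=example,dc=com";

    /** Simple bind as a DN. Invalid credentials raise AuthenticationException. */
    static LdapContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null); // the bind request is sent here
    }

    /** Escape a value for an LDAP search filter (RFC 4515) so user input cannot alter the query. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Step 1: bind as the service account and map a uid to its DN (null unless exactly one entry matches). */
    static String findDn(String uid) throws NamingException {
        LdapContext svc = bind(SERVICE_DN, SERVICE_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed, no attributes
            NamingEnumeration<SearchResult> results =
                svc.search(BASE_DN, "(uid=" + escapeFilterValue(uid) + ")", sc);
            String dn = null;
            while (results.hasMore()) {
                if (dn != null) {
                    return null; // ambiguous uid: refuse rather than pick one
                }
                dn = results.next().getNameInNamespace();
            }
            return dn;
        } finally {
            svc.close();
        }
    }

    /** Step 2: bind as the resolved DN with the user's own password; true only if that bind succeeds. */
    static boolean authenticate(String uid, String password) throws NamingException {
        // A DN with an empty password is an "unauthenticated" bind (RFC 4513); servers that
        // allow it (Active Directory does by default) report success. Refuse it up front.
        if (password == null || password.length() == 0) {
            return false;
        }
        String dn = findDn(uid);
        if (dn == null) {
            return false; // unknown or ambiguous user; same answer as a bad password
        }
        try {
            bind(dn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // invalid credentials (or a locked/disabled account)
        }
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(authenticate(args[0], args[1]) ? "authenticated" : "rejected");
    }
}
```

Run it as `java LdapAuth <uid> <password>`. Against Active Directory the first step is often unnecessary, since AD accepts the `name@domain` form from the original post directly as SECURITY_PRINCIPAL; the search-then-bind step is what you need for directories such as the `uid=...,ou=accounts,...` layout Nigel describes, where the bind DN is not derivable from the login name.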
 
