[英]LDAP compare username password?
I am new to LDAP and is using it with com.sun.jndi.ldap
jar. 我是LDAP的新手,并且正在使用
com.sun.jndi.ldap
jar。
I have a login page where the user is entering the username and password. 我有一个登录页面,用户输入用户名和密码。 My job here is to validate the credentials with the data sitting in LDAP.
我的工作是使用LDAP中的数据验证凭据。
Till now I have connected to a LDAP server, authenticated and retrieved the uid. 直到现在我已连接到LDAP服务器,经过身份验证并检索了uid。
Now I want to compare the password entered by the user and that in LDAP (password is private ie cannot view it when querying for the userid). 现在我想比较用户输入的密码和LDAP中的密码(密码是私有的,即查询用户ID时无法查看)。
Is there any way to compare both of these passwords? 有没有办法比较这两个密码?
We have several samples using binding as a user. 我们有几个样本使用绑定作为用户。 You should mentioned by others, do a bind, never a compare of passwords.
你应该提到别人,做一个绑定,从不比较密码。 A compare of passwords is a poor practice and should not be utilized as some of the built in LDAP Server Implementation features such as Password Expiration and Intruder Detection may be bypassed when performing a Compare Request on the password attribute.
密码比较是一种不好的做法,不应该使用,因为在密码属性上执行比较请求时,可能会绕过某些内置的LDAP服务器实现功能,如密码过期和入侵检测。
Java LDAP APIs provide search
operation which cause LDAP compare in turn. Java LDAP API提供
search
操作,从而导致LDAP比较。 Here is an example of the same . 这是一个相同的例子 。
If there's an option to use Spring Security in your application, this has a module that'll allow you to integrate authentication with LDAP. 如果在应用程序中有一个使用Spring Security的选项,那么它有一个允许您将身份验证与LDAP集成的模块。
You're asking the wrong question. 你问的是错误的问题。 The correct approach with LDAP is to 'bind' to the directory using the user's credentials instead of your own.
使用LDAP的正确方法是使用用户的凭据而不是您自己的凭据“绑定”到目录。 In JNDI this corresponds to the
LdapContext.reconnect()
operation, after setting the user's credentials into the context's environment as Context.SECURITY_PRINCIPAL
and Context.SECURITY_CREDENTIALS.
在JNDI中,在将用户的凭据设置为
Context.SECURITY_PRINCIPAL
和Context.SECURITY_CREDENTIALS.
的上下文环境之后,这对应于LdapContext.reconnect()
操作Context.SECURITY_CREDENTIALS.
That causes the LDAP server to do the password comparison as necessary. 这会导致LDAP服务器根据需要进行密码比较。
If you really want to compare a field (not limited to username and password), you can use the following wrapper over the search
method: 如果您确实想要比较字段(不限于用户名和密码),可以在
search
方法上使用以下包装器 :
public boolean compare(LdapContext ctx, String dn, String filter) {
NamingEnumeration<SearchResult> answer = null;
try {
SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.OBJECT_SCOPE);
searchCtls.setReturningAttributes(new String[0]);
answer = ctx.search(dn, filter, searchCtls);
if (answer == null || !answer.hasMore()) {
return false; // E.g.: wrong filter
}
} catch (NamingException ex) {
return false; // E.g.: wrong DN
}
return true;
}
where ctx
could be: ctx
可能是:
LdapContext ctx = new InitialLdapContext(getEnvironment(userName, password), null);
and the getEnvironment
method could be: 并且
getEnvironment
方法可以是:
private Hashtable<String, Object> getEnvironment(String userName, String password) {
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, LDAP_HOST_389);
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, userName);
env.put(Context.SECURITY_CREDENTIALS, password);
return env;
}
If you call the compare
method above, you will get: 如果您调用上面的
compare
方法,您将获得:
false
if something went wrong (Eg: invalid dn
, invalid filter
) false
(例如:无效的dn
,无效的filter
) true
otherwise. 否则为
true
。 In this case, if you inspect the answer
in the compare
method, you'll see: 在这种情况下,如果您在
compare
方法中检查answer
,您将看到:
SearchResult sr = answer.next(); sr.getName(); // this is empty sr.getAttributes(); // No attributes
You can also take a look at the LDAP Compare documentation from Oracle . 您还可以查看Oracle的LDAP Compare文档 。
If I understand correct, you are trying to compare the password entered by the user and the password in the LDAP in your Java Code. 如果我理解正确,您将尝试比较用户输入的密码和Java代码中LDAP中的密码。 This is not possible in JAVA since there is no option for java to retrieve the password from the LDAP.
这在JAVA中是不可能的,因为java没有从LDAP检索密码的选项。 We can only ask the LDAP to validate the user entered details.
我们只能要求LDAP验证用户输入的详细信息。 More over the password in LDAP will not be stored as Plain text, it will be encrypted and stored.
LDAP中的密码不会以纯文本形式存储,而是会被加密和存储。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.