LDAP比较用户名密码？

Question

I am new to LDAP and is using it with com.sun.jndi.ldap jar.

I have a login page where the user is entering the username and password. My job here is to validate the credentials with the data sitting in LDAP.

Till now I have connected to a LDAP server, authenticated and retrieved the uid.

Now I want to compare the password entered by the user and that in LDAP (password is private ie cannot view it when querying for the userid).

Is there any way to compare both of these passwords?

Answer 1

We have several samples using binding as a user. You should mentioned by others, do a bind, never a compare of passwords. A compare of passwords is a poor practice and should not be utilized as some of the built in LDAP Server Implementation features such as Password Expiration and Intruder Detection may be bypassed when performing a Compare Request on the password attribute.

JNDI Samples

Answer 2

Java LDAP APIs provide search operation which cause LDAP compare in turn. Here is an example of the same .

Answer 3

If there's an option to use Spring Security in your application, this has a module that'll allow you to integrate authentication with LDAP.

Documentation here

Answer 4

You're asking the wrong question. The correct approach with LDAP is to 'bind' to the directory using the user's credentials instead of your own. In JNDI this corresponds to the LdapContext.reconnect() operation, after setting the user's credentials into the context's environment as Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS. That causes the LDAP server to do the password comparison as necessary.

Answer 5

If you really want to compare a field (not limited to username and password), you can use the following wrapper over the search method:

public boolean compare(LdapContext ctx, String dn, String filter) {

    NamingEnumeration<SearchResult> answer = null;

    try {
        SearchControls searchCtls = new SearchControls();
        searchCtls.setSearchScope(SearchControls.OBJECT_SCOPE);
        searchCtls.setReturningAttributes(new String[0]);

        answer = ctx.search(dn, filter, searchCtls);
        if (answer == null || !answer.hasMore()) {              
            return false;   // E.g.: wrong filter
        }
    } catch (NamingException ex) {
        return false;       // E.g.: wrong DN
    }
    return true;
}

where ctx could be:

LdapContext ctx = new InitialLdapContext(getEnvironment(userName, password), null);

and the getEnvironment method could be:

private Hashtable<String, Object> getEnvironment(String userName, String password) {
    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, LDAP_HOST_389);
    env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
    env.put(Context.SECURITY_PRINCIPAL, userName);
    env.put(Context.SECURITY_CREDENTIALS, password);
    return env;
}

If you call the compare method above, you will get:

• false if something went wrong (Eg: invalid dn , invalid filter )

• true otherwise. In this case, if you inspect the answer in the compare method, you'll see:

   SearchResult sr = answer.next(); sr.getName(); // this is empty sr.getAttributes(); // No attributes 

You can also take a look at the LDAP Compare documentation from Oracle .

Answer 6

If I understand correct, you are trying to compare the password entered by the user and the password in the LDAP in your Java Code. This is not possible in JAVA since there is no option for java to retrieve the password from the LDAP. We can only ask the LDAP to validate the user entered details. More over the password in LDAP will not be stored as Plain text, it will be encrypted and stored.