LDAP验证的用户名和密码
[英]Username and Password for LDAP Authentication
问题描述
A client asked us if we support LDAP authentication for a Single-Sign-On (SSO). 
一位客户询问我们是否支持单点登录(SSO)的LDAP身份验证。 I Googled around and learnt a bit about LDAP. 我在Google周围搜索并了解了一些有关LDAP的知识。
However, I don't understand whether I should run the bind operation on some credentials that will be given to me as the app and then look for the user that tried to log in, or I should call the bind on the credentials the user attempts to login from through our app and as long as the credentials are valid, I consider that the user is logged in. 但是,我不明白是否应该对将作为应用程序提供给我的某些凭据运行bind操作,然后寻找尝试登录的用户,还是应该对用户尝试的凭据调用bind通过我们的应用程序登录,并且只要凭据有效,我就认为该用户已登录。
Thank you. 谢谢。
1 个解决方案
解决方案1
2 已采纳 2017-03-09 23:48:52
It's done in three steps: 分三个步骤完成:
- Bind as an administrative user that has enough permission to search the directory. 绑定为具有足够权限搜索目录的管理用户。
- Search the directory for the user. 在目录中搜索用户。 This is necessary because the user won't be providing his entire DN: he will be providing something else unique about himself such as his email address, a 'screen name'/moniker/alias, etc. 这是必要的,因为用户将不会提供他的整个DN:他将提供有关他自己的其他信息,例如他的电子邮件地址,“屏幕名称” /昵称/别名等。
- Bind as that user using the password credential supplied. 使用提供的密码凭据作为该用户绑定。
If any of this fails ie including (2), it's a login failure, and note that you don't tell the user which step: you don't tell him 'no such user' or 'invalid password'. 如果其中任何一个失败(包括(2)),则表示登录失败,请注意,您没有告诉用户哪个步骤:您没有告诉他“没有这样的用户”或“无效的密码”。 You just tell him 'invalid credentials' or similar for both. 您只需告诉他“无效的凭据”或两者均类似。 Otherwise you're leaking information to an attacker. 否则,您会将信息泄漏给攻击者。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.