
LDAP/AD - How to determine whether user name or password is mismatch


In my application, I am using the LDAP bind authentication mechanism. I am getting AuthenticationException in either case of a mismatch (user name or password).
I want to show an error message saying either that the User Name is mismatched or that the Password is mismatched. Currently, using AuthenticationException, I am not able to get the proper details.

Is there any existing API that will help? Or do I need to query using an API?

Thanks in Advance.

If users give username and password for authentication, it's best practice not to tell them the exact reason why a log on wasn't successful. You always tell them there's a mismatch between username and password, so an attacker doesn't learn if a particular username exists.

I agree that the best practice is not to tell the reason.

--

But if you have to do it no matter what:

Do a search with the Username to check if the Username exists. If it doesn't exist, it's an error.

If the user exists and it continues to authenticate but you get AuthenticationException, then it's a wrong password.

--

Edit:

// needs javax.naming.Context, javax.naming.AuthenticationException,
// javax.naming.NamingException and javax.naming.ldap.InitialLdapContext
if (checkUserExists(username)) {
    // construct the Hashtable environment (INITIAL_CONTEXT_FACTORY, PROVIDER_URL, ...)
    // ...
    ht.put(Context.SECURITY_AUTHENTICATION, "simple");
    ht.put(Context.SECURITY_PRINCIPAL, username);   // the DN that binds
    ht.put(Context.SECURITY_CREDENTIALS, password); // the password goes in SECURITY_CREDENTIALS, not a second SECURITY_PRINCIPAL
    // ...
    if (password == null || password.isEmpty()) {
        // a simple bind with an empty password is an anonymous bind and succeeds:
        // treat it as a failed logon instead of binding
    } else {
        try {
            localLdapContext = new InitialLdapContext(ht, null);
        } catch (AuthenticationException e) {
            // the user exists and the bind was rejected: suppose it's a wrong password
        } catch (NamingException e) {
            // connection or directory error, not a credential problem
        }
    }
} else {
    // error: user doesn't exist
}

You need another LDAP connection, with the permission to look up users, for all requests.

boolean checkUserExists(String username) throws NamingException {
    // ...
    ht_administrator.put(Context.SECURITY_PRINCIPAL, admin_username);
    ht_administrator.put(Context.SECURITY_CREDENTIALS, admin_password); // password, not a second SECURITY_PRINCIPAL
    // ...
    adminconn = new InitialLdapContext(ht_administrator, null);
    try {
        // Search the people container with a parameterised filter instead of building the
        // entry DN from raw input: JNDI escapes the {0} argument, so the username cannot
        // alter the query, and a missing user yields an empty result rather than a
        // NameNotFoundException for a non-existent base DN.
        return adminconn.search(
            "ou=people,dc=example,dc=com", "(uid={0})", new Object[] { username }, searchControls
        ).hasMore();
    } finally {
        adminconn.close();
    }
}

The returned error codes from Microsoft Active Directory provide that information.

"The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data , vece ]."

The data values will inform of the issue.
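An added example (not from this answer or the original post) of how that `data` sub-code can be read from the text of AuthenticationException.getMessage() and mapped to a reason for server-side logging, while the client still receives one generic message. It assumes Java 9 or later for Map.of; the message string in main() is constructed in the shape Active Directory returns.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Maps the "data NNN" sub-code that Active Directory appends to an LDAP error 49
 * bind failure (the text of AuthenticationException.getMessage()) to a reason.
 * The reason is for server-side logging; the user still sees one generic message.
 */
public final class AdBindFailure {

    // Well-known AcceptSecurityContext sub-codes returned by Active Directory.
    private static final Map<String, String> REASONS = Map.of(
        "525", "user not found",
        "52e", "invalid credentials (wrong password)",
        "530", "not permitted to log on at this time",
        "531", "not permitted to log on at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "account locked out");

    // Matches "... error code 49 ... , data 52e, ..." and captures the hex sub-code.
    private static final Pattern DATA_CODE =
        Pattern.compile("error code 49\\b.*?,\\s*data\\s+([0-9a-fA-F]+)", Pattern.DOTALL);

    /** Returns the reason for an AD bind failure message, or empty if no sub-code is present. */
    public static Optional<String> reason(String exceptionMessage) {
        if (exceptionMessage == null) return Optional.empty();
        Matcher m = DATA_CODE.matcher(exceptionMessage);
        if (!m.find()) return Optional.empty();
        String code = m.group(1).toLowerCase();
        return Optional.of(REASONS.getOrDefault(code, "unrecognised sub-code " + code));
    }

    /** The only text returned to the client, whatever the actual cause. */
    public static String userMessage() {
        return "Invalid username or password.";
    }

    public static void main(String[] args) {
        // Constructed sample in the shape AD returns; "data 52e" means a wrong password.
        String msg = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, "
                + "comment: AcceptSecurityContext error, data 52e, vece ]";
        System.out.println("log:  " + reason(msg).orElse("no AD sub-code"));
        System.out.println("user: " + userMessage());
    }
}
```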
