LDAP: check username-password combination via Java
To test a username-password combination with LDAP I do the following:
- connect to an LDAP server with a masteruser account
- search for the user to check
- open another connection by using InitialLdapContext and the given combination.
This works fine for me until I noticed that some correct combinations won't work (these are mostly accounts which were created a short time ago).
Is there a way a user is listed in an LDAP directory but isn't allowed to connect to the LDAP server itself? My current code just uses the masteruser to search for the username to check, but in the end it's just a new connection with the username-password combination to check.
Should I possibly connect with the masteruser and then bind with the username-password combination?
This is the part where I check the combination:
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

static boolean CheckLDAPConnection(String user_name, String user_password) {
    // 'ip' is a field of the surrounding class (not shown) holding the provider URL, e.g. "ldap://host:389"
    Hashtable<String, String> env1 = new Hashtable<String, String>();
    env1.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env1.put(Context.SECURITY_AUTHENTICATION, "simple");
    env1.put(Context.SECURITY_PRINCIPAL, user_name);
    env1.put(Context.SECURITY_CREDENTIALS, user_password);
    env1.put(Context.PROVIDER_URL, ip);
    LdapContext ctx = null;
    try {
        // Connect with LDAP: the constructor performs the simple bind
        ctx = new InitialLdapContext(env1, null);
        // Connection succeeded
        System.out.println("Connection succeeded!");
        return true;
    } catch (AuthenticationException e) {
        // Bind rejected: wrong credentials, or the principal is not a DN the server will bind
        System.out.println("Connection failed!");
        e.printStackTrace();
        return false;
    } catch (NamingException e) {
        // Any other failure (server unreachable, bad URL, ...): log it instead of swallowing it silently
        e.printStackTrace();
        return false;
    } finally {
        // Release the connection; the original leaked it on success
        if (ctx != null) {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
Once you have found the user's DN you should then add those credentials to the first context's environment and then try a reconnect(). That does the LDAP bind operation.
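The two-step flow this answer describes, as an added example that is not code from the question or the answer: bind as a service account, resolve the user's full DN by searching, then bind with that DN and the supplied password. The URL, base DN, service-account DN and the `LDAP_SVC_PASSWORD` environment variable are placeholders.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;

public class LdapAuth {
    // Placeholder values: replace with your server, base DN and service account.
    // ldaps:// matters because a simple bind sends the password in clear text otherwise.
    static final String URL = "ldaps://ldap.example.test:636";
    static final String BASE_DN = "ou=people,dc=example,dc=test";
    static final String SVC_DN = "cn=svc-auth,ou=system,dc=example,dc=test";
    static final String SVC_PW = System.getenv("LDAP_SVC_PASSWORD"); // must be set; never hard-code it

    static Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }

    // True only if the user exists and the server accepts a bind as that user's DN.
    static boolean authenticate(String uid, String password) throws NamingException {
        // An empty password is sent as an unauthenticated (anonymous) simple bind, which
        // many servers accept, so reject it here before it ever reaches the server.
        if (password == null || password.isEmpty()) return false;
        InitialLdapContext svc = new InitialLdapContext(env(SVC_DN, SVC_PW), null);
        String userDn;
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Pass uid as a filter argument so JNDI escapes it; never concatenate it into the filter.
            NamingEnumeration<SearchResult> r = svc.search(BASE_DN, "(uid={0})", new Object[]{uid}, sc);
            if (!r.hasMore()) return false;            // unknown user
            userDn = r.next().getNameInNamespace();    // the full DN is what the bind needs
        } finally {
            svc.close();
        }
        try {
            new InitialLdapContext(env(userDn, password), null).close();
            return true;
        } catch (AuthenticationException e) {
            return false;                              // wrong password, or account not allowed to bind
        }
    }
}
```

Binding with the DN returned by the search rather than the bare username is what separates "user exists in the directory" from "user may bind", which is the distinction the question runs into.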
We check user and password against LDAP by directly using that user and password to create the LDAP connection. If the connection can be created, the user is authorized. Then we search for the user's permissions in the LDAP with the same connection (if there are no permissions, the user cannot access the application even though the user is validated). It might not be the best approach, but using a master-user to create the first LDAP connection is not possible in a 2-tier application (security concerns about storing the master-user in the client GUI), as in our case.
Maybe you can change your approach.
This approach has some disadvantages, such as creating new users: you need to grant special permissions on the LDAP to an "admin" user of the GUI to create other users but not administrate the LDAP...