ldap check username-password combination via java_问答_开发者

ldap check username-password combination via java

开发者 https://www.devze.com 2023-04-06 23:00 出处：网络

To test a username-password combination with ldap i do the following connect to an ldap server with a masteruser account

To test a username-password combination with ldap i do the following

connect to an ldap server with a masteruser account
search for the user to check
open another connection by using InitialLdapContext and the given combination.

This works fine for me till i noticed that some correct combinations wont work. (these are mostly accounts which were created short time ago)

Is there a way a user is listed in a ldap directory but isnt allowed to connect to the ldap server itself?! My current code just uses the masteruser to search for the username to check, but in the end its just a new connection with the username-password combination to check.

Should i possibly connect wit开发者_开发技巧h the masteruser and then bind with the username-password combination?

this is the part where i check the combination:

static boolean CheckLDAPConnection(String user_name, String user_password) {    
    try {
        Hashtable<String, String> env1 = new Hashtable<String, String>();
        env1.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env1.put(Context.SECURITY_AUTHENTICATION, "simple");
        env1.put(Context.SECURITY_PRINCIPAL, user_name);
        env1.put(Context.SECURITY_CREDENTIALS, user_password);
        env1.put(Context.PROVIDER_URL, ip);
        try {
            //Connect with ldap
            new InitialLdapContext(env1, null);  

            //Connection succeeded
            System.out.println("Connection succeeded!");
            return true;
        } catch (AuthenticationException e) {

            //Connection failed
            System.out.println("Connection failed!");
            e.printStackTrace();
            return false;
        }  
    }
    catch (Exception e) {   
    }
    return false;
}

Once you have found the user's DN you should then add those credentials to the first context's environment and then try a reconnect(). That does the LDAP bind operation.

We check user and password against LDAP by using directly its user and password to create the LDAP connection. If connection can be created, use is authorized. Then search for user permission in the LDAP with the same connection (if no permission can not access the application regarding the user is validated). Could not be the best approach but using a master-user to create the first LDAP connection is not possible in a 2-tier application (security concerns about storing the master-user in the client GUI) as in our case.

Maybe you can change your approach.

This approach have some disadvantages, as creating new users, so need to grant special permissions on the LDAP to an "admin" user of the GUI to create other users but don't administrate the LDAP...