LDAP user authentication is the process of validating a username and password combination with a directory server such as MS Active Directory, OpenLDAP or OpenDJ. LDAP directories are the standard technology for storing user, group and permission information and serving it to applications in the enterprise. Authenticating users with an LDAP directory is a two-step process. This article explains the mechanics of it and then how to configure it in LdapAuth.

Step 1 – Resolving the username to a directory entry attribute

User entries in a directory are identified by a distinguished name (DN), which resembles a path-like structure starting at the directory root (the rightmost segment):
In order to authenticate a user with an LDAP directory you first need to obtain their DN as well as their password. With a login form, people typically enter a simple identifier such as their username or email address. You cannot expect them to memorise the DN of their directory entry; that would be impractical. This is where DN resolution comes in. It takes the user's name or email and runs a search against the name or email attributes of all user entries to find the DN of the matching entry. Directories employ highly efficient indexing and caching, so these searches are typically very fast. The directory attributes to search are defined in the . The default LdapAuth configuration searches the UID and email attributes. The %u placeholder is substituted with the user identifier entered in the login form:
If you want to search for UID only the search filter would look like this:
If you want to search for UID, email and employee number, extend the filter to:
Two important things to observe when configuring and creating new user entries in the directory:
The LdapAuth web API does not reveal in the authentication response the cause of the login failure – whether that was a wrong username, a wrong password, or both. To troubleshoot situations where a user is not able to log in despite entering a correct username and password, check the service logs. If a login was rejected due to a bad username, a line like this will appear in the log:
If the username was correctly resolved, but the password was bad:
If we have correctly resolved the DN of the user's directory entry, we can proceed to the next step – checking the password.

Step 2 – Validating the user password

Passwords are checked by an LDAP operation called bind. A connection is opened to the directory server, then a request is sent to authenticate the connection as a particular user by passing that user's entry DN and password:
If the credentials are correct, the directory server returns success. Otherwise it returns an LDAP error. Important things to note here:
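The two steps described above (resolve the identifier to a DN with a search filter, then bind as that DN), carried through as an added example; this is not code from the article or from LdapAuth. The search filter template `(|(uid=%u)(mail=%u))` is an assumed shape, since the article names only the UID and email attributes. The directory is an in-memory stand-in with constructed entries and a deliberately small filter evaluator, so the flow runs offline; a real deployment would talk to the directory through an LDAP client library. The example also shows the two checks a practitioner wants around this flow: the identifier substituted for %u is escaped per RFC 4515 so it cannot change the meaning of the filter, and an empty password is rejected before the bind, because a simple bind with a DN and an empty password is an unauthenticated bind rather than a failed one.

```python
"""Two-step LDAP login: DN resolution by search, then a bind with the resolved DN.

Added illustration, not the article's or LdapAuth's own code. The directory
below is an in-memory stand-in with constructed entries.
"""
import hmac
import re

# RFC 4515 escaping for values substituted into a search filter. Without this an
# identifier such as "*" or "x)(uid=*" would alter the filter instead of being
# matched literally.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed shape of the default template; the article only says UID and email are searched.
DEFAULT_FILTER = "(|(uid=%u)(mail=%u))"


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, identifier: str, escape: bool = True) -> str:
    """Substitute %u in the template; escape=False shows the unsafe variant for comparison."""
    return template.replace("%u", escape_filter_value(identifier) if escape else identifier)


_ATOM = re.compile(r"\((\w+)=([^()]*)\)")


def _value_to_regex(token: str):
    """Translate a filter value into a regex: \\XX hex escapes are literal characters,
    a bare '*' is a wildcard. Attribute matching is case-insensitive, like caseIgnore rules."""
    out, i = [], 0
    while i < len(token):
        if token[i] == "\\" and i + 2 < len(token):
            out.append(re.escape(chr(int(token[i + 1:i + 3], 16))))
            i += 3
        elif token[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(token[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


class FakeDirectory:
    """Minimal stand-in for a directory server: entries keyed by DN, OR-only filter search, simple bind."""

    def __init__(self, entries: dict):
        self.entries = entries

    def search(self, search_filter: str) -> list:
        """Return the DNs of entries matching any (attr=value) atom in the filter (OR semantics)."""
        atoms = [(attr, _value_to_regex(tok)) for attr, tok in _ATOM.findall(search_filter)]
        return [dn for dn, attrs in self.entries.items()
                if any(rx.match(v) for attr, rx in atoms for v in attrs.get(attr, []))]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeed only if the DN exists and the password matches."""
        entry = self.entries.get(dn)
        return entry is not None and hmac.compare_digest(
            entry["userPassword"].encode(), password.encode())


def authenticate(directory, identifier: str, password: str,
                 template: str = DEFAULT_FILTER, escape: bool = True):
    """Run both steps. Returns (ok, detail); detail belongs in the service log,
    never in the response to the client, which only learns success or failure."""
    if not password:
        # An empty password would turn the simple bind into an unauthenticated bind.
        return False, "empty password rejected before bind"
    dns = directory.search(build_search_filter(template, identifier, escape))
    if not dns:
        return False, f"no directory entry for identifier {identifier!r}"
    if len(dns) > 1:
        return False, f"identifier {identifier!r} is ambiguous ({len(dns)} entries)"
    if not directory.bind(dns[0], password):
        return False, f"bind failed for {dns[0]}"
    return True, dns[0]


# Constructed sample directory (not real accounts).
DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "mail": ["alice@example.com"], "userPassword": "correct horse"},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "mail": ["bob@example.com"], "userPassword": "hunter2"},
})

if __name__ == "__main__":
    for ident, pw in [("alice", "correct horse"), ("ALICE@example.com", "correct horse"),
                      ("alice", "wrong"), ("carol", "x"), ("*", "x"), ("alice", "")]:
        print(f"{ident!r}: {authenticate(DIRECTORY, ident, pw)}")
    print("unescaped '*':", authenticate(DIRECTORY, "*", "x", escape=False))
```

Running the script shows the outcome for each input; the unescaped substitution of `*` resolves to more than one entry and is rejected as ambiguous, while the escaped substitution matches nothing, which is the behaviour a login service should have.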
Again, remember that log files are your friend. They record details of every login attempt and can be used for quick troubleshooting when authentication is not working as expected. If you need more help with configuring LdapAuth, get in touch with us.

What are the three ways to authenticate to an LDAP server?

LDAP v2 defines three types of authentication: anonymous, simple (clear-text password), and Kerberos v4. LDAP v3 supports anonymous, simple, and SASL authentication. SASL is the Simple Authentication and Security Layer (RFC 2222).

What are three common ways for LDAP to authenticate (choose three)?

Simple authentication: this encompasses three possible approaches – anonymous authentication, unauthenticated authentication, and name/password authentication.

How does LDAP authenticate?

In short, a client sends a request for information stored within an LDAP database along with the user's credentials to an LDAP server. The LDAP server then authenticates the credentials submitted by the user against their core user identity, which is stored in the LDAP database.

What is needed for LDAP authentication?

LDAP authentication involves verifying provided usernames and passwords by connecting with a directory service that uses the LDAP protocol. Some directory servers that use LDAP in this manner are OpenLDAP, MS Active Directory, and OpenDJ.