[ale] How LDAP works with authentication

Jason Day jasonday at worldnet.att.net
Wed Oct 12 20:27:42 EDT 2005


On Wed, Oct 12, 2005 at 06:23:24PM -0400, Christopher Fowler wrote:
> Why would you store the plain-text version? 

I'm not talking about storage, I'm talking about authentication.  LDAP
provides an authentication mechanism.  For example, in Java:

import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "bob");   // usually a full DN such as "cn=bob,o=foo"
env.put(Context.SECURITY_CREDENTIALS, "password");   // never "": that becomes an anonymous bind, which succeeds
env.put(Context.PROVIDER_URL, "ldap://ldap.blah.com/O=foo");

try {
    new InitialDirContext(env).close();   // the constructor performs the LDAP bind
}
catch (AuthenticationException e) {
    //... bind rejected: wrong username or password
}
catch (NamingException e) {
    //... no bind attempted: server unreachable or other directory error
}

That's from memory, so it may not be entirely correct.  But, if the
hashtable argument passed to the InitialDirContext constructor contains
the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS keys,
then the LDAP server will authenticate the given user.  If no
AuthenticationException is thrown, then the supplied username and
password are valid.

I don't know what the C API is, but I imagine it's similar.  So, for
your getldappwnam(), in step 2:

>2.  If not and LDAP is configured then exec getldappwnam() and
>    check for 'bob' in central server.

You don't need to retrieve bob's password hash and compare it, you just
send bob's username and password to the LDAP server and let the server
do the authentication.  If you can do SSL, then you can use an SSL LDAP
URL and you don't have to worry about sending the username and password
in plain text to the LDAP server.

-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
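The bind that the Java snippet above performs, as an added illustration that is not part of Jason's mail: it hand-encodes the LDAPv3 simple BindRequest and decodes the server's BindResponse, assuming a constructed DN cn=bob,o=foo and two constructed server replies, and it refuses an empty password, which a server would accept as an anonymous bind.

```python
# Added example, not from the original mail: the LDAPv3 simple-bind exchange that
# the Java snippet triggers, hand-encoded in BER (RFC 4511) so the bytes are visible.
# The DN, password and the two server replies below are constructed for illustration.

def _ber(tag: int, body: bytes) -> bytes:
    """BER TLV with definite length (short and long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    # RFC 4513 s5.1.2: an empty password is an *unauthenticated* bind, which servers
    # answer with success, so it must be rejected here rather than treated as a login.
    if not password:
        raise ValueError("empty password would perform an unauthenticated bind")
    bind = _ber(0x60,                                     # [APPLICATION 0] BindRequest
                _ber(0x02, b"\x03")                       # version INTEGER 3
                + _ber(0x04, dn.encode("utf-8"))          # name LDAPDN
                + _ber(0x80, password.encode("utf-8")))   # [0] simple OCTET STRING
    # messageID kept below 128 so its INTEGER encoding is a single byte
    return _ber(0x30, _ber(0x02, bytes([message_id])) + bind)


def bind_result_code(response: bytes) -> int:
    """resultCode from a BindResponse: 0 = success, 49 = invalidCredentials."""
    if response[0] != 0x30 or response[2] != 0x02:      # LDAPMessage, messageID
        raise ValueError("not an LDAPMessage")
    i = 4 + response[3]                                  # skip messageID TLV
    if response[i] != 0x61:                              # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    i += 2                                               # skip tag + short-form length
    if response[i] != 0x0A:                              # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(response[i + 2:i + 2 + response[i + 1]], "big")


# Constructed server replies: success, and invalidCredentials (49) for a bad password.
BIND_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
BIND_INVALID_CREDENTIALS = bytes.fromhex("300c02010161070a013104000400")

if __name__ == "__main__":
    req = bind_request(1, "cn=bob,o=foo", "password")
    print(req.hex())   # the password is readable in the hex, hence ldaps:// on the wire
```

The request bytes show why the mail recommends an SSL URL: with plain ldap:// the password travels exactly as it appears in the hex dump.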