How does LDAP authentication work?
I have integrated LDAP-based authentication into applications many times.
I just put configs into the libraries and frameworks: the URL (for example ldap.company.com:389), the search base (for example dc=europe,dc=com) and the query pattern (for example (uid=$)).
But I always wonder what the libraries and frameworks actually do to authenticate the user given a login / password.
LDAP seems to have three types of authentication: anonymous, simple password, and SASL. Therefore, sometimes for authentication you also need to enter an application username / password just to access the LDAP service.
I'm not sure whether this blog post answers the question: http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/
- Get a connection to the LDAP server.
- Bind as the application user.
- Find the DN (distinguished name) of the user to authenticate.
- Bind as the user to authenticate, using the DN from step 3.
Is it correct?
It can be summed up as (as a command-line experiment):
# step 2/3: simple (-x) bind, here anonymous, and search for the user's DN
$ ldapsearch -x -h ldap.company.com -s sub -b 'dc=europe,dc=com' "uid=XYZ"
....
dn: uid=XYZ,dc=sales,dc=europe,dc=com
...
# step 4: simple bind (-x) as the found DN, prompting for the user's password (-W)
$ ldapsearch -x -W -h ldap.company.com -D 'uid=XYZ,dc=sales,dc=europe,dc=com' \
    -s sub -b 'dc=europe,dc=com' "uid=XYZ"
Is there any other authentication scheme, like using a DN attribute value as the user's secret? Or is it the userPassword attribute?
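As an added example that is not part of the original question or of the blog post it cites: what a client library actually puts on the wire for the steps above. The bind in steps 2 and 4 and the search in step 3 are just LDAP PDUs (RFC 4511, BER-encoded), and the query pattern `(uid=$)` is filled in as a string before the library parses it into that structured PDU, which is where a login value must be escaped (RFC 4515). The code also refuses to send a bind with an empty password, because RFC 4513 section 5.1.2 defines "DN plus empty password" as an unauthenticated bind that many servers accept as anonymous, which would make step 4 succeed with no password at all. The hostnames, DNs and passwords are made up.

```python
"""Added example: the LDAP PDUs behind bind-as-app, search DN, bind-as-user.

Builds BindRequest and SearchRequest messages byte for byte (RFC 4511) and
escapes filter values (RFC 4515) so that a login such as "*)(uid=*" cannot
turn the pattern "(uid=$)" into a different filter.  DNs are made up.
"""


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form up to 127, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (or ENUMERATED with tag 0x0A) for non-negative values."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(tag, body)


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape the filter metacharacters * ( ) \\ and NUL
    (plus anything outside printable ASCII) as \\XX of the UTF-8 bytes."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\" or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_filter(pattern: str, login: str) -> str:
    """Fill the framework's query pattern, e.g. "(uid=$)", with an escaped login."""
    return pattern.replace("$", escape_filter_value(login))


def _bind_request(message_id: int, dn: str, password: str) -> bytes:
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, simple [0] password }
    bind = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp }
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def anonymous_bind_request(message_id: int) -> bytes:
    """Explicit anonymous bind: empty DN and empty password (ldapsearch -x, no -D)."""
    return _bind_request(message_id, "", "")


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Simple bind as a named DN (what "ldapsearch -x -D dn -W" sends).

    Refuses an empty DN or password: RFC 4513 5.1.2 makes "DN + empty
    password" an unauthenticated bind that servers may accept as anonymous,
    so a login check that forwards an empty password would wrongly succeed.
    """
    if not dn or not password:
        raise ValueError("refusing anonymous/unauthenticated bind for a user login")
    return _bind_request(message_id, dn, password)


def search_request(message_id: int, base_dn: str, attr: str, value: str) -> bytes:
    """SearchRequest for (attr=value), subtree scope, asking for no attributes.

    On the wire the filter is a structured equalityMatch, so the string
    escaping above only matters while the filter is still a string.
    """
    equality = tlv(0xA3, tlv(0x04, attr.encode()) + tlv(0x04, value.encode()))
    req = (tlv(0x04, base_dn.encode())          # baseObject
           + ber_int(2, 0x0A)                   # scope: wholeSubtree (-s sub)
           + ber_int(0, 0x0A)                   # derefAliases: neverDerefAliases
           + ber_int(0)                         # sizeLimit: server default
           + ber_int(0)                         # timeLimit: server default
           + tlv(0x01, b"\x00")                 # typesOnly: FALSE
           + equality                           # filter
           + tlv(0x30, tlv(0x04, b"1.1")))      # attributes: "1.1" = DN only
    return tlv(0x30, ber_int(message_id) + tlv(0x63, req))


if __name__ == "__main__":
    # The four steps as PDUs; the DN in step 4 is what step 3 would have returned.
    print(anonymous_bind_request(1).hex())                               # step 2
    print(search_request(2, "dc=europe,dc=com", "uid", "XYZ").hex())     # step 3
    print(build_filter("(uid=$)", "*)(uid=*"))                           # escaped pattern
    print(simple_bind_request(3, "uid=XYZ,dc=sales,dc=europe,dc=com", "hunter2").hex())  # step 4
```

The anonymous bind encodes to the well-known 14 bytes `30 0c 02 01 01 60 07 02 01 03 04 00 80 00`; a library's step 4 is the same PDU with the found DN and the user's password, and a server's BindResponse resultCode of 0 (success) is the whole "authentication". A simple bind sends the password in clear, so this should only ever be done over LDAPS or after StartTLS.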