Original source: Authentication options | Basic authorization
If you want to use simple binds with user DN and password within a Java component, in order to authenticate users programmatically, in practice one problem arises: most users do not know their DN. Therefore they will not be able to enter it. And even if they know it, typing it would frequently be very laborious because of the length of the DN. It would be easier for a user if s/he only had to provide a short, unique ID and the password, like in a simple login web form.
Usually the ID is an attribute within the user's entry. In our sample data (Seven Seas), each user entry contains the uid attribute, for instance uid=hhornblo for Captain Hornblower:
dn: cn=Horatio Hornblower,ou=people,o=sevenSeas
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
cn: Horatio Hornblower
description: Capt. Horatio Hornblower, R.N
givenname: Horatio
sn: Hornblower
uid: hhornblo
mail: [email protected]
userpassword: {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=
But how to authenticate a user who provides "hhornblo"/"pass" instead of "cn=Horatio Hornblower,ou=people,o=sevenSeas"/"pass" with the help of ApacheDS?
An algorithm
In order to accomplish this task programmatically, one option is to perform the following steps.
Arguments
- uid of a user (e.g. "hhornblo")
- password proclaimed to be correct for the user
Steps
- Bind to ApacheDS anonymously, or with the DN of a technical user. In both cases it must be possible to search the directory afterwards (authorization has to be configured that way)
- Perform a search operation with an appropriate filter to find the user entry for the given ID, in our case "(&(objectClass=inetorgperson)(uid=hhornblo))"
- If the search result is empty, the user does not exist -- terminate
- If the search result contains more than one entry, the given ID is not unique; this is likely a data error within your directory
- Bind to ApacheDS with the DN of the entry found in the previous search, and the password provided as argument
- If the bind operation fails, the password is wrong, and the result is false (not authenticated)
- If the bind is successful, authenticate the user
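The search-then-bind algorithm above, written with JNDI as an added example (not code from the original page or from ApacheDS). It assumes ApacheDS on localhost:10389 with the Seven Seas data under ou=people,o=sevenSeas, passes the uid as a filter argument so JNDI escapes it (a raw "*)(uid=*" would otherwise change the filter), and rejects an empty password before the second bind, because a simple bind with empty credentials is treated as anonymous and would wrongly look like success.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class UidAuthenticator {
    // Assumed deployment: ApacheDS with the Seven Seas sample data.
    private static final String PROVIDER_URL = "ldap://localhost:10389/";
    private static final String BASE_DN = "ou=people,o=sevenSeas";

    /** Returns the DN of the authenticated user, or null if authentication fails. */
    public static String authenticate(String uid, String password) throws NamingException {
        // Empty credentials would make step 2 an anonymous bind (RFC 4513, 5.1.2): refuse early.
        if (uid == null || uid.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }
        // Step 1: anonymous bind, then search for the entry carrying this uid.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        DirContext ctx = new InitialDirContext(env);
        String userDn;
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);   // only the DN is needed
            // {0} is substituted by JNDI with the RFC 2254-escaped uid value.
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN,
                    "(&(objectClass=inetOrgPerson)(uid={0}))", new Object[] { uid }, sc);
            if (!results.hasMore()) return null;        // no such user: terminate
            userDn = results.next().getNameInNamespace();
            if (results.hasMore()) return null;         // uid not unique: data error, refuse
        } finally {
            ctx.close();
        }
        // Step 2: simple bind as the found DN with the password supplied by the user.
        Hashtable<String, String> bindEnv = new Hashtable<>(env);
        bindEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        bindEnv.put(Context.SECURITY_PRINCIPAL, userDn);
        bindEnv.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(bindEnv).close();
            return userDn;                              // bind succeeded: authenticated
        } catch (AuthenticationException e) {
            return null;                                // wrong password
        }
    }
}
```

Other NamingException subclasses (server unreachable, search not permitted) propagate to the caller so that an outage is not reported as a wrong password.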
How to authenticate a user by uid and password?