
Re: OpenLDAP and authentication with Java

I'm assuming that you will be using Java Servlets and/or JSPs because you
said the user enters their uid and password on a web page. With that
assumption in mind, there are a couple of scenarios that you can apply.
Before I start you will have to choose which Java library for LDAP you want
to use.  There are a few options: Netscape's SDK for LDAP located at
http://www.mozilla.org/directory, Java's JNDI interface, or Novell's SDK
for LDAP located at http://www.openldap.org/jldap.  My scenarios assume you
have chosen Netscape's or Novell's.

Scenario 1:
If the LDAP server is not accessible outside of your LAN (i.e. behind a
firewall or on a local subnet not connected to the internet) and your
servlet container and LDAP server are on the same (trusted) LAN, you don't
need SASL.  As a matter of fact it is faster to do without it because you
don't incur the authentication overhead.  This is possible because the
conversation between the servlet and the LDAP server is hidden from the
internet: communication between the servlet and LDAP server is taking place
on your local LAN and subnet.  Once the user enters their uid and password
in the HTML form you have 3 options:
1) Use client side technologies (i.e. JavaScript) to encrypt the password.
   There are free MD5 and SSH hashing algorithms available for JavaScript.
   This assumes of course that the userPassword attribute in the LDAP server
   is already encrypted with the same algorithm that you are using on the
   client side.  It is then safe to submit the form to the servlet or JSP in
   clear text and have the servlet/JSP authenticate the user.
   The actual authentication can be done a couple of ways:
    1) If the user id that the user entered is not in DN form you must
       convert it.  You then can use the SDK to bind as the user using the
       DN form of the user id and the pre-encrypted password.  If the bind
       fails an LDAPException will be thrown.  There are methods on the
       Exception object that will allow you to figure out why the bind
       failed.  Usually it's because either the DN was incorrect (the user
       doesn't exist) or the password was incorrect.

    2) Bind as an entry with administrative rights and do a compare against
       the web user's DN and password.

2) Use SSL between the web server and the client; this takes care of
   encrypting the user name and password as they travel over the internet
   to your Servlet/JSP.  Repeat the process described above.

Scenario 2:
If the LDAP server is accessible via the internet or the servlet container
and LDAP server are on an un-trusted network then you need SASL, which
completely changes the way you authenticate the user depending on the SASL
mechanism that you choose to deploy (i.e. SSL between the LDAP server and
the servlet/JSP).

Dane Foster
Equity Technology Group, Inc
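The "convert the uid to a DN, then bind as that DN" procedure from the reply above, written out with the JNDI interface the reply mentions as one of the library options. This is an added example, not code from either poster or from the OpenLDAP project. The server URL, base DN and service-account DN are placeholders; the read-only service account used for the uid lookup and the LDAP_SERVICE_PW environment variable are assumptions of the example.

```java
// Added example (not from the mailing-list thread): verify a web user's uid
// and password against an LDAP server with JNDI, using the reply's
// "bind as the user" approach. Host, base DN and service account below are
// placeholders, not values from the thread.
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapLogin {

    /** Outcome of a login attempt, the distinctions the original question asked for. */
    public enum Result { OK, UNKNOWN_USER, BAD_PASSWORD, SERVER_ERROR }

    private static final String URL        = "ldaps://ldap.example.com:636";     // placeholder; ldaps = SSL to the LDAP server
    private static final String BASE_DN    = "ou=people,dc=example,dc=com";      // placeholder
    private static final String SERVICE_DN = "cn=websearch,dc=example,dc=com";   // placeholder read-only lookup account (assumed)
    private static final String SERVICE_PW = System.getenv("LDAP_SERVICE_PW");   // assumed deployment setting

    /** Open a connection with a simple bind as the given DN. */
    private static DirContext connect(String bindDn, String password) throws NamingException {
        // An empty password turns a simple bind into an anonymous/unauthenticated
        // bind, which the server accepts without checking anything. Never send one.
        if (password == null || password.isEmpty()) {
            throw new NamingException("refusing bind with empty password for " + bindDn);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Step 1: map the uid typed into the form to its DN, using the read-only service account. */
    static String lookupDn(String uid) throws NamingException {
        DirContext ctx = connect(SERVICE_DN, SERVICE_PW);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);   // we only need the entry's DN
            // {0} is substituted with LDAP filter escaping applied, so form input
            // cannot change the structure of the filter.
            NamingEnumeration<SearchResult> hits =
                ctx.search(BASE_DN, "(uid={0})", new Object[] { uid }, sc);
            if (!hits.hasMore()) return null;
            String dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) return null;            // ambiguous uid: treat as unknown
            return dn;
        } finally {
            ctx.close();
        }
    }

    /** Step 2: bind as the user's DN; the server checks the password against userPassword
     *  in whatever hashed form it stores, so the servlet never needs to know the scheme. */
    public static Result authenticate(String uid, String password) {
        if (password == null || password.isEmpty()) return Result.BAD_PASSWORD;
        try {
            String dn = lookupDn(uid);
            if (dn == null) return Result.UNKNOWN_USER;
            DirContext userCtx = connect(dn, password);
            userCtx.close();                            // bind succeeded; nothing else needed
            return Result.OK;
        } catch (AuthenticationException e) {
            return Result.BAD_PASSWORD;                 // LDAP resultCode 49, invalidCredentials
        } catch (NamingException e) {
            return Result.SERVER_ERROR;                 // unreachable server, TLS failure, etc.
        }
    }

    public static void main(String[] args) {
        System.out.println(authenticate(args[0], args[1]));
    }
}
```

Two points worth noting about the design. The bind alone cannot tell "unknown DN" from "wrong password": servers deliberately return invalidCredentials for both, so the separate lookup step is what makes UNKNOWN_USER distinguishable, and that distinction should go to the server log rather than to the login page, where it would let anyone confirm which uids exist. And because the lookup uses a dedicated read-only account rather than an administrative one, a compromise of the servlet's configuration does not hand out write access to the directory.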
----- Original Message -----
From: "Marc Petitmermet" <petitmermet@ifp.mat.ethz.ch>
To: <openldap-software@OpenLDAP.org>
Sent: Wednesday, October 17, 2001 1:23 PM
Subject: OpenLDAP and authentication with Java


I am looking for a server side Java program (Jndi?) which allows me
to verify a user. The user enters his uid and password (both in
cleartext) on a web page. Now I should verify if the user exists or
not and if yes if the given password is correct or not. And, of
course, connections should be secure (SASL/SSL).

Now I read in the archive: "What I do in my authentication page,
is ask for the uid and the password, then do an ldap bind according to this
if the bind works, i'm authentified. Else, I have a "no authorization"
page. I think this is a good method as I don't have to care how password
encrypted in LDAP." (Prune)

Does this really work? If the bind works, I'm authentified? That's it?
Can I have some more detailed responses such as wronguid,
wrongpasswd, privileged (if everything is correct)?

If anybody can confirm the above or even has some good links for
additional infos or Java program examples I would be very glad.


Dr. Marc Petitmermet, IT Support Group Member, Institute for Polymers (IfP)
Unix, Linux, WWW, SEPP - Working hours: Wednesday p.m., Thursday and Friday
Universitaetstrasse 6, CNB C90.3, ETH Zentrum, CH-8092 Zuerich, Switzerland
Phone: +41-1-633 61 06, petitmermet@ifp.mat.ethz.ch, http://www.mat.ethz.ch