发表新帖
发表新帖

How to check a username/password combination?

后端 未结
关注
4 1405
花落未央
花落未央 2020-12-30 22:45

Using LDAP is checking a username/password as simple as attempting to bind as that user and noting the results, or is there a special LDAP \"check password\" function?

相关标签:
4条回答
  • 闹比i
    2020-12-30 23:28

    LDAP supports a compare of userPassword. You send the password, the server does the compare and returns true or false. This is the not-requiring a login way to authenticate users.

    0 讨论(0)
  • 盖世英雄少女心
    2020-12-30 23:39

    Binding as that user is sufficient. The password is checked in the process of binding.

    0 讨论(0)
  • 南方客
    2020-12-30 23:42

    Look into the WhoAmI Extended Operation (RFC 4532).

    WhoAmI serves one purpose really - validate submitted bind credentials. It should not affect nor provoke any "login restrictions" (that I know of).

    WhoAmI can be done using a dedicated binary (such as "ldapwhoami"), or it can be done using Net::LDAP::Extension::WhoAmI (Perl) or some other such language that supports LDAP operations. Do note that "testing a password" using some "Search" function is an ill-advised test method.

    For example, if my DN is "uid=max,ou=users,dc=company,dc=com" and my password is "@secret", one could do this via the dedicated binary on a Linux box (note -ZZ is used for TLS confidentiality, which is possibly unsupported or optional in your environment):

    ldapwhoami -x -w "@secret" -D uid=max,ou=users,dc=company,dc=com -ZZ -H ldap://address.of.your.ldapserver/

    If the user/pass combination is correct, the answer returned is:

    dn:uid=max,ou=users,dc=company,dc=com

    If the user/pass combination is NOT correct, the answer returned is (usually):

    (49) Invalid Credentials

    This could mean, as I said, the password and/or username is wrong, the user does not exist, or the LDAP server's ACLs are broken in such a way that authentication is not possible. More often than not, its the user/pass combo being mistyped, or the user not existing.

    In closing, the LDAPWhoAmI operation is a very lightweight and simple method of validating credentials. It also works via other mechanisms too (e.g: Kerberos Single Sign-On, Digest-MD5, etc etc).

    0 讨论(0)
  • 故里飘歌
    2020-12-30 23:42

    Watch out using bind for checking username/password, on some systems it will count as a login, and with login restrictions it might fail.

    Using compare is a better option for just checking the password.

    0 讨论(0)
 看不清?
提交回复
热议问题