Question
A client asked us if we support LDAP authentication for Single Sign-On (SSO). I Googled around and learnt a bit about LDAP.
However, I don't understand whether I should run the bind operation on some credentials that will be given to me as the app and then look for the user that tried to log in, or whether I should call bind on the credentials the user attempts to log in with through our app and, as long as the credentials are valid, consider that the user is logged in.
Thank you.
Answer 1:
It's done in three steps:
1. Bind as an administrative user that has enough permission to search the directory.
2. Search the directory for the user. This is necessary because the user won't be providing his entire DN: he will be providing something else unique about himself, such as his email address, a 'screen name'/moniker/alias, etc.
3. Bind as that user using the password credential supplied.
If any of these steps fails, including (2), it's a login failure, and note that you don't tell the user which step failed: you don't tell him 'no such user' or 'invalid password'. You just tell him 'invalid credentials' or similar in both cases. Otherwise you're leaking information to an attacker.
Source: https://stackoverflow.com/questions/42706454/username-and-password-for-ldap-authentication
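The three-step flow from the answer (service-account bind, search for the user's DN, bind as the user), written out as an added example that is not from the original post or from any LDAP library. It runs against an abstract directory interface plus a constructed in-memory stand-in, so nothing here talks to a real server; the entries, DNs and passwords are made up. Beyond the answer's steps it adds two checks a practitioner would want: the identifier the user typed is escaped per RFC 4515 before it goes into the search filter (otherwise `*` or `)` in the input rewrites the query), and an empty password is refused up front, because RFC 4513 section 5.1.2 defines a bind with an empty password as an unauthenticated bind that some servers accept. The detailed failure reason goes only to an audit callback; the caller always sees the same message.

```python
"""Three-step LDAP login (service bind, search, user bind) against an abstract
directory interface, with a constructed in-memory stand-in so it runs offline."""
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Protocol

# One message for every failure mode, so a caller cannot tell
# "no such user" from "wrong password".
GENERIC_FAILURE = "invalid credentials"


class AuthError(Exception):
    """Raised on any login failure; str(err) is always GENERIC_FAILURE."""


class Directory(Protocol):
    """Minimal view of an LDAP client. A real deployment would back this with a
    library (e.g. ldap3's Connection.bind() / Connection.search()); the fake below
    is an assumption used only to make the example runnable."""
    def bind(self, dn: str, password: str) -> bool: ...
    def search(self, base_dn: str, ldap_filter: str) -> list: ...


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape the characters that are special inside a search
    filter so user input is matched literally (this is what blocks LDAP injection)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def authenticate(directory: Directory, *, service_dn: str, service_password: str,
                 base_dn: str, login_id: str, password: str, id_attr: str = "mail",
                 audit: Callable[[str], None] = lambda reason: None) -> str:
    """Return the user's DN on success; raise AuthError(GENERIC_FAILURE) otherwise."""
    def fail(reason: str) -> None:
        audit(reason)                      # real reason: server-side log only
        raise AuthError(GENERIC_FAILURE)   # user-facing: always the same text

    # Step 0: an empty password is an "unauthenticated bind" (RFC 4513 5.1.2)
    # that some servers accept, so it must never reach the bind call.
    if not password:
        fail("empty password")
    # Step 1: bind as the application's own service account.
    if not directory.bind(service_dn, service_password):
        fail("service bind failed (check application configuration)")
    # Step 2: find exactly one entry for the identifier the user typed.
    ldap_filter = f"(&(objectClass=person)({id_attr}={escape_filter_value(login_id)}))"
    matches = directory.search(base_dn, ldap_filter)
    if len(matches) != 1:
        fail(f"{len(matches)} entries matched {ldap_filter}")
    user_dn = matches[0]
    # Step 3: bind as that user with the password they supplied.
    if not directory.bind(user_dn, password):
        fail(f"user bind failed for {user_dn}")
    return user_dn


def _filter_value_regex(value: str) -> "re.Pattern":
    """RFC 4515 assertion value -> regex: an unescaped '*' is a substring
    wildcard, '\\XX' is one literal character."""
    parts, i = [], 0
    while i < len(value):
        if value[i] == "*":
            parts.append(".*"); i += 1
        elif value[i] == "\\" and i + 3 <= len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16)))); i += 3
        else:
            parts.append(re.escape(value[i])); i += 1
    return re.compile("".join(parts))


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server (assumption, not a real server).
    It deliberately models a server that treats an empty password as a
    successful anonymous bind."""
    entries: dict  # dn -> attribute dict, including a cleartext userPassword

    def bind(self, dn: str, password: str) -> bool:
        if password == "":
            return True  # unauthenticated bind "succeeds": the reason for step 0
        entry = self.entries.get(dn)
        return entry is not None and secrets.compare_digest(
            entry["userPassword"].encode(), password.encode())

    def search(self, base_dn: str, ldap_filter: str) -> list:
        m = re.fullmatch(r"\(&\(objectClass=person\)\((\w+)=(.*)\)\)", ldap_filter)
        if not m:
            raise ValueError("fake directory only understands authenticate()'s filter shape")
        attr, pattern = m.group(1), _filter_value_regex(m.group(2))
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base_dn) and e.get("objectClass") == "person"
                and pattern.fullmatch(e.get(attr, ""))]


# Constructed sample directory (made-up DNs and passwords).
BASE_DN = "ou=people,dc=example,dc=com"
SERVICE_DN = "cn=app,ou=services,dc=example,dc=com"
SERVICE_PASSWORD = "s3rv1ce-secret"
DIRECTORY = FakeDirectory({
    SERVICE_DN: {"objectClass": "applicationProcess", "userPassword": SERVICE_PASSWORD},
    "uid=alice,ou=people,dc=example,dc=com":
        {"objectClass": "person", "mail": "alice@example.com", "userPassword": "correct horse"},
    "uid=bob,ou=people,dc=example,dc=com":
        {"objectClass": "person", "mail": "bob@example.com", "userPassword": "battery staple"},
})


def login_result(login_id: str, password: str):
    """(user_dn or None, message shown to the user or None, internal audit reasons)."""
    reasons = []
    try:
        dn = authenticate(DIRECTORY, service_dn=SERVICE_DN, service_password=SERVICE_PASSWORD,
                          base_dn=BASE_DN, login_id=login_id, password=password,
                          audit=reasons.append)
        return dn, None, reasons
    except AuthError as err:
        return None, str(err), reasons


if __name__ == "__main__":
    for attempt in [("alice@example.com", "correct horse"), ("alice@example.com", "nope"),
                    ("carol@example.com", "x"), ("alice@example.com", ""), ("*", "correct horse")]:
        print(attempt[0], "->", login_result(*attempt))
```

With a real client, `escape_filter_value` is the part most often forgotten; ldap3 ships the same function as `ldap3.utils.conv.escape_filter_chars`, and the search should also be restricted to one base DN and one identifying attribute rather than accepting a caller-supplied filter. The service account only needs read access to that attribute on user entries, and its bind failure is an operational error worth alerting on, even though the user still just sees "invalid credentials".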