Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to check a username/password combination?

Tags:

ldap

Using LDAP is checking a username/password as simple as attempting to bind as that user and noting the results, or is there a special LDAP "check password" function?

I'm trying to get a bit more "behind the scenes" understanding while working on a messy LDAP repository setup issue.

(Note: This is for situations in which the password is not stored as a hash in a custom property; that situation is easy to manage)

like image 687
DrStalker Avatar asked Nov 01 '10 02:11

DrStalker

People also ask

What do you call username and password together?

User credentials are typically a username and password combination used for logging in to online accounts.

What is password combination?

The combination of several will produce a strong password. Use a mix of alphabetical and numeric characters. Use a mixture of upper- and lowercase; passwords are case sensitive. Use symbols if the system allows (spaces shouldn't be used as some applications may trim them away)

2 Answers

LDAP supports a compare of userPassword. You send the password, the server does the compare and returns true or false. This is the not-requiring a login way to authenticate users.

like image 163
geoffc Avatar answered Oct 07 '22 01:10

geoffc

Look into the WhoAmI Extended Operation (RFC 4532).

WhoAmI serves one purpose really - validate submitted bind credentials. It should not affect nor provoke any "login restrictions" (that I know of).

WhoAmI can be done using a dedicated binary (such as "ldapwhoami"), or it can be done using Net::LDAP::Extension::WhoAmI (Perl) or some other such language that supports LDAP operations. Do note that "testing a password" using some "Search" function is an ill-advised test method.

For example, if my DN is "uid=max,ou=users,dc=company,dc=com" and my password is "@secret", one could do this via the dedicated binary on a Linux box (note -ZZ is used for TLS confidentiality, which is possibly unsupported or optional in your environment):

ldapwhoami -x -w "@secret" -D uid=max,ou=users,dc=company,dc=com -ZZ -H ldap://address.of.your.ldapserver/

If the user/pass combination is correct, the answer returned is:

dn:uid=max,ou=users,dc=company,dc=com

If the user/pass combination is NOT correct, the answer returned is (usually):

(49) Invalid Credentials

This could mean, as I said, the password and/or username is wrong, the user does not exist, or the LDAP server's ACLs are broken in such a way that authentication is not possible. More often than not, its the user/pass combo being mistyped, or the user not existing.

In closing, the LDAPWhoAmI operation is a very lightweight and simple method of validating credentials. It also works via other mechanisms too (e.g: Kerberos Single Sign-On, Digest-MD5, etc etc).

like image 44
maximum ldap Avatar answered Oct 07 '22 01:10

maximum ldap
Sign in to Comment

Related questions

How secure is your password in LDAP?
How are nested groups in LDAP normally implemented?
Need help ignoring server certificate while binding to LDAP server using PHP
How to convert LDAP timestamp to Unix timestamp
Is LDAP obsolete?
Java, LDAP: Make it not ignore blank passwords?
How to escape a string in C#, for use in an LDAP query
LDAP: How to return more than 1000 results (java)
LDAP Support for the new Authentication System in VS2013 (based on owin (owin.org) )
Preventing LDAP injection
LDAP vs SAML Authorization
LDAP Operations error
Java LDAP Authentication using username and password
LDAP server which is my base dn
Active Directory LDAP Query by sAMAccountName and Domain
Ldap filter for attribute that may not exist
.Net's Directory Services throws a strange exception
using wildcards in LDAP search filters/queries
Active Directory vs OpenLDAP
Using AD as authentication for Django

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!