Is LDAP binding account required for user authentication?

I am making a portal for my organization in which I want the user to log in to that portal with their organization account's ID and password.

For this purpose I am using LDAP authentication with Java.

After reading through quite a few articles, I found the following steps for authentication:

  1. bind to LDAP server using some binding or technical account

  2. search for the user details in LDAP server who is trying to log in

  3. try to bind to server again with user's Distinguished name and password.

Question 1: Is that all?

Is the above process exactly correct, or am I missing some info, as I am a novice programmer? And what does binding mean conceptually?

Question 2: Why use a bind account?

I wonder what the need of a binding account is? If I directly try to bind to the LDAP server with the user's credentials and it is successful, can I then give him access?

I have the JXplorer tool, in which I am able to connect to the LDAP server with my own organization's credentials. So I was thinking, what is the need of first binding to the LDAP server with some other account?

mihir S asked Aug 27 '14 05:08


1 Answer

Question 1 - Is the above process exactly correct?

Yes.

Question 2 - I wonder what is the need of a binding account?

Yes. You need to search the directory to find the user DN, and you don't want the general unauthenticated public to be able to search the directory.

If I directly try to bind to the LDAP server with the user's credentials and it is successful, can I then give him access?

You don't have the user's credentials to start with. You have his login name, or email address, or CN, or something that he uses to identify himself, but which is only an attribute of some entry. You need to find that entry and get its DN for authentication.

I have the JXplorer tool in which I am able to connect to the LDAP server with my own organization's credentials. So I was thinking, what is the need of first binding to the LDAP server with some other account?

See above. You don't want the user to have to remember his entire DN the way you do with JXplorer.

user207421 answered Sep 28 '22 08:09
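The three steps listed in the question (bind with a service account, search for the user's entry, bind again as the user), together with the reasoning in the answer (the service account exists only so the directory can be searched without opening it to anonymous clients; the second bind is what actually proves the password), as an added Java/JNDI example that is not part of the original question or answer. The server URL, the service-account and base DNs, the `uid` login attribute, the `LDAP_SERVICE_PASSWORD` environment variable and the class and method names are all assumptions for the sake of illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Bind-search-bind login against an LDAP directory using JNDI.
 * Every hostname, DN and attribute name below is an assumed placeholder.
 */
public class LdapLogin {

    // Assumed: LDAPS (or StartTLS) so the passwords never cross the wire in clear text.
    private static final String LDAP_URL = "ldaps://ldap.example.com:636";
    // Assumed: a read-only service account that is only allowed to search the user subtree.
    private static final String SERVICE_DN = "cn=portal-svc,ou=services,dc=example,dc=com";
    private static final String SERVICE_PASSWORD = System.getenv("LDAP_SERVICE_PASSWORD");
    private static final String USER_BASE_DN = "ou=people,dc=example,dc=com";
    // Assumed login attribute; an Active Directory forest would typically use sAMAccountName.
    private static final String LOGIN_ATTRIBUTE = "uid";

    /** Simple bind as the given DN. Throws AuthenticationException on a wrong password. */
    private static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /**
     * Step 2: resolve the login name to a DN using the service account.
     * Returns null unless exactly one entry matches.
     */
    private static String findUserDn(DirContext serviceCtx, String login) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]); // only the DN is needed
        controls.setCountLimit(2);                       // enough to detect an ambiguous match

        // {0} is substituted and escaped by the JDK's JNDI provider, so the login name
        // cannot change the filter's structure (no string concatenation of user input).
        NamingEnumeration<SearchResult> results = serviceCtx.search(
                USER_BASE_DN, "(" + LOGIN_ATTRIBUTE + "={0})", new Object[]{login}, controls);
        try {
            if (!results.hasMore()) {
                return null;                             // unknown user
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                return null;                             // ambiguous: refuse rather than guess
            }
            return dn;
        } finally {
            results.close();
        }
    }

    /** Steps 1 to 3. Returns the user's DN on success, null on any failure. */
    public static String authenticate(String login, String password) {
        // RFC 4513 treats a DN with an empty password as an *unauthenticated* bind, which
        // many servers accept as success; never let an empty password reach the directory.
        if (login == null || login.isEmpty() || password == null || password.isEmpty()) {
            return null;
        }
        try {
            String userDn;
            DirContext serviceCtx = bind(SERVICE_DN, SERVICE_PASSWORD);   // step 1
            try {
                userDn = findUserDn(serviceCtx, login);                  // step 2
            } finally {
                serviceCtx.close();
            }
            if (userDn == null) {
                return null;
            }
            bind(userDn, password).close();                              // step 3
            return userDn;
        } catch (AuthenticationException wrongPassword) {
            return null;   // wrong password for the service account or the user
        } catch (NamingException directoryProblem) {
            return null;   // unreachable server, bad base DN, ...; log this in real code
        }
    }

    public static void main(String[] args) {
        String dn = authenticate(args[0], args[1]);
        System.out.println(dn == null ? "login failed" : "authenticated as " + dn);
    }
}
```

Run it as `java LdapLogin <login> <password>` against a directory where the placeholders have been replaced. Two details matter for a portal: the service account should have no rights beyond reading the user subtree, since its password lives in the application's environment; and the filter must be built with JNDI's `{0}` substitution rather than concatenation, so a login name containing `*`, `(` or `)` is matched literally instead of widening the search.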