I'm interested in how other people code this because I'm either not understanding it properly or I'm missing something or perhaps even I'm doing it right!
First of all, this is NOT an Active Directory instance of LDAP; it's OpenDS, which, other than some syntactical differences, shouldn't much matter.
So assume I have my tree structure setup something like this:
    -dc=somedomain,dc=com
        -uid=rootuser
        -ou=Group1
            -uid=username1
            -uid=username2
        -ou=Group2
            -uid=username3
            -uid=username4
In order to authenticate as the 'rootuser' I would need to pass the fully qualified username when I create my System.DirectoryServices.DirectoryEntry object, in this case:

    uid=rootuser,dc=somedomain,dc=com
but for any other user in the tree I have to know in advance what LDAP path to append to the username to have them authenticate through. So for example this will fail:

    uid=username1,dc=somedomain,dc=com

but this will work:

    uid=username1,dc=somedomain,dc=com,ou=Group1
So my question is how do you handle this when you don't know at login time what specific group a user belongs to, in order to build that path? The only way I can figure to do it is to make the initial call as 'rootuser' so I have access to the entire tree, then use System.DirectoryServices.DirectorySearcher to scan it for that particular user (i.e. username1):

    using (DirectorySearcher searcher = GetDirectorySearcher()) {
        // userName must be escaped per RFC 4515 before it is placed in the filter
        searcher.Filter = "(&(objectClass=person)(uid=" + userName + "))";
        SearchResult result = searcher.FindOne();
        if (result == null) return null; // no such user
        return result.GetDirectoryEntry().Path;
    }
At that point I have the path for the user I want to log in and I can proceed with the actual auth. Am I way off base here or is this generally how it is done?
Thanks!
You build a search filter on attributes that are unique to the user, e.g. screen-name, e-mail. Make sure LDAP is configured to ensure they are unique. Then you find the corresponding entry if any, get the DN, and rebind as that user with the appropriate password. If there was no such entry you react accordingly.
You don't say what language you are using, but in JNDI that means setting the DN as the security principal, the password as the credentials, and calling LdapContext.reconnect().
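The search-then-rebind flow that the question sketches and the answer describes, written out as an added example in C# against System.DirectoryServices (the API the question uses). This is not code from the asker or answerer. It assumes an OpenDS server reachable over LDAPS at the placeholder URL `LDAP://ldap.somedomain.com:636`, a read-only service account (`rootuser` in the question) whose DN and password are supplied by the caller, and a `uid` attribute that the directory enforces as unique. The two points the original snippet leaves out are covered: the user-supplied name is escaped per RFC 4515 so it cannot rewrite the filter, and an empty password is rejected before binding, because a simple bind with an empty password is treated as anonymous by many servers and would "succeed".

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

public static class LdapLogin
{
    // Escape an assertion value per RFC 4515 so that login input such as "*"
    // or ")(uid=rootuser" cannot change the meaning of the search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Step 1: bind as the service account and locate the user's DN anywhere under baseDn.
    // Returns null when there is no match, or more than one (uid is assumed unique).
    public static string FindUserDn(string serverUrl, string baseDn,
                                    string serviceDn, string servicePassword, string userName)
    {
        using (var root = new DirectoryEntry(serverUrl + "/" + baseDn, serviceDn, servicePassword,
                                             AuthenticationTypes.SecureSocketsLayer))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = "(&(objectClass=person)(uid=" + EscapeFilterValue(userName) + "))";
            searcher.SizeLimit = 2; // enough to tell "exactly one" from "more than one"
            using (SearchResultCollection results = searcher.FindAll())
            {
                if (results.Count != 1) return null;
                // Path looks like "LDAP://host:636/uid=username1,ou=Group1,dc=somedomain,dc=com";
                // strip the scheme and host part to get the bare DN for the rebind.
                string path = results[0].Path;
                int slash = path.IndexOf('/', "LDAP://".Length);
                return slash < 0 ? null : path.Substring(slash + 1);
            }
        }
    }

    // Step 2: rebind with the discovered DN and the password the user typed.
    public static bool Authenticate(string serverUrl, string baseDn,
                                    string serviceDn, string servicePassword,
                                    string userName, string password)
    {
        // An empty password would be an anonymous simple bind and "succeed" on many
        // servers, so reject it before contacting the directory at all.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;

        string userDn = FindUserDn(serverUrl, baseDn, serviceDn, servicePassword, userName);
        if (userDn == null) return false; // unknown or ambiguous user: same answer as bad password

        try
        {
            using (var user = new DirectoryEntry(serverUrl + "/" + userDn, userDn, password,
                                                 AuthenticationTypes.SecureSocketsLayer))
            {
                // DirectoryEntry binds lazily; reading NativeObject forces the bind,
                // which throws if the server rejects the credentials.
                return user.NativeObject != null;
            }
        }
        catch (COMException)
        {
            return false; // invalid credentials, locked account, server unreachable, ...
        }
    }
}
```

Usage: `LdapLogin.Authenticate("LDAP://ldap.somedomain.com:636", "dc=somedomain,dc=com", "uid=rootuser,dc=somedomain,dc=com", servicePassword, "username1", typedPassword)` returns `true` only when exactly one `person` entry with that `uid` exists under the base DN and a simple bind as that DN with the typed password succeeds. The service account only needs read access to `uid` and `objectClass` under the base DN, and returning the same `false` for "no such user" and "wrong password" keeps the login form from confirming which usernames exist.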