Ldap – How LDAP authentication works

ldap

I have read a fairly good amount of info about LDAP but there's something I don't understand.

Let's suppose I have a J2EE app that is capable of both authenticating local users or LDAP users (mutually exclusive alternatives). After I specify LDAP server ip address, base DN and connection DN and password in the app, now my users can log in using their LDAP info.

Now, suppose "myuser" with password "mypassword" logs into the application. What of the following occurs?

  1. The app receives the login request, then binds to LDAP using its very own credentials, looks up the entry for "myuser", compares "mypassword" with the password stored in the LDAP directory for the matching entry, and then allows or rejects the access.

  2. The app receives the login request, then passes the "myuser" and "mypassword" credentials to LDAP (as bind DN and password) and, depending on the response received for the bind operation, allows or rejects the user.

How does it really work?

Best Answer

As I understand it (and I'm not an expert on these matters) it's more like 1 than 2, but not exactly so. The app receives the login request. It binds to LDAP using its own credentials, the password being transmitted in the clear (which is why LDAPS, or LDAP that escalates via TLS, is a good idea). These credentials must be sufficiently privileged for the LDAP server to permit a search for various stored parameters relating to myuser's account, including the stored, hashed user password.

The app then hashes mypassword, as presented by the user, and compares it to the hash returned from LDAP. If they match, it knows the credentials presented are good, and myuser is authenticated; if not, then not.
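Both flows from the question, as an added example that is not part of the original post or answer. The directory is a constructed in-memory stand-in for the LDAP server (the DNs, the `mayReadPasswords` ACL flag and the app's connection password are all made up here); the one real piece is the `{SSHA}` scheme (base64 of SHA-1 over password plus salt, followed by the salt), which is the format OpenLDAP and many other directories use for the `userPassword` attribute. `login_option_1` does what the answer describes (bind as the app, read the stored hash, compare locally); `login_option_2` binds as the app only to resolve the user's DN and then binds as that DN so the server does the comparison.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# {SSHA} = base64( sha1(password + salt) + salt ); the salted-SHA-1 scheme
# used for the userPassword attribute by OpenLDAP and many other servers.
def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a presented password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Constructed in-memory "directory" standing in for the LDAP server (made-up data).
APP_DN = "cn=app,ou=services,dc=example,dc=com"
APP_PW = "app-connection-secret"
DIRECTORY = {
    APP_DN: {
        "userPassword": ssha_hash(APP_PW),
        "mayReadPasswords": True,    # hypothetical ACL: may read others' userPassword
    },
    "uid=myuser,ou=people,dc=example,dc=com": {
        "uid": "myuser",
        "userPassword": ssha_hash("mypassword"),
        "mayReadPasswords": False,
    },
}

def simple_bind(dn: str, password: str) -> bool:
    """Server side of an LDAP simple bind: the server verifies the password itself."""
    entry = DIRECTORY.get(dn)
    return entry is not None and ssha_verify(password, entry["userPassword"])

def search_by_uid(bound_dn: str, uid: str):
    """Server side of a (uid=...) search. Returns (dn, visible_attributes) or None.
    Which attributes come back depends on the ACL of the bound identity."""
    for dn, entry in DIRECTORY.items():
        if entry.get("uid") == uid:
            visible = dict(entry)
            if not DIRECTORY[bound_dn]["mayReadPasswords"]:
                visible.pop("userPassword", None)
            return dn, visible
    return None

def login_option_1(uid: str, password: str) -> bool:
    """Option 1: bind as the app, read the stored hash, compare in the application."""
    if not simple_bind(APP_DN, APP_PW):
        return False
    found = search_by_uid(APP_DN, uid)
    if found is None:
        return False
    _, entry = found
    stored = entry.get("userPassword")
    return stored is not None and ssha_verify(password, stored)

def login_option_2(uid: str, password: str) -> bool:
    """Option 2: bind as the app only to find the user's DN, then bind as that DN
    with the presented password; the server does the comparison and the hash never
    leaves the directory."""
    if not simple_bind(APP_DN, APP_PW):
        return False
    found = search_by_uid(APP_DN, uid)
    if found is None:
        return False
    user_dn, _ = found
    return simple_bind(user_dn, password)

if __name__ == "__main__":
    for flow in (login_option_1, login_option_2):
        print(flow.__name__, flow("myuser", "mypassword"), flow("myuser", "wrong"))
```

The practical difference is visible in `search_by_uid`: option 1 only works if the app's connection account is allowed to read `userPassword`, which is a read-everyone's-hash privilege worth auditing; option 2 needs only permission to search for the DN, and a directory that never hands out `userPassword` still works with it.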
