LDAP user authentication

Maulin Vasavada
Ranch Hand

Joined: Nov 04, 2001
Posts: 1871
Hi all,
I'm a little confused about the following.
I am familiar with authenticating a user using his login/password with the database, but now considering LDAP, how can I do a similar thing?
In the database I have a table,
Users (userid, password, fname, lname);
I want to migrate this database to LDAP (assuming I have the resources to configure the LDAP server and change the LDAP schema or whatever to the point I need), so that when a user logs in I can pass the username/password to the program and check whether the user is valid or not against the LDAP.
How do I do that?
I'm confused, as I saw the example in SUN's JNDI tutorial at this site, but from that example it seems the LDAP server has the CREDENTIALS information somewhere other than the LDAP hierarchy itself (the DIT, I mean)...
What I want to have is
a DIT such as o=myorg,user=me,password=personal,lname=vasavada,fname=maulin sort of LDAP storage, and then check against that DIT when the user logs in...
Please let me know if I am not making any sense here.
regards
maulin
Cindy Glass
"The Hood"
Sheriff

Joined: Sep 29, 2000
Posts: 8521
The slapd.conf holds some configuration information for your LDAP installation. One of the things that it has is a credentials attribute that holds the administrative password to the server.
If you don't have the proper credentials, you can't update an entry in the LDAP.


"JavaRanch, where the deer and the Certified play" - David O'Meara
Maulin Vasavada
Ranch Hand

Joined: Nov 04, 2001
Posts: 1871
Hi Cindy,
Okay, so more questions:
1. If I want to update LDAP content (e.g. change the home address for some user) I need an authorized password to be provided in SECURITY_CREDENTIALS, assuming we are using Simple authentication.
Now, this "authorized" password would follow the ACL defined by the LDAP server. So if two users - Admin1 and SuperUser1 - are authorized to update some node in the DIT (and its children), then I have to use either of those two as SECURITY_CREDENTIALS, right?
2. If I want to just "read" the content in the LDAP (to list all users or a profile for a particular user), then the SECURITY_CREDENTIALS I use would also go through the ACL as in the first step, right? So, if "only" Admin1 and SuperUser1 are assigned rights to even "read" any user profile, then I have to use either of those two...
3. Do users, by default, have "read" rights to their profile node in LDAP?
E.g. if I'm a user=maulin in LDAP (not an admin in any sense) and I have a node for myself, that is,
o=usa, ou=ca, ou=la, cn=maulin (though it should be read in reversed order as per LDAP convention), then
can I use my password to query my data in LDAP via a JNDI program?

Hope I make more sense now.
The problem is I've never been an LDAP admin (or any other admin in any respect), so I see LDAP from the end-user perspective of someone who needs to use LDAP via JNDI and build an application that can manage user profiles...
regards
maulin
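
The self-bind that question 3 above asks about, as an added example that is not part of the original thread: the program puts the user's own DN and password into SECURITY_PRINCIPAL and SECURITY_CREDENTIALS, so the server itself checks the password, and whether the read that follows succeeds is decided by the server's ACLs. The server URL, the DN pattern (modelled on the post's cn=maulin node), the login-name rule and the attribute names are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapBindCheck {
    // Assumed values. A simple bind sends the password as-is, so the URL uses ldaps.
    static final String LDAP_URL = "ldaps://ldap.example.org:636";
    static final String USER_DN_PATTERN = "cn=%s,ou=la,ou=ca,o=usa";

    /** Returns the user's own entry if the bind succeeds, null if the login is rejected. */
    static Attributes authenticate(String user, char[] password) throws NamingException {
        // An empty password turns a simple bind into an unauthenticated bind,
        // which some servers accept; reject it before contacting the server.
        if (password == null || password.length == 0) return null;
        // Restrict the login name so it cannot change the structure of the DN.
        if (user == null || !user.matches("[A-Za-z0-9._-]{1,64}")) return null;
        String userDn = String.format(USER_DN_PATTERN, user);

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            // Reading the user's own node is subject to the server's ACLs; if they
            // deny self-read, this throws a NamingException even though the bind worked.
            return ctx.getAttributes(userDn, new String[] {"cn", "sn", "givenName"});
        } catch (AuthenticationException e) {
            return null; // wrong password or unknown DN
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Run from a terminal: System.console() is null when input is redirected.
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        Attributes attrs = authenticate(args[0], pw);
        System.out.println(attrs == null ? "login rejected" : "login ok: " + attrs);
    }
}
```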
Maulin Vasavada
Ranch Hand

Joined: Nov 04, 2001
Posts: 1871
Hi Cindy,
Also, I am not sure if all of these would be better answered in the "Security" forum... if you feel so, you can put this little novice kid amidst the "big security guards" to feel scared (just kidding...)
And thanks for the help so far...
regards
maulin
Cindy Glass
"The Hood"
Sheriff

Joined: Sep 29, 2000
Posts: 8521
The programmer needs to provide the password (hopefully encrypted) in the class that wants to read or update the LDAP data. REAL people don't use that field.
Now that you mention it you might get better answers in that forum.
OK - I will move this.
Maulin Vasavada
Ranch Hand

Joined: Nov 04, 2001
Posts: 1871
anybody there?
regards
maulin