Check LDAP user authentication

LDAP-user-authentication

Make use of (Lightweight Directory Access Protocol) LDAP user authentication to validate the credentials submitted by the user.

LDAP is mainly used in Microsoft’s Active Directory, but it can also be used with other tools like; Open LDAP, Red Hat Directory Servers, and IBM Tivoli Directory Servers for its open and cross-platform protocol.

The LDAP directories store user, group, and permission information and share that with applications in the enterprise. Here you will see how to configure it in LdapAuth and its mechanism.

The user’s authentication with an LDAP directory is a two-step process, so let’s see how:

Step 1: Resolve the username to a directory entry

A distinguished name (DN) identifies user entries in a directory, and it follows a path-like structure from the directory root.

uid=alice,ou=people,dc=wonderland,dc=net

To authenticate a user with an LDAP directory, first, you have to get their DN and password. Also, you can log in with a username or email id and don’t want to remember the DN of their directory entry.

Solve these DN resolution issues by logging in and then search the name or email aspect of all user entries to get the matching DN entry. Since directories use very effective indexing and caching, so these searches are usually quick. The UID and email attributes are searched by default in the LdapAuth setup.

The user identifier entered in the login form replaces with the %u placeholder:

ldapAuth.dnResolution.searchFilter=(|(uid=%u)(mail=%u))

The search filter for only UID search is:

ldapAuth.dnResolution.searchFilter=(uid=%u)

The search filter for UID, email, and employee number search is:

ldapAuth.dnResolution.searchFilter = (|(uid=%u)(mail=%u)(employeeNumber=%u))

Remember these two important points while configuring DN resolution and adding new user entries to the directory:

  1. The login attributes (username, email, etc.) must be unique. If two entries are discovered with the same identifying attribute, then such email authentication will be denied immediately.
  2. Ensure each user who is requested to log in has a specified attribute for the identifying attribute. Consider if any users may log in with their email address, and ensure all accounts have a given email attribute. Otherwise, the authentication will fail.

In the authentication response, the LdapAuth web API does not provide the reason for the login failure. Check the service logs to resolve situations when a user is still unable to connect despite entering the correct username and password.

If login is denied due to an invalid username, the log will show as follows:

2012-10-01 10:52:51,460 INFO – user.auth: username=tom authenticated=false message=Invalid username

If the username was resolved successfully, but the password was inaccurate:

2012-10-01 10:55:05,662 INFO – user.auth: username=alice
DN=uid=alice,ou=people,dc=wonderland,dc=net authenticated=false message=Invalid password

Once the user’s directory entry DN has successfully resolved, we can move to the user password checking step.

Step 2: User Password Validation

The LDAP command called bind is used to check your password. When you check the credentials a connection will be opened to the directory server, and a request will be sent to authenticate the connection bypassing its entry DN and password as a particular user.

DN:uid=alice,ou=people,dc=wonderland,dc=net password:secret

The directory server will return success if the credentials are correct if not it will return LDAP error Invalid credentials (code 49).

You need to note few things here:

You need to define the password attribute while you log in because the name of the attribute varies in different tools.

For example; If you’re using a standard directory schema, the attribute will be userPassword. If you are using MS Active Directory the name of the attribute will be unicodePwd.

Therefore ensure every user logins with a defined password attribute.

Since the password values are often hashed and are double protected which makes them write-only, you need the bind command to authenticate and also remember that password is typically case sensitive.

The log files record every login attempt which will help to troubleshoot when authentication is not working as expected.

Hope this was quite helpful to validate the user authentication using LDAP. For tech assistance, you can get in touch with us.

To get more updates you can follow us on Facebook, Twitter, LinkedIn

Subscribe to get free blog content to your Inbox