Is LDAP binding account required for user authentication?

Problem description

I am making a portal for my organization in which I want the user to log in to that portal with their organization account's ID and password.

For this purpose I am using LDAP authentication with Java.

After reading through quite a few articles, I found the following steps for authentication:

  1. bind to LDAP server using some binding or technical account
  2. search for the user details in LDAP server who is trying to log in
  3. try to bind to server again with user's Distinguished name and password.

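Question 1: Is that all?

Is the above process exactly correct, or am I missing some information because I am a novice programmer? What does binding mean conceptually?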

I wonder what is the need of binding account? If directly I try to bind the LDAP server with user's credential and if it is successful, then can I give him the access?

I have JXplorer tool in which I am able to connect to LDAP server with my own organization's credential. So I was thinking what is the need of first binding to LDAP server with some other account?

Recommended answer

question 1- Is the above process exactly correct

Yes.

question 2- I wonder what is the need of binding account?

Yes. You need to search the directory to find the user DN, and you don't want the general unauthenticated public to be able to search the directory.

if directly I try to bind the ldap server with user's credential and if it is successful, then can I give him the access?

You don't have the user's credentials to start with. You have his login name, or email address, or CN, or something that he uses to identify himself, but which is only an attribute of some entry. You need to find that entry and get its DN for authentication.

I have JXplorer tool in which I am able to connect to LDAP server with my own organization's credentials. So I was thinking what is the need of first binding to LDAP server with some other account?

See above. You don't want the user to have to remember his entire DN the way you do with JXplorer.
