如何使用LDAP对用户进行密码身份验证? [英] How to do password authentication for a user using LDAP?

问题描述

我正在编写一个客户端应用程序(使用 OpenLDAP 库)，该应用程序将通过LDAP服务器对用户进行身份验证.

I am writing a client app (using OpenLDAP libraries) for which the users gets authenticated via LDAP server.

这里是样本程序，没有为用户比较userPassword的硬编码程序.

Here is the sample, hard coded, program that fails to compare userPassword for a user.

#include <stdio.h>
#include <ldap.h>
#define LDAP_SERVER "ldap://192.168.1.95:389"

int main( int argc, char **argv ){
    LDAP        *ld;
    int         rc;
    char        bind_dn[100];
    LDAPMessage *result, *e;
    char *dn;
    int has_value;

    sprintf( bind_dn, "cn=%s,dc=ashwin,dc=com", "manager" );
    printf( "Connecting as %s...\n", bind_dn );

    if( ldap_initialize( &ld, LDAP_SERVER ) )
    {
        perror( "ldap_initialize" );
        return( 1 );
    }

    rc = ldap_simple_bind_s( ld, bind_dn, "ashwin" );
    if( rc != LDAP_SUCCESS )
    {
        fprintf(stderr, "ldap_simple_bind_s: %s\n", ldap_err2string(rc) );
        return( 1 );
    }

    printf( "Successful authentication\n" );

    rc = ldap_search_ext_s(ld, "dc=ashwin,dc=com", LDAP_SCOPE_SUBTREE, "sn=ashwin kumar", NULL, 0, NULL, NULL, NULL, 0, &result);
    if ( rc != LDAP_SUCCESS ) {
        fprintf(stderr, "ldap_search_ext_s: %s\n", ldap_err2string(rc));
    }

    for ( e = ldap_first_entry( ld, result ); e != NULL; e = ldap_next_entry( ld, e ) ) {
        if ( (dn = ldap_get_dn( ld, e )) != NULL ) {
            printf( "dn: %s\n", dn );
            has_value = ldap_compare_s( ld, dn, "userPassword", "secret" ); 
            switch ( has_value ) { 
                case LDAP_COMPARE_TRUE: 
                    printf( "Works.\n"); 
                    break; 
                case LDAP_COMPARE_FALSE: 
                    printf( "Failed.\n"); 
                    break; 
                default: 
                    ldap_perror( ld, "ldap_compare_s" ); 
                    return( 1 ); 
            } 
            ldap_memfree( dn );
        }
    }

    ldap_msgfree( result );
    ldap_unbind( ld );
    return( 0 );
}

userPassword (如果在LDAP服务器中是普通密码)，则可以使用. 如果使用MD5加密，则使用相同的密码， ldap_compare_s 将失败.那是因为我要传递明文密码进行比较.

userPassword if it is plain in LDAP server, it works. the same password if it is MD5 encrypted, ldap_compare_s fails. And that's because I am passing the cleartext password to compare.

如何使该示例程序正常工作?

How do I get this sample program working?

我这样做正确吗?使用ldap_compare_s通过LDAP认证用户是否正确?

Am I doing this right? Is it correct to use ldap_compare_s to authenticate user via LDAP?

P.S:这是我第一次使用LDAP.

P.S: This is the first time I am working on LDAP.

推荐答案

这不是在LDAP上执行密码检查的正确方法，您应该尝试使用从第一次搜索中获得的dn进行绑定以及提供的密码.

This is not really the right way to perform a password check on LDAP, what you should do is attempt to bind using the dn obtained from the first search and the password supplied.

即您执行第二次绑定以验证密码.如果绑定失败，则密码不正确.

i.e. you perform a second bind to verify the password. If the bind fails then the password is incorrect.

类似于:

    if ( (dn = ldap_get_dn( ld, e )) != NULL ) {
        printf( "dn: %s\n", dn );
        /* rebind */
        ldap_initialize(&ld2, LDAP_SERVER);
        rc = ldap_simple_bind_s(ld2, dn, "secret");
        printf("%d\n", rc);
        if (rc != 0) {
            printf("Failed.\n");
        } else {
            printf("Works.\n");
            ldap_unbind(ld2);
        }
        ldap_memfree( dn );
    }

出于安全原因，表明用户名不正确(即搜索用户帐户失败)，通常被视为过度披露，应避免使用.

For security reasons indicating that the username is incorrect (i.e. the search for the user account fails) is generally considered excessive disclosure, and should be avoided.

这篇关于如何使用LDAP对用户进行密码身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！