Username and Password for LDAP Authentication
Question
A client asked us if we support LDAP authentication for a Single-Sign-On (SSO). I Googled around and learnt a bit about LDAP.
However, I don't understand whether I should run the bind operation on some credentials that will be given to me as the app and then look for the user that tried to log in, or I should call the bind on the credentials the user attempts to log in with through our app and, as long as the credentials are valid, I consider that the user is logged in.
Thanks.
Recommended answer
It's done in three steps:
- Bind as an administrative user with enough privileges to search the directory.
- Search the directory for the user. This is necessary because the user won't supply his entire DN: he'll supply some other information about himself, such as his email address, "screen name"/moniker/alias, etc.
- Bind as that user with the supplied password credential.
If any of this fails i.e. including (2), it's a login failure, and note that you don't tell the user which step: you don't tell him 'no such user' or 'invalid password'. You just tell him 'invalid credentials' or similar for both. Otherwise you're leaking information to an attacker.
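A worked version of the three steps above, added here as an illustration; it is not code from the original question or answer. The directory is a constructed in-memory fake so the flow runs offline, and `FakeDirectory`, `FakeConnection`, the `connect` callable, the `cn=svc-sso` service account and the `alice` entry are all assumptions; in production the `connect` callable would wrap a real client (for example an ldap3 `Connection`). The example also shows two details a practitioner would want alongside the answer: the login value is escaped per RFC 4515 before it goes into the search filter, and an empty password is rejected up front, because many servers treat a DN with an empty password as an anonymous bind that "succeeds".

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# One message for every failure path, as the answer recommends.
GENERIC_FAILURE = "invalid credentials"


class BindError(Exception):
    """A simple bind (DN + password) was rejected by the directory."""


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for an LDAP search filter (RFC 4515).

    Step 2 must match exactly one entry; an unescaped login such as
    '*)(mail=*' would rewrite the filter instead of being matched literally.
    """
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (hypothetical).
    entries maps a DN to its password and attributes."""
    entries: Dict[str, dict] = field(default_factory=dict)

    def connect(self, dn: str, password: str) -> "FakeConnection":
        # Simple bind: the server verifies the password stored for the DN.
        entry = self.entries.get(dn)
        if entry is None or entry["password"] != password:
            raise BindError(dn)
        return FakeConnection(self)


@dataclass
class FakeConnection:
    directory: FakeDirectory

    def search(self, ldap_filter: str) -> List[str]:
        """Evaluate one equality filter '(attr=value)'; return matching DNs."""
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if m is None:
            return []  # a real server would reject a malformed filter
        attr, raw = m.group(1), m.group(2)
        # Undo RFC 4515 escaping so escaped metacharacters compare literally.
        value = re.sub(r"\\([0-9a-fA-F]{2})",
                       lambda h: chr(int(h.group(1), 16)), raw)
        return [dn for dn, e in self.directory.entries.items()
                if e["attrs"].get(attr) == value]


class LdapAuthenticator:
    """The three-step flow: service bind, user search, user bind."""

    def __init__(self, connect: Callable[[str, str], FakeConnection],
                 service_dn: str, service_password: str, login_attr: str = "mail"):
        self.connect = connect
        self.service_dn = service_dn
        self.service_password = service_password
        self.login_attr = login_attr

    def authenticate(self, login: str, password: str) -> Tuple[bool, str]:
        # Refuse an empty password before it reaches step 3: many servers
        # treat DN + empty password as an anonymous bind that succeeds.
        if not password:
            return False, GENERIC_FAILURE
        try:
            admin = self.connect(self.service_dn, self.service_password)  # step 1
        except BindError:
            return False, GENERIC_FAILURE
        ldap_filter = f"({self.login_attr}={escape_filter_value(login)})"
        matches = admin.search(ldap_filter)                               # step 2
        if len(matches) != 1:  # zero or ambiguous: fail the same way
            return False, GENERIC_FAILURE
        try:
            self.connect(matches[0], password)                            # step 3
        except BindError:
            return False, GENERIC_FAILURE
        return True, matches[0]


# Constructed sample directory: one service account and one person entry.
DIRECTORY = FakeDirectory({
    "cn=svc-sso,ou=services,dc=example,dc=com":
        {"password": "svc-secret", "attrs": {}},
    "uid=alice,ou=people,dc=example,dc=com":
        {"password": "alice-pw", "attrs": {"mail": "alice@example.com"}},
})
AUTH = LdapAuthenticator(DIRECTORY.connect,
                         "cn=svc-sso,ou=services,dc=example,dc=com", "svc-secret")


def login(user_login: str, password: str) -> Tuple[bool, str]:
    """Authenticate against the sample directory: (ok, dn_or_generic_message)."""
    return AUTH.authenticate(user_login, password)


if __name__ == "__main__":
    for attempt in [("alice@example.com", "alice-pw"), ("alice@example.com", "bad"),
                    ("nobody@example.com", "x"), ("*)(mail=*", "x"), ("alice@example.com", "")]:
        print(attempt, "->", login(*attempt))
```

Every failing path (service bind rejected, no or ambiguous search match, user bind rejected, empty password) returns the same `GENERIC_FAILURE` string, so the caller cannot distinguish "no such user" from "wrong password" and neither can whoever is typing into the login form. Log the specific step server-side if you need it for troubleshooting, but keep it out of the response.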