How to do password authentication for a user using LDAP?


Problem description

I am writing a client app (using the OpenLDAP libraries) for which the users get authenticated via an LDAP server.

Here is a sample, hard-coded program that fails to compare userPassword for a user.

#include <stdio.h>
#define LDAP_DEPRECATED 1   /* ldap_simple_bind_s, ldap_unbind and ldap_perror are hidden without this in current OpenLDAP */
#include <ldap.h>
#define LDAP_SERVER "ldap://192.168.1.95:389"

int main( int argc, char **argv ){
    LDAP        *ld;
    int         rc;
    int         version = LDAP_VERSION3;
    char        bind_dn[100];
    LDAPMessage *result, *e;
    char *dn;
    int has_value;

    sprintf( bind_dn, "cn=%s,dc=ashwin,dc=com", "manager" );
    printf( "Connecting as %s...\n", bind_dn );

    if( ldap_initialize( &ld, LDAP_SERVER ) )
    {
        perror( "ldap_initialize" );
        return( 1 );
    }

    /* libldap defaults to LDAPv2 unless ldap.conf overrides it; servers generally expect v3 */
    ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );

    rc = ldap_simple_bind_s( ld, bind_dn, "ashwin" );
    if( rc != LDAP_SUCCESS )
    {
        fprintf(stderr, "ldap_simple_bind_s: %s\n", ldap_err2string(rc) );
        return( 1 );
    }

    printf( "Successful authentication\n" );

    rc = ldap_search_ext_s(ld, "dc=ashwin,dc=com", LDAP_SCOPE_SUBTREE, "sn=ashwin kumar", NULL, 0, NULL, NULL, NULL, 0, &result);
    if ( rc != LDAP_SUCCESS ) {
        fprintf(stderr, "ldap_search_ext_s: %s\n", ldap_err2string(rc));
        ldap_unbind( ld );
        return( 1 );   /* result is not usable when the search failed */
    }

    for ( e = ldap_first_entry( ld, result ); e != NULL; e = ldap_next_entry( ld, e ) ) {
        if ( (dn = ldap_get_dn( ld, e )) != NULL ) {
            printf( "dn: %s\n", dn );
            /* compares the literal value against the stored attribute, which is why it fails for hashed passwords */
            has_value = ldap_compare_s( ld, dn, "userPassword", "secret" ); 
            switch ( has_value ) { 
                case LDAP_COMPARE_TRUE: 
                    printf( "Works.\n"); 
                    break; 
                case LDAP_COMPARE_FALSE: 
                    printf( "Failed.\n"); 
                    break; 
                default: 
                    ldap_perror( ld, "ldap_compare_s" ); 
                    return( 1 ); 
            } 
            ldap_memfree( dn );
        }
    }

    ldap_msgfree( result );
    ldap_unbind( ld );
    return( 0 );
}

If userPassword is stored plain in the LDAP server, it works. If the same password is MD5 encrypted, ldap_compare_s fails, and that's because I am passing the cleartext password to compare.

How do I get this sample program working?

Am I doing this right? Is it correct to use ldap_compare_s to authenticate a user via LDAP?

P.S.: This is the first time I am working with LDAP.

Recommended answer

This is not really the right way to perform a password check on LDAP. What you should do is attempt to bind using the DN obtained from the first search and the password supplied.

That is, you perform a second bind to verify the password. If the bind fails, then the password is incorrect.

Something like:

    LDAP *ld2;
    int   rc;
    int   version = LDAP_VERSION3;

    if ( (dn = ldap_get_dn( ld, e )) != NULL ) {
        printf( "dn: %s\n", dn );
        /* rebind on a fresh connection as the user's own DN */
        if ( ldap_initialize( &ld2, LDAP_SERVER ) != LDAP_SUCCESS ) {
            perror( "ldap_initialize" );
            ldap_memfree( dn );
            return( 1 );
        }
        ldap_set_option( ld2, LDAP_OPT_PROTOCOL_VERSION, &version );
        /* the user's password travels in the clear on ldap://; use ldaps:// or ldap_start_tls_s() in practice */
        rc = ldap_simple_bind_s( ld2, dn, "secret" );
        printf( "%d\n", rc );
        if ( rc != LDAP_SUCCESS ) {
            printf( "Failed.\n" );
        } else {
            printf( "Works.\n" );
        }
        ldap_unbind( ld2 );   /* release the second connection on both paths */
        ldap_memfree( dn );
    }

For security reasons, indicating that the username is incorrect (i.e. that the search for the user account failed) is generally considered excessive disclosure and should be avoided.
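The search-then-bind flow the answer describes, as an added example that is not part of the original post. Instead of calling libldap it speaks LDAP at the wire level: a hand-written BER encoding of the LDAPv3 BindRequest and BindResponse from RFC 4511 is exchanged with a constructed in-process directory over a socketpair, so it runs offline. The directory entries, the uid attribute used for the lookup, and the server's permissive handling of an empty password are all assumptions. Beyond the answer's snippet it adds the three client-side checks a practitioner wants: escape the username before it goes into the search filter (RFC 4515), require exactly one match, and refuse an empty password before it reaches the server, because a non-empty DN with an empty password is the RFC 4513 "unauthenticated" bind that many directories answer with success.

```python
"""Search-then-bind LDAP authentication shown at the wire level.

Added example, not code from the original post: a tiny BER codec for the
LDAPv3 BindRequest/BindResponse (RFC 4511) exchanges real messages with a
constructed in-process "directory" over a socketpair.  Assumed: the entries
in FAKE_DIRECTORY, and that the server, as many do, treats a non-empty DN
with an empty password as a successful anonymous bind."""
import socket
import threading

# Constructed test data: DN -> (uid, password).
FAKE_DIRECTORY = {
    "uid=ashwin,ou=people,dc=ashwin,dc=com": ("ashwin", "secret"),
    "uid=bob,ou=people,dc=ashwin,dc=com": ("bob", "hunter2"),
}
# BER tags for the few element types a simple bind needs.
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80  # [APPLICATION 0], [APPLICATION 1], [0]
SUCCESS, INVALID_CREDENTIALS = 0, 49

def ber(tag, payload):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def ber_parse(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_request(msg_id, dn, password):
    op = ber(INTEGER, b"\x03") + ber(OCTET_STRING, dn.encode()) + ber(SIMPLE_AUTH, password.encode())
    return ber(SEQUENCE, ber(INTEGER, bytes([msg_id])) + ber(BIND_REQUEST, op))

def bind_response(msg_id, code):
    op = ber(ENUMERATED, bytes([code])) + ber(OCTET_STRING, b"") + ber(OCTET_STRING, b"")
    return ber(SEQUENCE, ber(INTEGER, bytes([msg_id])) + ber(BIND_RESPONSE, op))

def read_message(sock):
    """Read one complete LDAPMessage: tag, length, then exactly that many bytes."""
    with sock.makefile("rb") as f:
        head = f.read(2)
        length, extra = head[1], b""
        if length & 0x80:
            extra = f.read(length & 0x7F)
            length = int.from_bytes(extra, "big")
        return head + extra + f.read(length)

def fake_directory(sock):
    """Constructed server: one BindRequest in, one BindResponse out."""
    _, msg, _ = ber_parse(read_message(sock))
    _, msg_id, pos = ber_parse(msg)
    _, op, _ = ber_parse(msg, pos)
    _, _version, pos = ber_parse(op)
    _, dn, pos = ber_parse(op, pos)
    _, password, _ = ber_parse(op, pos)
    entry = FAKE_DIRECTORY.get(dn.decode())
    # An empty password is an anonymous bind: it "succeeds" without proving anything.
    ok = password == b"" or (entry is not None and entry[1] == password.decode())
    sock.sendall(bind_response(msg_id[0], SUCCESS if ok else INVALID_CREDENTIALS))

def bind_result(dn, password):
    """Raw simple bind against the fake directory; returns the LDAP resultCode."""
    client, server = socket.socketpair()
    with client, server:
        worker = threading.Thread(target=fake_directory, args=(server,))
        worker.start()
        client.sendall(bind_request(1, dn, password))
        reply = read_message(client)
        worker.join()
    _, msg, _ = ber_parse(reply)
    _, _msg_id, pos = ber_parse(msg)
    _, op, _ = ber_parse(msg, pos)
    _, code, _ = ber_parse(op)
    return code[0]

def escape_filter_value(value):
    """RFC 4515 escaping, so user-supplied text cannot change the filter's structure."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def lookup_dn(username):
    """Stand-in for the ldap_search_ext_s step with filter (uid=<escaped username>):
    the fake directory compares literally, and exactly one match is required."""
    wanted = escape_filter_value(username)
    matches = [dn for dn, (uid, _) in FAKE_DIRECTORY.items() if escape_filter_value(uid) == wanted]
    return matches[0] if len(matches) == 1 else None

def authenticate(username, password):
    """True only for an existing user with the right password; no such user,
    wrong password and empty password all yield the same False."""
    if password == "":
        return False  # never send an empty password: the server would bind anonymously
    dn = lookup_dn(username)
    if dn is None:
        return False  # indistinguishable from a wrong password, so no account enumeration
    return bind_result(dn, password) == SUCCESS
```

With this structure ldap_compare_s on userPassword is not needed at all: the bind result is the server's own verdict against whatever it has stored, hashed or not, and the client never sees or handles the stored value. The raw `bind_result` call is kept separate from `authenticate` on purpose, so you can see that the directory answers an empty password with resultCode 0 while `authenticate` still refuses it.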
