<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! CCPL HEADER START
  !
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  !
  ! You can also obtain a copy of the license at
  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011 ForgeRock AS
  !
-->
<chapter xml:id='chap-authenticating'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <title>Authenticating To the Directory</title>

 <para>When your client application connects to the directory, the first
 operation to perform is a bind operation. The bind operation authenticates
 the client to the directory, and the identity established by the bind
 determines what the connection is then authorized to do.</para>

 <section>
  <title>Simple Authentication</title>

  <para>You perform simple authentication by binding with the distinguished
  name of a user's directory entry and the user's password. A simple bind
  sends that password to the directory in clear text, so simple
  authentication over an unencrypted network connection should be done only
  in the lab. If your real end users are providing their passwords, your
  application must use simple authentication only when the connection is
  protected, for example by SSL or Start TLS.</para>

  <para>To bind using Barbara Jensen's identity and simple authentication,
  for example, your application would provide the DN
  <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> with the
  password <literal>hifalutin</literal>.</para>

  <para>The directory stores the password value used for simple authentication
  in binary form on the <literal>userPassword</literal> attribute of the entry.
  In other words, for the purposes of your application the password is not a
  string, but instead an array of bytes. Typically the directory is further
  configured to store only hashed values of user passwords, rather than plain
  text versions. Thus even if someone managed to read the stored password
  values, they would still have to crack the hashes in order to learn the
  actual passwords. When your application performing simple authentication
  sends the password value, the directory server therefore hashes the value
  it receives with the same scheme as the stored value (and, for a salted
  scheme, with the salt recovered from the stored value), and then compares
  the result with the value of <literal>userPassword</literal> on the user
  entry. If the values match, then the directory authenticates the user.
  Once the user has authenticated, the directory determines authorization
  for operations on the connection based on the user's identity.</para>

  <programlisting language="java">// LDAP simple authentication

import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.ErrorResultException;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;

public final class SimpleBind
{
  public static void main(final String[] args)
  {
    // Arguments: host port bindDN password, for example
    // localhost 1389 uid=bjensen,ou=People,dc=example,dc=com hifalutin
    final String hostName = args[0];
    final int port = Integer.parseInt(args[1]);
    final String userName = args[2];
    final String password = args[3];

    final LDAPConnectionFactory factory = new LDAPConnectionFactory(
        hostName, port);
    Connection connection = null;

    try
    {
      connection = factory.getConnection();
      // Simple bind: the DN plus the password, sent in clear text on the
      // wire, so outside the lab use it only over SSL or Start TLS.
      connection.bind(userName, password.toCharArray());

      System.out.println("Authenticated as " + userName + ".");

      // Perform LDAP operations here.
    }
    catch (final ErrorResultException e)
    {
      // A wrong password fails the bind with result code 49
      // (invalidCredentials). The connection is then anonymous, so do
      // not carry on as if the user had authenticated.
      System.err.println("Bind failed: " + e.getResult().getResultCode()
          + ": " + e.getMessage());
    }
    catch (final InterruptedException e)
    {
      System.err.println("Interrupted while connecting: " + e.getMessage());
    }
    finally
    {
      if (connection != null)
      {
        connection.close();
      }
    }
  }
}</programlisting>

  <para>If the password values do not match, the directory does not
  authenticate the client as that user. The bind fails with the result code
  <literal>invalidCredentials</literal> (49), and the LDAP specifications
  (RFC 4513) say that after a failed bind the connection is in an anonymous
  authorization state, with whatever rights the directory grants to
  anonymous clients: fewer than those of a normal user, and certainly fewer
  than those of an administrator. Your application must therefore check the
  bind result rather than infer success from later operations going through.
  Note also that the specifications treat a simple bind with a DN and an
  empty password as an unauthenticated bind, which a server may accept as
  anonymous, so an application that forwards whatever the end user typed,
  including an empty password, can be misled into treating an anonymous
  connection as an authenticated user. Reject empty passwords before
  binding.</para>
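  <para>The following is an added illustration, not code from OpenDJ or its
  SDK, of the server-side check described above: it re-implements the
  <literal>{SSHA}</literal> (salted SHA-1) and <literal>{SHA}</literal>
  <literal>userPassword</literal> storage schemes, whose layout (scheme
  prefix, then base64 of the digest followed by the salt) is conventional
  across directories, plus the clear-text case, and models the outcome of a
  simple bind including the empty-password pitfall. It is written in Python
  rather than the SDK's Java so that it runs stand-alone; the function names
  and the 8-byte salt length are assumptions of the example. SHA-1 appears
  because that is what these schemes use, not because it is a recommended
  choice for new deployments.</para>

```python
"""Server-side check of a simple-bind password against a stored userPassword.

Added example, not OpenDJ code. Function names, the 8-byte salt length and
the sample entry values below are assumptions of this illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = b"{SSHA}"
SHA_PREFIX = b"{SHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; whatever follows it is the salt


def encode_ssha(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt).

    The salt is stored next to the digest so the server can recover it when
    checking a bind. A random 8-byte salt is generated unless one is given.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt)


def encode_sha(password: bytes) -> bytes:
    """Build an unsalted {SHA} value: base64(sha1(password))."""
    return SHA_PREFIX + base64.b64encode(hashlib.sha1(password).digest())


def verify_user_password(stored: bytes, candidate: bytes) -> bool:
    """Return True if the candidate password matches the stored value.

    Both arguments are bytes: userPassword is an octet string, and the
    password a client sends in a simple bind is likewise not a string.
    Digests are compared in constant time so timing leaks nothing.
    """
    if stored.startswith(SSHA_PREFIX):
        blob = base64.b64decode(stored[len(SSHA_PREFIX):])
        if not len(blob) > SHA1_LEN:
            return False  # malformed: no salt after the digest
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
        # Hash what the client sent with the salt taken from the stored value
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if stored.startswith(SHA_PREFIX):
        digest = base64.b64decode(stored[len(SHA_PREFIX):])
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), digest)
    # No scheme prefix: the directory kept the clear-text password
    return hmac.compare_digest(stored, candidate)


def simple_bind_outcome(stored: Optional[bytes], candidate: bytes) -> str:
    """Model the authorization state that results from a simple bind.

    A match authenticates the user. A mismatch, or an entry with no
    userPassword, fails the bind and leaves the connection anonymous. An
    empty password is refused before any comparison: DN plus empty password
    is an unauthenticated bind that a server may accept as anonymous, which
    a client must never mistake for the user having authenticated.
    """
    if not candidate:
        return "rejected: empty password"
    if stored is not None and verify_user_password(stored, candidate):
        return "authenticated"
    return "invalidCredentials: connection is anonymous"


if __name__ == "__main__":
    # Constructed sample entry value for uid=bjensen, not real directory data
    bjensen = encode_ssha(b"hifalutin")
    print(bjensen.decode())
    print(simple_bind_outcome(bjensen, b"hifalutin"))
    print(simple_bind_outcome(bjensen, b"wrong"))
    print(simple_bind_outcome(bjensen, b""))
```

  <para>Each run prints a different <literal>{SSHA}</literal> value for the
  same password because the salt is random; the verification still succeeds
  because the salt is read back out of the stored value rather than
  recomputed.</para>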
 </section>

 <section>
  <title>Start TLS and SSL Authentication</title>

  <para>TODO</para>
 </section>

 <section>
  <title>SASL Authentication</title>

  <para>TODO</para>
 </section>
</chapter>