  • How to authenticate a user by uid and password?

    Original source: Authentication options | Basic authorization

    If you want to use simple binds with user DN and password within a Java component in order to authenticate users programmatically, one problem arises in practice: most users do not know their DN, so they will not be able to enter it. Even if they do know it, typing it would often be laborious because of its length. It is easier for a user if s/he only has to provide a short, unique ID and the password, as in a web form.

    Usually the ID is an attribute within the user's entry. In our sample data (Seven Seas), each user entry contains the uid attribute, for instance uid=hhornblo for Captain Hornblower:

    dn: cn=Horatio Hornblower,ou=people,o=sevenSeas
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetOrgPerson
    objectclass: top
    cn: Horatio Hornblower
    description: Capt. Horatio Hornblower, R.N
    givenname: Horatio
    sn: Hornblower
    uid: hhornblo
    mail: hhornblo@royalnavy.mod.uk
    userpassword: {SHA}nU4eI71bcnBGqeO0t9tXvY1u5oQ=

    But how to authenticate a user who provides "hhornblo"/"pass" instead of "cn=Horatio Hornblower,ou=people,o=sevenSeas"/"pass" with the help of ApacheDS?

    An algorithm

    In order to accomplish this task programmatically, one option is to perform the following steps:

    Arguments

    • uid of a user (e.g. "hhornblo")
    • password proclaimed to be correct for the user

    Steps

    • Bind to ApacheDS anonymously, or with the DN of a technical user. In both cases it must be possible to search the directory afterwards (authorization has to be configured that way)
    • Perform a search operation with an appropriate filter to find the user entry for the given ID, in our case "(&(objectClass=inetorgperson)(uid=hhornblo))"
      • If the search result is empty, the user does not exist -- terminate
      • If the search result contains more than one entry, the given ID is not unique; this is likely a data error within your directory
    • Bind to ApacheDS with the DN of the entry found in the previous search, and the password provided as argument
      • If the bind operation fails, the password is wrong, and the result is false (not authenticated)
      • If the bind is successful, authenticate the user
  • Original source: https://www.cnblogs.com/eastson/p/3720237.html