how to authenticate a user in Ldap using password

Question

package com.ecom.data.access.controller;


import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.opends.server.admin.client.ldap.LDAPConnection;
import org.opends.server.types.ResultCode;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.NamingException;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.Controller;

import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.SimpleBindRequest;



public class LoginController implements Controller  
{

    public static String usersContainer = "dc=example,dc=com";



    public ModelAndView handleRequest(HttpServletRequest request,HttpServletResponse response) throws Exception
    {

        String givenName1=request.getParameter("name");
        String userpassword1=request.getParameter("password");  
            System.out.println("Ldap wellcome");

        final SimpleBindRequest bindRequest=new SimpleBindRequest(givenName1, userpassword1);
        System.out.println("before");
        System.out.println(bindRequest);
        Hashtable<String, Object> env = new Hashtable<String, Object>(11);// Here we set some connection Hashtable for JNDI
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); 
        env.put(Context.PROVIDER_URL, "ldap://localhost:389");
        env.put( Context.SECURITY_PRINCIPAL, "cn=Directory Manager" );
        env.put( Context.SECURITY_CREDENTIALS, "admin" );
        DirContext ctx = null;

        NamingEnumeration<?> results = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String lookup="givenName="+givenName1+",dc=example,dc=com";
            String obj =  "(objectclass=*)";
            results=ctx.search(lookup, obj, controls);
            while (results.hasMore()) 
            {
                SearchResult searchResult = (SearchResult) results.next();
                Attributes attributes = searchResult.getAttributes();
                 Attribute attruser = attributes.get("givenName");
                 Attribute attrpwd=attributes.get("uid");
                 Attribute org=attributes.get("o");
                  String cn = (String)attruser.get();
                  String cn1 = (String)attrpwd.get();
                  String cn2 = (String)org.get();
             List<String> li = new ArrayList<String>();
             li.add(cn);
             li.add(cn1);
             li.add(cn2);
              if(givenName1.equals(cn) && userpassword1.equals(cn1))
                {

                    ModelAndView modelSuccess=new ModelAndView("loginPage");
                    modelSuccess.addObject("msgSuccess", li);
                    return modelSuccess;
                    }
                   else
                   {
                    ModelAndView modelError=new ModelAndView("errorPage");
                    modelError.addObject("msgError", "Invalid UserName and Password");

                    return modelError;
                    }
                   }

                } catch (Throwable e) 
                {
                }    finally 
                {
                    if (results != null) 
                    {
                        try 
                        {
                            results.close();

                        } catch (Exception e) 
                        {
                        }
                    }
                    if (ctx != null) {
                        try {
                            ctx.close();
                            } catch (Exception e) {
                            }
                    }
                }
            return null;
        }

}

I am using Spring 3. I am working on LDAP. I need to do a user is authenticate if his user name and password is correct. I have many fields in my OpenDs. If I am using given name and first name then it will authenticate, but if I use password then it's not authenticated because the password stored in openDs is encrypted form. So I need to match the password. Please give me some suggestion for this. I am using the code as above.

Answer 1

The password should be stored as a cryptographic digest called a "hash", often in the userPassword or authPassword attribute. The LDAP client authenticates by changing the authorization state of the session using a BIND request. A SimpleBindRequest has the distinguished name (primary key) of the account which is to be used as the authorization state of the session and the password in clear-text.

The SimpleBindRequest should be transmitted to the server via a secure connection (either SSL or a non-secure connection promoted using the StartTLS extended request). Other methods (such as DIGEST-MD5 or CRAM-MD5 are unsafe or less secure because the server must be able to decrypt a password, therefore the password must be stored in a reversible encryption. Other safe methods include GSSAPI or the EXTERNAL SASL mechanism, but the SimpleBindRequest over a secure connection is the simplest.

The LDAP directory server verifies the presented password and if the verification is successful, changes the authorization state of the session and then returns a BIND response to the client. The BIND response contains a result code - if that result code is zero (0), then the authentication (and the BIND operation) were successful.

LDAP client should not present pre-encoded passwords to LDAP servers because this prevents the management of password history and other aspects of password quality management.