How to do password authentication for a user using LDAP?

c++ linux ldap openldap
Ashwin picture Ashwin · Apr 23, 2013 · Viewed 17.3k times · Source

I am writing a client app (using OpenLDAP libraries) for which the users gets authenticated via LDAP server.

Here is the sample, hard coded, program that fails to compare userPassword for a user. 

#include <stdio.h>
#include <ldap.h>
#define LDAP_SERVER "ldap://192.168.1.95:389"

int main( int argc, char **argv ){
    LDAP        *ld;
    int         rc;
    char        bind_dn[100];
    LDAPMessage *result, *e;
    char *dn;
    int has_value;

    sprintf( bind_dn, "cn=%s,dc=ashwin,dc=com", "manager" );
    printf( "Connecting as %s...\n", bind_dn );

    if( ldap_initialize( &ld, LDAP_SERVER ) )
    {
        perror( "ldap_initialize" );
        return( 1 );
    }

    rc = ldap_simple_bind_s( ld, bind_dn, "ashwin" );
    if( rc != LDAP_SUCCESS )
    {
        fprintf(stderr, "ldap_simple_bind_s: %s\n", ldap_err2string(rc) );
        return( 1 );
    }

    printf( "Successful authentication\n" );

    rc = ldap_search_ext_s(ld, "dc=ashwin,dc=com", LDAP_SCOPE_SUBTREE, "sn=ashwin kumar", NULL, 0, NULL, NULL, NULL, 0, &result);
    if ( rc != LDAP_SUCCESS ) {
        fprintf(stderr, "ldap_search_ext_s: %s\n", ldap_err2string(rc));
    }

    for ( e = ldap_first_entry( ld, result ); e != NULL; e = ldap_next_entry( ld, e ) ) {
        if ( (dn = ldap_get_dn( ld, e )) != NULL ) {
            printf( "dn: %s\n", dn );
            has_value = ldap_compare_s( ld, dn, "userPassword", "secret" ); 
            switch ( has_value ) { 
                case LDAP_COMPARE_TRUE: 
                    printf( "Works.\n"); 
                    break; 
                case LDAP_COMPARE_FALSE: 
                    printf( "Failed.\n"); 
                    break; 
                default: 
                    ldap_perror( ld, "ldap_compare_s" ); 
                    return( 1 ); 
            } 
            ldap_memfree( dn );
        }
    }

    ldap_msgfree( result );
    ldap_unbind( ld );
    return( 0 );
}

userPassword if it is plain in LDAP server, it works. the same password if it is MD5 encrypted, ldap_compare_s fails. And that's because I am passing the cleartext password to compare.

How do I get this sample program working?

Am I doing this right? Is it correct to use ldap_compare_s to authenticate user via LDAP?

P.S: This is the first time I am working on LDAP.

Answer

Petesh picture Petesh · Apr 23, 2013

This is not really the right way to perform a password check on LDAP, what you should do is attempt to bind using the dn obtained from the first search and the password supplied.

i.e. you perform a second bind to verify the password. If the bind fails then the password is incorrect.

Something akin to:

    if ( (dn = ldap_get_dn( ld, e )) != NULL ) {
        printf( "dn: %s\n", dn );
        /* rebind */
        ldap_initialize(&ld2, LDAP_SERVER);
        rc = ldap_simple_bind_s(ld2, dn, "secret");
        printf("%d\n", rc);
        if (rc != 0) {
            printf("Failed.\n");
        } else {
            printf("Works.\n");
            ldap_unbind(ld2);
        }
        ldap_memfree( dn );
    }

For security reasons indicating that the username is incorrect (i.e. the search for the user account fails) is generally considered excessive disclosure, and should be avoided.

Related questions

Sleep for milliseconds

I know the POSIX sleep(x) function makes the program sleep for x seconds. Is there a function to make the program sleep for x milliseconds in C++?

Read More
usr/bin/ld: cannot find -l<nameOfTheLibrary>

I'm trying to compile my program and it returns this error : usr/bin/ld: cannot find -l<nameOfTheLibrary> in my makefile I use the command g++ and link to my library which is a symbolic link to my …

Read More
C++ IDE for Linux?

I want to expand my programming horizons to Linux. A good, dependable basic toolset is important, and what is more basic than an IDE? I could find these SO topics: Lightweight IDE for linux and What tools do you use …

Read More