Easy way to test an LDAP User's Credentials
Problem Overview
Is there an easy way to test the credentials of a user against an LDAP instance? I know how to write a Java program that would take the 'User DN' and password, and check it against the LDAP instance. However, is there any easier way? Especially a method that not only authenticates the user, but also lists all the user's roles.
Solutions
Solution 1

    ldapwhoami -vvv -h <hostname> -p <port> -D <binddn> -x -w <passwd>

where binddn is the DN of the person whose credentials you are authenticating.
On success (i.e., valid credentials), you get "Result: Success (0)". On failure, you get "ldap_bind: Invalid credentials (49)".
Solution 2
Use ldapsearch to authenticate. The opends version might be used as follows:

    ldapsearch --hostname hostname --port port \
        --bindDN userdn --bindPassword password \
        --baseDN '' --searchScope base 'objectClass=*' 1.1
Solution 3
You should check out Softerra's LDAP Browser (the free version of LDAP Administrator), which can be downloaded here:
<http://www.ldapbrowser.com/download.htm>
I've used this application extensively for all my Active Directory, OpenLDAP, and Novell eDirectory development, and it has been absolutely invaluable.
If you just want to check and see if a username\password combination works, all you need to do is create a "Profile" for the LDAP server, and then enter the credentials during Step 3 of the creation process:
By clicking "Finish", you'll effectively issue a bind to the server using the credentials, auth mechanism, and password you've specified. You'll be prompted if the bind does not work.
Solution 4
Note, if you don't know your full bind DN, you can also just use your normal username or email with -U:

    ldapsearch -v -h contoso.com -U turiya.gouw@contoso.com -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'
Solution 5
Authentication is done via a simple ldap_bind command that takes the user's DN and the password. The user is authenticated when the bind is successful. Usually you would get the user's DN via an ldap_search based on the user's uid or email address.
Getting the user's roles is something different, as it is an ldap_search and depends on where and how the roles are stored in the LDAP. But you might be able to retrieve the roles during the ldap_search used to find the user's DN.
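The search-then-bind flow from Solution 5, written out in Java with JNDI as an added example (not code from any of the answers above): a read-only service account resolves the uid to a DN, the user's own password is tested with a simple bind, and the user's roles are read as the groupOfNames entries whose member attribute names that DN. The server URL, base DN, the uid attribute and the groupOfNames/member schema are assumptions; Active Directory, for instance, uses sAMAccountName and memberOf instead.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class LdapCredentialCheck {
    static final String URL = "ldap://ldap.example.com:389"; // assumed value, change to your server
    static final String BASE_DN = "dc=example,dc=com";        // assumed value, change to your suffix
    // Simple bind as dn; throws AuthenticationException on bad credentials (LDAP result 49).
    static LdapContext bind(String dn, String password) throws NamingException {
        // An empty password makes a simple bind anonymous, which many servers accept: reject it here.
        if (dn == null || dn.isEmpty() || password == null || password.isEmpty())
            throw new AuthenticationException("DN and password are required");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    static SearchControls subtree(String... attrs) { // whole-subtree search returning only attrs
        return new SearchControls(SearchControls.SUBTREE_SCOPE, 0, 0, attrs, false, false);
    }
    // Resolve uid to a DN with a read-only service account; JNDI escapes {0}, so uid cannot alter the filter.
    static String findUserDn(LdapContext svc, String uid) throws NamingException {
        NamingEnumeration<SearchResult> r = svc.search(BASE_DN, "(uid={0})", new Object[] {uid}, subtree("1.1"));
        if (!r.hasMore()) return null; // "1.1" asks for no attributes: only the DN is needed
        String dn = r.next().getNameInNamespace();
        if (r.hasMore()) throw new NamingException("uid is not unique: " + uid);
        return dn;
    }
    // Roles = cn of every groupOfNames entry whose member attribute names the user's DN.
    static List<String> findRoles(LdapContext ctx, String userDn) throws NamingException {
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> r = ctx.search(BASE_DN,
                "(&(objectClass=groupOfNames)(member={0}))", new Object[] {userDn}, subtree("cn"));
        while (r.hasMore()) roles.add(r.next().getAttributes().get("cn").get().toString());
        return roles;
    }

    // Authenticate uid/password as the user and return the user's roles.
    static List<String> authenticate(LdapContext svc, String uid, String password) throws NamingException {
        String userDn = findUserDn(svc, uid);
        if (userDn == null) throw new AuthenticationException("no such user: " + uid);
        LdapContext user = bind(userDn, password); // AuthenticationException here means invalid credentials
        try { return findRoles(user, userDn); } finally { user.close(); }
    }
}
```

Call authenticate() with a context obtained from bind() for the service account; the bind inside it fails with AuthenticationException when the password is wrong, which is the same result 49 the ldapwhoami answer reports.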