Question

I'm using unboundid primitives to authenticate a user from an Android application against an Active Directory with the following code:

import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;

// username and password are fields of the enclosing class, set before this is called
public boolean getConnection() {
    LDAPConnection connection = new LDAPConnection();
    try {
        connection.connect("my.ldap.com", 389);
        // Look up the user's DN; the filter is built by the SDK so the username is escaped
        SearchResult searchResult = connection.search("XXX", SearchScope.SUB,
                Filter.createEqualityFilter("uid", username));
        if (searchResult.getEntryCount() != 1) {
            return false;
        }
        String dn = searchResult.getSearchEntries().get(0).getDN();

        // Second connection authenticates with a simple bind as the DN that was found
        try {
            LDAPConnection authConnection = new LDAPConnection("XXX", 389, dn, password);
            authConnection.close();
            return true;
        }
        catch (LDAPException e) {
            return false;
        }
    } catch (LDAPException e) {
        e.printStackTrace();
        return false;   // connection or search failed: do not report success
    } finally {
        connection.close();
    }
}

My question is: since the password is clearly readable in that function, do you know if and how it's encrypted when "sent" to the LDAP server to be compared with the one in the AD?


Solution

A simple bind request, like the one you're using, does not do anything to protect the password. In order to ensure that it's not exposed to anyone who might be able to observe the communication between the client and the server, you should protect that communication with something like SSL or StartTLS.

There are other authentication mechanisms (like the DIGEST-MD5 SASL mechanism, which I believe that Active Directory supports) that do protect the password even over an unencrypted connection. Unfortunately, it's not easy to use those authentication mechanisms on Android because the Android API doesn't include the necessary SASL support.
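The StartTLS approach the answer recommends, as an added example written for this page and not code from the question or the answer: the plaintext connection is upgraded to TLS first, then the DN lookup and the simple bind run inside the TLS session on the same connection. The host, base DN, trust store path and the `uid` attribute are assumed placeholders; the trust store format and path must match what the Android app ships.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.extensions.StartTLSExtendedRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;
import javax.net.ssl.SSLContext;
import java.security.GeneralSecurityException;

public class StartTlsAuth {
    // Hypothetical values: host, base DN and trust store path are placeholders
    private static final String HOST = "my.ldap.com";
    private static final int PORT = 389;
    private static final String BASE_DN = "DC=example,DC=com";
    private static final String TRUST_STORE = "/path/to/truststore.jks";

    public static boolean authenticate(String username, String password) {
        LDAPConnection connection = null;
        try {
            connection = new LDAPConnection(HOST, PORT);
            // Upgrade to TLS before anything sensitive is sent; trust is pinned to a
            // local trust store rather than a trust-all manager, so the server is verified
            SSLContext sslContext = new SSLUtil(new TrustStoreTrustManager(TRUST_STORE)).createSSLContext();
            if (connection.processExtendedOperation(new StartTLSExtendedRequest(sslContext))
                    .getResultCode() != ResultCode.SUCCESS) {
                return false; // refuse to continue over a plaintext connection
            }
            // Filter built by the SDK so a crafted username cannot change its structure
            SearchResult result = connection.search(BASE_DN, SearchScope.SUB,
                    Filter.createEqualityFilter("uid", username), "1.1");
            if (result.getEntryCount() != 1) {
                return false;
            }
            String dn = result.getSearchEntries().get(0).getDN();
            // The simple bind now travels inside the TLS session; bind() throws on bad credentials
            BindResult bind = connection.bind(new SimpleBindRequest(dn, password));
            return bind.getResultCode() == ResultCode.SUCCESS;
        } catch (LDAPException | GeneralSecurityException e) {
            return false; // connect, StartTLS, search or bind failure: not authenticated
        } finally {
            if (connection != null) {
                connection.close();
            }
        }
    }
}
```

If the directory exposes LDAPS (commonly port 636) instead of StartTLS, the same SSLUtil can supply a socket factory to the LDAPConnection constructor and the StartTLS step is dropped.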

Licensed under: CC-BY-SA with attribution