Question

I am new to the LDAP API. I am able to connect to an LDAP server and search for the user. How would I authenticate a user with email/password using the UnboundID LDAP API?

I have not seen any authentication in LDAP which uses email and password to authenticate a user.

Is it possible to authenticate the user using email and password?

What I am doing to authenticate the user is given below:

  1. Searching below the USERS directory, matching the email and finding his DN.

  2. Connecting as the user based on that DN: if the connection is successful, the user is authenticated; if an exception occurs while connecting, the user is not authenticated.

Is there a right way to authenticate the user?


Solution 2

Using the UnboundID LDAP SDK, this simple piece of code searches for the entry. If there is one entry that has the known email address, BIND using that DN (the password has to come from someplace else). Nothing happens (authenticated is false) if there is more than one entry that matches the search parameters or if no entries match the search parameters. This code assumes that baseObject is dc=example,dc=com, subtree search is required, and the attribute with the email address has an alias mail. The code also assumes there is a bindDN and bindPassword that has sufficient access rights to search for the user with the email address. The email address for which it searches is assumed to be babs.jensen@example.com.

Exceptions are ignored throughout.

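```java
import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;

// hostname, port and password (the user's password) come from outside this code.
String baseObject = "dc=example,dc=com";
String bindDN = "dn-with-permission-to-search";
String bindPassword = "password-of-dn-with-permission-to-search";

// Exceptions ignored.
LDAPConnection ldapConnection =
  new LDAPConnection(hostname,port,bindDN,bindPassword);

String emailAddress = "babs.jensen@example.com";
// Build the filter with the SDK instead of String.format so that the
// address is treated as a literal value, never parsed as filter syntax.
Filter filter = Filter.createEqualityFilter("mail",emailAddress);
SearchRequest searchRequest = new SearchRequest(baseObject,
  SearchScope.SUB,filter,"1.1");
SearchResult searchResult = ldapConnection.search(searchRequest);

boolean authenticated = false;
if(searchResult.getEntryCount() == 1)
{
    // There is one entry with that email address
    SearchResultEntry entry = searchResult.getSearchEntries().get(0);

    // Create a BIND request to authenticate. The password
    // has to come from someplace outside this code.
    // bind() throws an LDAPException if the server rejects the credentials.
    BindRequest bindRequest =
       new SimpleBindRequest(entry.getDN(),password);
    ldapConnection.bind(bindRequest);
    authenticated = true;
}
else if(searchResult.getEntryCount() > 1)
{
    // more than one entry matches the search parameters
}
else if(searchResult.getEntryCount() == 0)
{
    // no entries matched the search parameters
}
```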

Other tips

You have to do two steps.

  1. Using an administrative login, search the directory for the user.
  2. Using that user's DN and the password he supplied, attempt to bind.

If either didn't succeed, either the identity or the password is incorrect.
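
The two-step search-then-bind flow from the answers above, with the exceptions handled rather than ignored, as an added example that is not code from either answer or from the UnboundID project. The class name `EmailAuthenticator` and its constructor parameters are hypothetical; it assumes the `mail` attribute and a service account allowed to search, as in the first answer.

```java
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;

// Hypothetical helper; host, port, base DN and service account are assumptions.
public final class EmailAuthenticator {
    private final String host, baseDN, searchDN, searchPassword;
    private final int port;

    public EmailAuthenticator(String host, int port, String baseDN,
                              String searchDN, String searchPassword) {
        this.host = host; this.port = port; this.baseDN = baseDN;
        this.searchDN = searchDN; this.searchPassword = searchPassword;
    }

    /** True only if exactly one entry has this mail value and its DN binds with the password. */
    public boolean authenticate(String email, String password) throws LDAPException {
        // A simple bind with a DN and an empty password is an unauthenticated bind
        // (RFC 4513 section 5.1.2) that a server may accept, so reject it up front.
        if (email == null || email.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        String userDN;
        // Step 1: find the user's DN with the service account.
        try (LDAPConnection searchConn = new LDAPConnection(host, port, searchDN, searchPassword)) {
            // The value is carried as a literal assertion value, never parsed as filter syntax.
            Filter filter = Filter.createEqualityFilter("mail", email);
            SearchResult result = searchConn.search(
                new SearchRequest(baseDN, SearchScope.SUB, filter, "1.1"));
            if (result.getEntryCount() != 1) {
                return false; // no match, or an ambiguous match
            }
            userDN = result.getSearchEntries().get(0).getDN();
        }
        // Step 2: bind as the user on a separate connection, so no service-account session is reused.
        try (LDAPConnection userConn = new LDAPConnection(host, port)) {
            userConn.bind(userDN, password);
            return true;
        } catch (LDAPException e) {
            if (e.getResultCode() == ResultCode.INVALID_CREDENTIALS) {
                return false;
            }
            throw e; // outage or misconfiguration, not a wrong password
        }
    }
}
```

Unknown email, ambiguous email and wrong password all return the same `false`, so a caller cannot use the result to tell which addresses exist in the directory.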

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow