Question

Our Android app connects to an LDAP db for authentication and user data (email address, phone number, etc.). Until now, the app has connected to a piece of middleware that opens the connection to LDAP and performs operations for the app. The app just sends a basic request (like "Authenticate the user, and grant them the role if they don't have it"), and the middleware is set up to handle only those possible requests.

Now, we've been asked to skip the middleware, and connect to LDAP straight from the app. The issue is that, as far as I can see, there's no way to not hardcode the password of the master LDAP user in the app, and I know .apk files are easy to decompile.

Is there any way to securely connect directly to the LDAP from a client app on phones belonging to the general public without using middleware?


Solution

The basic idea is that you search for the user anonymously, with no password, and then (re-)connect (=LDAP bind) using the user's password, which you ask him for, rather than anything hard-coded into the application.

Other tips

I assume you are also using SSL/TLS for the communication? If not please do.
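The search-then-bind flow from the accepted answer, combined with the TLS advice above, as an added example that is not part of either answer. It uses the UnboundID LDAP SDK (a common choice on Android, which does not ship javax.naming); the host, port, base DN, trust-store path and the `uid`/`mail`/`telephoneNumber` attribute names are assumptions, not values from the question. The connection carries no application credential at all: the first search runs anonymously, the bind uses the password the user just typed, and the profile read afterwards happens under that user's own directory permissions.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import javax.net.SocketFactory;
import java.security.GeneralSecurityException;
import java.util.Arrays;

/** Search-then-bind LDAP authentication with no credential stored in the app. */
public class LdapSearchThenBind {

    // Placeholder deployment values (assumptions, not from the original post).
    private static final String HOST = "ldap.example.org";
    private static final int PORT = 636;                                   // LDAPS
    private static final String BASE_DN = "ou=people,dc=example,dc=org";
    private static final String TRUST_STORE = "/path/to/app-truststore";  // hypothetical path

    /** The user data the app needs after a successful login. */
    public static final class UserProfile {
        public final String dn, mail, phone;
        UserProfile(String dn, String mail, String phone) {
            this.dn = dn; this.mail = mail; this.phone = phone;
        }
    }

    public static UserProfile authenticate(String username, char[] password)
            throws LDAPException, GeneralSecurityException {
        // An empty password would be an unauthenticated (anonymous) bind, which many
        // servers accept as "success"; refuse it before talking to the directory.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            throw new LDAPException(ResultCode.INVALID_CREDENTIALS, "empty username or password");
        }

        // TLS with a trust manager limited to our own CA, so the password is never
        // sent in clear and a forged server certificate is rejected.
        SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(TRUST_STORE));
        SocketFactory socketFactory = sslUtil.createSSLSocketFactory();

        LDAPConnection conn = new LDAPConnection(socketFactory, HOST, PORT);
        try {
            // Step 1: anonymous search to map the typed login name to a DN.
            // createEqualityFilter() escapes the value, so user input cannot alter the filter.
            Filter filter = Filter.createEqualityFilter("uid", username);
            SearchResult result = conn.search(BASE_DN, SearchScope.ONE, filter, "1.1"); // "1.1": no attributes
            if (result.getEntryCount() != 1) {
                // Same error as a bad password, so callers cannot enumerate valid logins.
                throw new LDAPException(ResultCode.INVALID_CREDENTIALS, "invalid username or password");
            }
            String userDn = result.getSearchEntries().get(0).getDN();

            // Step 2: bind on the same connection as the user with the password they typed.
            // The SDK throws LDAPException (INVALID_CREDENTIALS) if the password is wrong.
            BindResult bind = conn.bind(userDn, new String(password));
            if (bind.getResultCode() != ResultCode.SUCCESS) {
                throw new LDAPException(bind.getResultCode(), "bind failed");
            }

            // Step 3: read the profile as the user; the directory's ACLs decide what is visible.
            SearchResultEntry entry = conn.getEntry(userDn, "mail", "telephoneNumber");
            if (entry == null) {
                throw new LDAPException(ResultCode.NO_SUCH_OBJECT, "entry vanished after bind");
            }
            return new UserProfile(userDn,
                    entry.getAttributeValue("mail"),
                    entry.getAttributeValue("telephoneNumber"));
        } finally {
            Arrays.fill(password, '\0');  // do not keep the password in memory longer than needed
            conn.close();
        }
    }
}
```

Two things must hold on the server side for this to work: anonymous users need read access to `uid` under the base DN (and nothing else), and the attributes the app shows must be readable by the entry's owner. If the directory does not permit anonymous search, the remaining option is to build the DN directly from the login name (for example `uid=<name>,ou=people,...`, after escaping it with the SDK's DN helpers) and skip the search; either way no master credential ever leaves the server.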

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow