javaldapteamsite

Using String.equals compare password and authenticate user against LDAP server, Does it make any sense?


I'm working with pretty old, big CMS (TeamSite) and it has an example how to connect it to an LDAP server. I've read the example and it work in very bizarre way. It just store a password in the "userPassword" field as expected but it does the validation manually instead of using the bind command.

This doesn't make sense to me but I can be wrong here as I haven't worked with LDAP servers before. Do you have any idea why somebody would like to manually compare the password instead of using bind?

Here is how the code looks like:

  Attribute attrPassword = attrs.get("userPassword");
  if (attrPassword.size() > 0)
  {
    String storedPassword = new String((byte[])attrPassword.get(0));

    if (password.equals(storedPassword))
    {  
      ///.....

Solution

  • That doesn't make sense to me either. The password in the LDAP shouldn't be the actual password itself, it should be a hash of the password. If you retrieve the field and do a comparison, you need to know what kind of hash it's using and hash the password you're comparing yourself in the same way. It also requires that the userPassword attribute in the LDAP be available for retrieval, which shouldn't be necessary I don't think.

    In short, no... I think you should be using bind.