LDAP authentication with restricted security principal
Lately, I have setting up Atricore’s ID Provider with an LDAP authentication. I had a specific issue with LDAP authentication that took me a couple of days to figure out. In LDAP terminology, you can use a
BINDDN to authenticate and search for users and objects in an LDAP. Basically, it’s also is a user with specific permissions; e.g. authenticate a user and search for user properties. However, it seems that it is a common practice that this specific LDAP user is usually restricted to access the user’s password. On the other, the common libraries and frameworks in Java that connect to LDAP use a search filter to fetch user’s basic properties such as username and password and then try to attempt the authentication for the user. This approach, however, creates a problem that since
BINDN user is not allowed to fetch the user’s password, it fails to continue to authenticate the user. Usually, what it is done is that to add more specific ACLs on LDAP configuration that such applications can have access to read the user’s password. And this will resolve the issue. On a side note, I am also starting to like Apache DS.