Previous | Next | Trail Map | Tips for LDAP Users | Security

LDAP Authentication

In LDAP, authentication information is supplied in the "bind" operation. In LDAP v2, a client initiates a connection with the LDAP server by sending the server a "bind" operation containing the authentication information.

In LDAP v3, the "bind" operation serves the same purpose but is optional, and may be sent at any time, possibly more than once, during the connection. A client that sends an LDAP request without doing a "bind" is treated as an anonymous client (see The Anonymous section for details). A client can send a "bind" request in the middle of a connection to change its identity. If the "bind" request is successful, all outstanding requests on the connection that used the old identity are discarded and the connection is associated with the new identity.

The authentication information supplied in the "bind" operation depends on the authentication mechanism that the client chooses. See the next section for a discussion of the authentication mechanisms.

Authenticating to the LDAP Using the JNDI

In the JNDI, authentication information is specified in environment properties. When you create an initial context using the InitialDirContext class, you supply a set of environment properties, some of which might contain authentication information. The environment properties that specify the authentication information are Context.SECURITY_AUTHENTICATION (the mechanism), Context.SECURITY_PRINCIPAL (the identity, typically a distinguished name), and Context.SECURITY_CREDENTIALS (the password or other credentials). When the initial context is created, the underlying LDAP service provider extracts the authentication information from these environment properties and uses the LDAP "bind" operation to pass it to the server.

The following example shows how a client authenticates using a simple clear text password to an LDAP server:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Set up environment for creating initial context
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, 
    "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

// Authenticate as S. User and password "mysecret"
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");

// Create initial context; the LDAP "bind" is sent here (throws NamingException on failure)
DirContext ctx = new InitialDirContext(env);

// ... do something useful with ctx

// Release the connection when done
ctx.close();

Using Different Authentication Information for A Context

If you want to use different authentication information for an existing context, you can use the methods Context.addToEnvironment() and Context.removeFromEnvironment() to update the environment properties containing the authentication information. Subsequent invocations of methods on the context will use the new authentication information when communicating with the server.

The following example shows how the authentication information of a context is changed to "none" after the context has been created.

// env holds the factory and provider URL set up as in the previous example

// Authenticate as S. User and password "mysecret"
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");

// Create initial context
DirContext ctx = new InitialDirContext(env);

// ... do something useful with ctx

// Change to using no authentication; the next operation on ctx runs as an anonymous client
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "none");

// ... do something useful with ctx

Authentication Failures

Authentication can fail for a number of reasons.

If you supply incorrect authentication information, such as an incorrect password or principal name, an AuthenticationException is thrown. Here's an example that is a variation of the example above. This time, an incorrect password is supplied and causes the authentication to fail.

// Authenticate as S. User and give incorrect password
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "notmysecret");

This fails with the AuthenticationException:

javax.naming.AuthenticationException: [LDAP: Invalid Credentials]
        at java.lang.Throwable.<init>(Compiled Code)
        at java.lang.Exception.<init>(Compiled Code)
        ...

Because different servers support different authentication mechanisms, you might request an authentication mechanism that the server does not support. In that case, an AuthenticationNotSupportedException is thrown. Here's an example that is a variation of the example above. This time, an unsupported authentication mechanism ("custom") is supplied and causes the authentication to fail.

// Authenticate as S. User and password "mysecret" using the unsupported mechanism "custom"
env.put(Context.SECURITY_AUTHENTICATION, "custom");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");

This fails with the AuthenticationNotSupportedException:

javax.naming.AuthenticationNotSupportedException: Unsupported value for java.naming.security.authentication property.
        at java.lang.Throwable.<init>(Compiled Code)
        at java.lang.Exception.<init>(Compiled Code)
        at javax.naming.NamingException.<init>(Compiled Code)
        ...

Note that the Netscape Directory Server 3.11 sends back the wrong error code when an authentication mechanism it does not support is requested, resulting in a CommunicationException being thrown instead.
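The following is an added example, not code from the JNDI tutorial, that puts the three failure modes above behind one method so that callers get a distinct outcome for bad credentials, an unsupported mechanism, and a connection-level failure (the last is what the Netscape 3.11 quirk produces). It reuses the tutorial's sample server URL, principal DN and passwords; the class and enum names are assumptions. It also adds the check a practitioner wants before a simple bind: an empty password is not a failed login but an unauthenticated bind (RFC 4513, section 5.1.2), which many servers accept, so the caller would see a successful InitialDirContext and wrongly conclude the password was verified.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example (not from the JNDI tutorial); class and enum names are assumptions.
public class LdapBindCheck {

    // Outcome of a bind attempt, so callers need not inspect exception types themselves.
    public enum Outcome { AUTHENTICATED, BAD_CREDENTIALS, MECHANISM_UNSUPPORTED, SERVER_UNREACHABLE }

    public static Outcome tryBind(String url, String mechanism, String principal, String password) {
        // Refuse empty credentials before contacting the server: with "simple"
        // authentication an empty password is an unauthenticated bind, which
        // servers may accept without checking any password at all.
        if (principal == null || principal.isEmpty() || password == null || password.isEmpty()) {
            return Outcome.BAD_CREDENTIALS;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the LDAP "bind" is sent here
            return Outcome.AUTHENTICATED;
        } catch (AuthenticationNotSupportedException e) {
            // Mechanism rejected, e.g. the tutorial's "custom" value
            return Outcome.MECHANISM_UNSUPPORTED;
        } catch (AuthenticationException e) {
            // "[LDAP: Invalid Credentials]"; log the principal if needed, never the password
            return Outcome.BAD_CREDENTIALS;
        } catch (CommunicationException e) {
            // Connection-level failure, or a server that returns the wrong error code
            return Outcome.SERVER_UNREACHABLE;
        } catch (NamingException e) {
            throw new IllegalStateException("unexpected LDAP failure", e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        String url = "ldap://localhost:389/o=JNDITutorial";
        String dn = "cn=S. User, ou=NewHires, o=JNDITutorial";
        System.out.println(tryBind(url, "simple", dn, "mysecret"));     // correct password
        System.out.println(tryBind(url, "simple", dn, "notmysecret"));  // wrong password, as in the tutorial
        System.out.println(tryBind(url, "custom", dn, "mysecret"));     // unsupported mechanism, as in the tutorial
        System.out.println(tryBind(url, "simple", dn, ""));             // rejected locally, no bind is sent
    }
}
```

AuthenticationException and AuthenticationNotSupportedException are sibling subclasses of NamingSecurityException, so the catch order is not significant; CommunicationException is caught separately because it is the only one of the three that does not mean the credentials were evaluated. Since "simple" authentication sends the password in clear text, the same code should be pointed at an ldaps:// URL or a StartTLS-protected connection on any network that is not trusted.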
