Previous | Next | Trail Map | Tips for LDAP Users | Security

Simple Authentication

Simple authentication consists of sending the LDAP server the fully qualified distinguished name of the client (user) and the client's clear-text password (see RFC 2251 and draft-ietf-ldapext-authmeth-04.txt). This mechanism is insecure on its own because anyone who can observe the network can read the password. To avoid exposing the password in this way, use the simple authentication mechanism only inside an encrypted channel (such as SSL/TLS), if the LDAP server supports one.

Both LDAP v2 and LDAP v3 support simple authentication.

To use the simple authentication mechanism, you must set the three authentication environment properties as follows:

Context.SECURITY_AUTHENTICATION ("java.naming.security.authentication")
"simple"

Context.SECURITY_PRINCIPAL ("java.naming.security.principal")
The fully qualified distinguished name of the entity being authenticated (e.g., "cn=S. User, ou=NewHires, o=JNDITutorial"). It is of type java.lang.String.

Context.SECURITY_CREDENTIALS ("java.naming.security.credentials")
The password of the principal (e.g., "mysecret"). It is of type java.lang.String, char array (char[]), or byte array (byte[]). If the password is a java.lang.String or a char array, it is encoded using UTF-8 for LDAP v3 and ISO-Latin-1 for LDAP v2 for transmission to the server. If the password is a byte[], it is transmitted as is to the server.
See the example earlier in this section that illustrates how to use simple authentication.

Note: If you supply an empty string, an empty byte/char array or null to the Context.SECURITY_CREDENTIALS environment property, the authentication mechanism will be "none" regardless of the setting of Context.SECURITY_AUTHENTICATION. This is because LDAP requires a nonempty password for any type of authentication, so the provider silently converts the bind to "none" (an anonymous bind) when no password is supplied. Such a bind succeeds without verifying anything. An application that authenticates users by performing a simple bind with the password they typed must therefore reject an empty password itself, before building the environment; otherwise a user who submits an empty password appears to authenticate successfully.
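The following is an added example, not code from the JNDI tutorial itself, showing the three properties above in use together with the two practitioner safeguards this section calls for: the bind is made over an SSL/TLS channel (Context.SECURITY_PROTOCOL set to "ssl" against port 636), and an empty password is rejected before the environment is built so the bind can never be downgraded to "none". The host ldap.example.com and the class and method names are assumptions for illustration; the principal DN and password are the ones used in the tutorial's text.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class SimpleBind {

    /**
     * Builds the JNDI environment for a simple bind over SSL/TLS.
     * Throws if the password is empty: JNDI would otherwise turn the bind
     * into an anonymous ("none") bind that succeeds for any principal.
     */
    static Hashtable<String, Object> simpleBindEnv(String url, String userDn, char[] password) {
        if (password == null || password.length == 0) {
            throw new IllegalArgumentException(
                "empty password would be sent as an anonymous bind, refusing");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Encrypt the channel: the simple bind sends the password in clear text.
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        // A char[] is UTF-8 encoded for LDAP v3 and, unlike a String, can be wiped afterwards.
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /**
     * Attempts the bind. Returns true on success, false if the server rejects the
     * credentials; other failures (e.g. the server is unreachable) propagate.
     * The password array is cleared whatever the outcome.
     */
    static boolean authenticate(String url, String userDn, char[] password) throws NamingException {
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(simpleBindEnv(url, userDn, password));
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            Arrays.fill(password, '\0');
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        String url = "ldap://ldap.example.com:636"; // assumed host; port 636 for SSL
        String dn = "cn=S. User, ou=NewHires, o=JNDITutorial";

        // The guard fires before any connection is made.
        try {
            simpleBindEnv(url, dn, new char[0]);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A real bind against the (assumed) server.
        boolean ok = authenticate(url, dn, "mysecret".toCharArray());
        System.out.println(ok ? "bind succeeded" : "invalid credentials");
    }
}
```

Only AuthenticationException is mapped to "invalid credentials"; a CommunicationException or other NamingException is allowed to propagate so that an unreachable or misconfigured server is not mistaken for a bad password.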

