Best practices for LDAP authentication

Introduction

You will find here some best practices to code LDAP authentication in your applications:

  • Use a filter to recover user DN: do not build DN with a concatenation of login and branch

  • Use service account to query LDAP: some directories will not allow anonymous access

Search and Bind

Here is a standard LDAP authentication workflow:

  1. A bind is done with a Directory Service Account (that has read rights on user entries)

  2. A search is done with the user identifier in the filter, for example:

Search base

ou=users,dc=example,dc=com

Search filter

(&(uid=<user identifier>)(objectClass=person))

Search scope

one

Search attributes

uid

  1. The DN of the user is found in the result. If more of one entry is returned, or no entry is returned, there should be an error.

  2. A bind is done with the DN found and the password submitted by the user. If the operation fails (error code 49), the password is wrong.