LDAP: Authorization Identity and BIND


To demonstrate the authorization identity at successive stages in the life of a connection to an LDAP-compliant server, the following code fragment:

  1. connects and does not authenticate
  2. authenticates successfully (a simple bind with the DN and password given by --bindDn and --bindPassword)
  3. attempts to authenticate but fails
  4. transmits a bind request with an empty DN and an empty password (an anonymous bind, RFC 4513 section 5.1.1)

The expected results are:

  1. unauthenticated (anonymous)
  2. the authorization identity of the DN given by --bindDn
  3. unauthenticated (anonymous): a failed bind leaves the connection in the anonymous state (RFC 4511 section 4.2.1)
  4. unauthenticated (anonymous)

The authorization identity (taken from the response to a Who Am I? extended request, RFC 4532) is displayed after each step; an anonymous connection has no authorization identity, and the server used here reports it as a bare 'dn:'. One caveat a practitioner should keep in mind: a bind request with a non-empty DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which a server may accept with a success result while still leaving the connection anonymous, so an application must never treat "the bind did not fail" as proof that a password was checked.

The complete code is here.


    // This fragment is the body of a method that returns a ResultCode.
    // commandLineOptions holds the parsed --hostname, --port, --bindDn and
    // --bindPassword options (see the complete code). It needs the following
    // UnboundID LDAP SDK imports:
    //
    //   import com.unboundid.ldap.sdk.LDAPConnection;
    //   import com.unboundid.ldap.sdk.LDAPException;
    //   import com.unboundid.ldap.sdk.ResultCode;
    //   import com.unboundid.ldap.sdk.SimpleBindRequest;
    //   import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedRequest;
    //   import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedResult;

    LDAPConnection ldapConnection = null;
    try
    {
      String format = "%-64s '%s'";

      /*
       * Connect to directory server, do not authenticate the connection.
       * A freshly connected LDAP session is anonymous.
       */
      ldapConnection =
              new LDAPConnection(commandLineOptions.getHostname(),commandLineOptions.getPort());

      WhoAmIExtendedResult whoAmIExtendedResult =
              (WhoAmIExtendedResult)ldapConnection
                      .processExtendedOperation(new WhoAmIExtendedRequest());
      String msg = String.format(format,"Authorization identity after initial connection",
                                 whoAmIExtendedResult.getAuthorizationID());
      System.out.println(msg);


      /*
       * Authenticate (simple bind) using the distinguished name and password specified
       * by the --bindDn and --bindPassword command line options.
       */
      ldapConnection.bind(new SimpleBindRequest(commandLineOptions.getBindDn().toString(),
              commandLineOptions.getBindPassword()));

      whoAmIExtendedResult =
              (WhoAmIExtendedResult)ldapConnection
                      .processExtendedOperation(new WhoAmIExtendedRequest());
      msg = String.format(format,"Authorization identity after simple bind",
                          whoAmIExtendedResult.getAuthorizationID());
      System.out.println(msg);


      /*
       * Transmit a bind request to the server that will not succeed ("x" is
       * not a valid DN and has no credentials). The SDK throws an LDAPException
       * for the non-success result; per RFC 4511 section 4.2.1 the failed bind
       * leaves the connection in the anonymous state.
       */
      try
      {
        ldapConnection.bind(new SimpleBindRequest("x","x"));
      }
      catch(LDAPException ldapException)
      {
        // expected: the bind result is not SUCCESS
      }

      whoAmIExtendedResult =
              (WhoAmIExtendedResult)ldapConnection
                      .processExtendedOperation(new WhoAmIExtendedRequest());
      msg = String.format(format,"Authorization identity after unsuccessful authentication attempt",
                          whoAmIExtendedResult.getAuthorizationID());
      System.out.println(msg);


      /*
       * "Reset" the authorization identity of the connection by transmitting
       * a bind request with a zero-length (empty) distinguished name and
       * empty password: an anonymous bind (RFC 4513 section 5.1.1).
       */
      ldapConnection.bind(new SimpleBindRequest("",""));

      whoAmIExtendedResult =
              (WhoAmIExtendedResult)ldapConnection
                      .processExtendedOperation(new WhoAmIExtendedRequest());
      msg = String.format(format,"Authorization identity after reset",
                          whoAmIExtendedResult.getAuthorizationID());
      System.out.println(msg);
    }
    catch(final LDAPException ldapException)
    {
      ldapException.printStackTrace();
      return ldapException.getResultCode();
    }
    finally
    {
      // close the connection whether or not every step completed
      if(ldapConnection != null)
      {
        ldapConnection.close();
      }
    }


    return ResultCode.SUCCESS;

The results (one line per step, as printed by the "%-64s '%s'" format):

Authorization identity after initial connection                  'dn:'
Authorization identity after simple bind                         'dn:cn=Directory Manager,cn=Root DNs,cn=config'
Authorization identity after unsuccessful authentication attempt 'dn:'
Authorization identity after reset                               'dn:'
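As an added example that is not code from the original post or from the UnboundID LDAP SDK, the following Python builds the simple BindRequest and Who Am I messages at the wire level (RFC 4511, RFC 4532), classifies each bind the way RFC 4513 section 5.1 does, and models the application-side guard against the empty-password case, including the unauthenticated bind (non-empty DN, empty password) that a permissive server accepts while leaving the connection anonymous. The function names, the DIRECTORY contents and the permissive server model are assumptions constructed for the example.

```python
# Added example; not code from the original post or from the UnboundID LDAP SDK.
# Builds the LDAPv3 simple BindRequest and Who Am I PDUs by hand (RFC 4511,
# RFC 4532), classifies simple binds as RFC 4513 section 5.1 does, and shows the
# application-side guard for empty passwords. DIRECTORY and permissive_bind are
# constructed for the example; no directory server is contacted.

WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"  # Who Am I extended operation, RFC 4532
DIRECTORY = {"cn=Directory Manager,cn=Root DNs,cn=config": "password"}  # constructed


def ber_tlv(tag: int, content: bytes) -> bytes:
    """BER tag-length-value with definite-length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def ber_int(value: int) -> bytes:
    """BER INTEGER with minimal two's-complement content."""
    return ber_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first
    if first >= 0x80:  # long form: low 7 bits give the number of length octets
        n = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + n], pos + n

def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }"""
    return ber_tlv(0x30, ber_int(message_id) + protocol_op)

def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name LDAPDN,
    authentication simple [0] OCTET STRING } (RFC 4511 section 4.2)."""
    op = ber_int(3) + ber_tlv(0x04, dn.encode()) + ber_tlv(0x80, password.encode())
    return ldap_message(message_id, ber_tlv(0x60, op))

def decode_simple_bind(pdu: bytes):
    """Inverse of simple_bind_request: returns (messageID, version, dn, password).
    Useful for spotting empty-password binds in a captured PDU."""
    _, msg, _ = ber_read(pdu)
    _, mid, p = ber_read(msg)
    tag, bind, _ = ber_read(msg, p)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, p = ber_read(bind)
    _, name, p = ber_read(bind, p)
    auth_tag, pw, _ = ber_read(bind, p)
    if auth_tag != 0x80:
        raise ValueError("not a simple bind")
    return int.from_bytes(mid, "big", signed=True), ver[0], name.decode(), pw.decode()

def whoami_request(message_id: int) -> bytes:
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID };
    Who Am I carries no requestValue."""
    return ldap_message(message_id, ber_tlv(0x77, ber_tlv(0x80, WHOAMI_OID.encode())))

def classify_simple_bind(dn: str, password: str) -> str:
    """RFC 4513 section 5.1: anonymous (both empty), unauthenticated (name but no
    password), name/password (both). An empty name with a password is left undefined."""
    if not password:
        return "anonymous" if not dn else "unauthenticated"
    return "name/password" if dn else "undefined"

def parse_authz_id(authz_id: str) -> dict:
    """Who Am I authzId (RFC 4532): '' is anonymous, as is the bare 'dn:' some servers report."""
    if authz_id in ("", "dn:"):
        return {"form": "anonymous", "value": ""}
    for prefix in ("dn:", "u:"):
        if authz_id.startswith(prefix):
            return {"form": prefix[:-1], "value": authz_id[len(prefix):]}
    raise ValueError("unrecognised authzId: " + authz_id)

def permissive_bind(dn: str, password: str) -> str:
    """Constructed model of a server that accepts unauthenticated binds. Returns the
    authzId a following Who Am I would report, or raises as a failed bind would."""
    kind = classify_simple_bind(dn, password)
    if kind in ("anonymous", "unauthenticated"):
        return "dn:"  # resultCode is success, but the connection has no identity
    if kind == "name/password" and DIRECTORY.get(dn) == password:
        return "dn:" + dn
    raise PermissionError("invalidCredentials")  # connection is anonymous afterwards

def login(dn: str, password: str, bind=permissive_bind):
    """Application guard: refuse empty credentials before binding, then accept the
    user only if Who Am I reports a DN. Returns the authenticated DN or None."""
    if not dn or not password:
        return None
    try:
        parsed = parse_authz_id(bind(dn, password))
    except PermissionError:
        return None
    return parsed["value"] if parsed["form"] == "dn" else None
```

The two checks in login are deliberately independent: the empty-password refusal stops the unauthenticated bind from ever being sent, and the Who Am I check catches any path on which a success result arrived without an identity behind it.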


About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.
This entry was posted in computing, Java, LDAP, UnboundID LDAP SDK.

2 Responses to LDAP: Authorization Identity and BIND

  1. Beginner says:

    incomplete code, but thanks

  2. The post now has a link to the file containing the complete display of the BIND sequence.
