A client asked us if we support LDAP authentication for a Single-Sign-On (SSO). I Googled around and learnt a bit about LDAP.
However, I don't understand whether I should run the bind
operation on some credentials that will be given to me as the app and then look for the user that tried to log in, or I should call the bind
on the credentials the user attempts to login from through our app and as long as the credentials are valid, I consider that the user is logged in.
Thank you.
It's done in three steps:
If any of this fails i.e. including (2), it's a login failure, and note that you don't tell the user which step: you don't tell him 'no such user' or 'invalid password'. You just tell him 'invalid credentials' or similar for both. Otherwise you're leaking information to an attacker.
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments