Authentication is the act of confirming the identity of a principal. Authorization is the act of determining whether to grant or to deny access to a principal. Authentication is done to make authorization decisions.
As explained in Configuring Privileges & Access Control, OpenDJ directory server implements fine-grained access control for authorization. What is authorized depends on who is requesting the operation. Directory servers like OpenDJ must first therefore authenticate the principals using the clients before they can authorize or deny access. The LDAP bind operation, where a directory client authenticates with the directory server, is therefore the first LDAP operation in every LDAP session.
Clients bind by providing both a means to find their principal's entry in the directory and also providing some credentials that the directory server can check against their entry.
In the simplest bind operation, the client provides a zero-length name and a zero-length password. This results in an anonymous bind, meaning the client is authenticated as an anonymous user of the directory. In the simplest examples in Section 6.1, “Searching the Directory”, notice that no authentication information is provided. The examples work because the client commands default to requesting anonymous binds when you provide no credentials, and because access controls for the sample data allow anonymous clients to read, search, and compare some directory data.
In a simple bind operation, the client provides an LDAP name, such as
the DN identifying its entry, and the corresponding password stored on the
userPassword attribute of the entry. In
Section 6.3, “Updating the Directory”, notice that to change directory data the
client provides the bind DN and bind password of a user who has permission
to change directory data. The commands do not work with a bind DN and bind
password because access controls for the sample data only allow authorized
users to change directory data.
Users rarely provide client applications with DNs, however. Instead users might provide a client application with an identity string like a user ID or an email address for example. Depending on how the DNs are constructed, the client application can either build the DN directly from the user's identity string, or use a session where the bind has been done with some other identity to search for the user entry based on the user's identity string. Given the DN constructed or found, the client application can then perform a simple bind.
For example, suppose Babs Jensen enters her email address,
bjensen@example.com, and her password in order to log in.
The client application might search for the entry matching
(mail=bjensen@example.com) under base DN
dc=example,dc=com. Alternatively, the client application
might know to extract the user ID bjensen from the address,
and then build the corresponding DN,
uid=bjensen,ou=people,dc=example,dc=com in order to
bind.
When an identifier string provided by the user can readily be mapped to the user's entry DN, OpenDJ directory server can do the translation between the identifier string and the entry DN. This translation is the job of a component called an identity mapper. Identity mappers are used to perform PLAIN SASL authentication (with a user name and password), SASL GSSAPI authentication (Kerberos V5), SASL CRAM MD5 and DIGEST MD5 authentication. They also handle authorization IDs during password modify extended operations and proxied authorization.
One use of PLAIN SASL is to translate user names from HTTP Basic
authentication to LDAP authentication. The following example shows PLAIN SASL
authentication using the default Exact Match identity mapper. In this
(contrived) example, Babs Jensen reads the hashed value of her password.
(According to the access controls in the example data, Babs must authenticate
to read her password.) Notice the authentication ID is her user ID,
u:bjensen, rather than the DN of her entry.
$ ldapsearch
--port 1389
--useStartTLS
--baseDN dc=example,dc=com
--saslOption mech=PLAIN
--saslOption authid=u:bjensen
--bindPassword hifalutin
"(cn=Babs Jensen)" cn userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==The Exact Match identity mapper searches for a match between the string
provided (here, bjensen) and the value of a specified
attribute (by default the uid attribute). If
you know users are entering their email addresses, you could create an
exact match identity mapper for email addresses, and then use that for PLAIN
SASL authentication as in the following example.
$ dsconfig
create-identity-mapper
--hostname opendj.example.com
--port 4444
--bindDN "cn=Directory Manager"
--bindPassword password
--mapper-name "Email Mapper"
--type exact-match
--set match-attribute:mail
--set enabled:true
--no-prompt
$ dsconfig
set-sasl-mechanism-handler-prop
--hostname opendj.example.com
--port 4444
--bindDN "cn=Directory Manager"
--bindPassword password
--handler-name PLAIN
--set identity-mapper:"Email Mapper"
--no-prompt
$ ldapsearch
--port 1389
--useStartTLS
--baseDN dc=example,dc=com
--saslOption mech=PLAIN
--saslOption authid=u:bjensen@example.com
--bindPassword hifalutin
"(cn=Babs Jensen)" cn userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==The Regular Expression identity mapper uses a regular expression to
extract a substring from the string provided, and then searches for a match
between the substring and the value of a specified attribute. In the case
of example data where an email address is user ID
+ @ + domain, you can use the default Regular
Expression identity mapper in the same way as the email mapper from the
previous example. The default regular expression pattern is
^([^@]+)@.+$, and the part of the identity string matching
([^@]+) is used to find the entry by user ID.
$ dsconfig
set-sasl-mechanism-handler-prop
--hostname opendj.example.com
--port 4444
--bindDN "cn=Directory Manager"
--bindPassword password
--handler-name PLAIN
--set identity-mapper:"Regular Expression"
--no-prompt
$ ldapsearch
--port 1389
--useStartTLS
--baseDN dc=example,dc=com
--saslOption mech=PLAIN
--saslOption authid=u:bjensen@example.com
--bindPassword hifalutin
"(cn=Babs Jensen)" cn userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==Try the dsconfig command interactively to experiment
with match-pattern and replace-pattern
settings for the Regular Expression identity mapper. The
match-pattern can be any regular expression supported by
javax.util.regex.Pattern.
