You need to bind to the directory to test the password: the directory does not store the password itself, only its hash, and that hash can only be read if your user DN has the required privilege.
The code example below connects to an LDAP(S) directory using an application DN, looks up the user's full DN from their uid, and then binds with that user DN and the supplied password to check whether the password is correct.
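#! /usr/bin/perl
# Verify an LDAP user's password: look up the user's DN with an application
# account, then bind to the directory as that user with the given password.
#http://search.cpan.org/~gbarr/perl-ldap-0.30/lib/Net/LDAP.pod
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP;

# Connection settings, read by getUserDn() and testGuid().  $ldaps selects
# Net::LDAPS (TLS) over plain Net::LDAP; with plain LDAP the application
# password and the user password cross the network in clear text.
my $host  = "myhost:389";
my $ldaps = 0;

# Application account used only for the uid -> DN lookup.
# NOTE(review): the password is a literal here for the example; in real
# code read it from a protected file or the environment instead.
my $adminDn    = "cn=myapp, ou=applications, o=MyOrg";
my $adminPwd   = "password";
my $searchBase = "ou=people, o=MyOrg";

my $userdn = testGuid("myGUID", "password");
print "$userdn checks out!\n" if $userdn;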
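sub getUserDn
{
    # Resolve the DN of the entry whose uid attribute equals $guid.
    #
    # Connects to $host (LDAPS when $ldaps is true), binds with the
    # application credentials $adminDn/$adminPwd, searches under
    # $searchBase and returns the matching entry's DN.  Returns nothing
    # (undef in scalar context) when the bind fails, the search fails, or
    # the uid does not match exactly one entry.  Dies if the connection
    # itself cannot be made.
    my ($guid) = @_;
    return unless defined $guid && length $guid;

    my $ldap;
    if ($ldaps) {
        # NOTE(review): verify => 'none' disables server certificate
        # checking, so the application password is sent to whatever host
        # answers at $host; use verify => 'require' with a CA path when
        # this leaves the test bench.
        $ldap = Net::LDAPS->new($host, verify => 'none') or die "$@";
    }
    else {
        $ldap = Net::LDAP->new($host, verify => 'none') or die "$@";
    }

    my $dn;
    my $mesg = $ldap->bind($adminDn, password => $adminPwd);
    if (!$mesg->code) {
        # $guid is caller-supplied, so it is escaped before it is
        # interpolated into the filter (RFC 4515 section 3); a value
        # containing '*', '(' or ')' would otherwise change the filter's
        # meaning instead of being matched literally.
        my $safe_guid = _escape_filter_value($guid);
        $mesg = $ldap->search(
            base   => $searchBase,
            filter => "(uid=$safe_guid)",
        );

        # Exactly one match is required: with none there is nobody to
        # authenticate, with several the identity is ambiguous.  The entry
        # is no longer dumped to STDOUT (that printed every attribute of
        # the matched user).
        if (!$mesg->code && $mesg->count == 1) {
            my $entry = $mesg->shift_entry;
            $dn = $entry->dn;
        }
    }

    # Release the connection on every path, including bind/search failure.
    $ldap->unbind;
    return $dn;
}

# Escape the characters RFC 4515 reserves inside an attribute value
# (backslash, '*', '(', ')' and NUL) as \XX hex sequences so the value can
# be interpolated into a search filter and matched literally.
sub _escape_filter_value
{
    my ($value) = @_;
    $value =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    return $value;
}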
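sub testGuid
{
    # Check a uid/password pair by binding to the directory as that user.
    #
    # Resolves the user's DN with getUserDn() and then performs a simple
    # bind with the supplied password.  Returns the user DN when the bind
    # succeeds and nothing (undef in scalar context) otherwise.  The
    # directory's error text is printed when the bind is rejected.
    my ($guid, $userPwd) = @_;

    # A simple bind with a DN and an empty password is an "unauthenticated"
    # bind (RFC 4513 section 5.1.2), which a server may treat as anonymous
    # and accept -- the bind would then succeed without any credential
    # being checked.  Refuse it here so an empty password never validates.
    return unless defined $userPwd && length $userPwd;

    my $userDn = getUserDn($guid);
    return unless $userDn;

    my $ldap;
    if ($ldaps) {
        # NOTE(review): verify => 'none' skips server certificate checks;
        # the user's password is then sent to whatever answers at $host.
        $ldap = Net::LDAPS->new($host, verify => 'none') or die "$@";
    }
    else {
        $ldap = Net::LDAP->new($host, verify => 'none') or die "$@";
    }

    my $mesg = $ldap->bind($userDn, password => $userPwd);
    my $bound = !$mesg->code;
    if (!$bound) {
        # Bad bind: report the directory's reason (wrong password, locked
        # account, ...) -- the message never includes the password itself.
        print $mesg->error . "\n";
    }

    # Drop the connection whether or not the bind succeeded.
    $ldap->unbind;
    return unless $bound;
    return $userDn;
}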