I am making a portal for my organization in which I want the user to login to that portal with their organization acoount's ID and password.

For this purpose I am using LDAP authentication with Java.

After reading through quite a few articles, I found the following steps for authentication:

1. bind to LDAP server using some binding or technical account

2. search for the user details in LDAP server who is trying to log in

3. try to bind to server again with user's Distinguished name and password.

Question 1: Is that all?

Is the above process exactly correct or I am missing some info as I am a novice programmer? And what does binding mean conceptually?

Question 2: Why use a bind account?

I wonder what is the need of binding account? If directly I try to bind the LDAP server with user's credential and if it is successful, then can I give him the access?

I have JXplorer tool in which i am able to connect to LDAP server with my own organization's credential. So I was thinking what is the need of first binding to LDAP server with some other account?

question 1- Is the above process exactly correct

Yes.

question 2- I wonder what is the need of binding account?

Yes. You need to search the directory to find the user DN, and you don't want the general unauthenticated public to be able to search the directory.

if directly I try to bind the ldap server with user's credential and if it is successful, then can I give him the access?

You don't have the user's credentials to start with. You have his login name, or email address, or CN, or something that he uses to identity himself, but which is only an attribute of some entry. You need to find that entry and get its DN for authentication.

I have jexplorer tool in which I am able to connect to LDAP server with my own organization's credentials. So i was thinking what is the need of first binding to LDAP server with some other account?

See above. You don't want the user to have to remember his entire DN the way you do with JXplorer.

Reasons for Question #2: (Why use a bind account, instead of current user credentials)

1. During authorization scenarios e.g. for obtaining list of groups for current user, you might not have current user password. Thus you cannot authenticate.

2. You might have a need to to synchronize users of certain groups from LDAP server to your App database e.g. on hourly basis. Without a bind user, you won't have credentials to do this operations asynchronously.

3. Your LDAP server might have restrictions where current user might not have access to navigate certain paths that you need. Only bind user account might have that access.

4. Similar to paths, current user might not have read/write access to certain attributes which bind user might have.

5. Your LDAP server requires current user full dn in order to authenticate. If the path is not predictable by your app, finding this dn requires a search operations which LDAP server might not allow anonymously. Thus you need a bind user.

Apart of scenarios like above, I do not think bind user is needed if one simply can use current user for bind and run authorization checks in one step.