One of my current projects requires authenticating against an LDAP directory. I initially assumed that you would get the password from the directory, then compare it with the user supplied password. That's the wrong way.

The correct way is simpler. Just try to bind the user to the LDAP directory. If it works, you have the correct password, if it doesn't, the password or username is wrong. 

If your directory allows anonymous binds, then you will want to make sure that a password is actually sent with the bind.. Otherwise your user could log in without a password at all... 'Course, I'd reccomend against anonymous binds in the first place.

My project is in PHP, but I would assume the same methodolgy would work for any language.