Are you maybe overthinking this? Shouldn't you just be passing the
submitted credentials along to the LDAP connection bind, and if it
works, you say "Hooray, you're logged in" and if it doesn't, you say
"Sorry, bad user/password combination"? That is, you don't do any hash
comparisons on your own, the LDAP service does it for you. Your only
responsibility is to pass off the submitted password as rapidly as
possible and forget about it.
--
46. If an advisor says to me "My liege, he is but one man. What can one
man possibly do?", I will reply "This." and kill the advisor.
--Peter Anspach's list of things to do as an Evil Overlord
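As an added example (not part of this thread), here is the bind-as-the-user flow the reply describes, in Python: the submitted password is handed straight to the directory bind, never hashed or stored by the application, and the bind result alone decides the login. The `ldap3` usage, the `uid=...,ou=people` DN layout and the server URI are assumptions; the in-memory directory is constructed so the logic runs offline.

```python
"""Web login by binding to LDAP as the user (added example, not from the thread)."""
from typing import Callable

# Characters that must be escaped inside a DN attribute value (RFC 4514),
# so a username like "bob,ou=admins" cannot change the DN's structure.
_DN_ESCAPE = {",": r"\,", "+": r"\+", '"': r"\"", "\\": r"\\", "<": r"\<",
              ">": r"\>", ";": r"\;", "=": r"\=", "\x00": r"\00"}

def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value for use as one RDN attribute value."""
    chars = [_DN_ESCAPE.get(ch, ch) for ch in value]
    if chars and value[0] in (" ", "#"):      # leading space or '#' is special
        chars[0] = "\\" + chars[0]
    if len(value) > 1 and value[-1] == " ":   # so is a trailing space
        chars[-1] = "\\ "
    return "".join(chars)

# A binder takes (bind_dn, password) and returns True if the server accepts it.
BindFn = Callable[[str, str], bool]

def authenticate(username: str, password: str, bind: BindFn,
                 base_dn: str = "ou=people,dc=example,dc=com") -> bool:
    """True only if the directory accepts a simple bind as this user."""
    # RFC 4513: a DN with an empty password is an *unauthenticated* bind, which
    # many servers accept. Reject it here, before the server ever sees it.
    if not username or not password:
        return False
    bind_dn = f"uid={escape_dn_value(username)},{base_dn}"
    try:
        return bool(bind(bind_dn, password))
    except Exception:
        # Unreachable server or a bind error surfaced as an exception: the
        # caller only ever learns "bad user/password combination".
        return False
    # The password was passed through once and is not retained anywhere.

def ldap3_simple_bind(server_uri: str = "ldaps://ldap.example.com") -> BindFn:
    """Binder backed by the ldap3 library (assumed API; URI is a placeholder)."""
    def _bind(bind_dn: str, password: str) -> bool:
        import ldap3  # imported lazily so this module loads without ldap3
        conn = ldap3.Connection(ldap3.Server(server_uri, get_info=ldap3.NONE),
                                user=bind_dn, password=password)
        try:
            return conn.bind()
        finally:
            conn.unbind()
    return _bind

def fake_directory(accounts: dict) -> BindFn:
    """Constructed stand-in for a directory: {bind_dn: password}."""
    return lambda dn, pw: accounts.get(dn) == pw
```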