
Re: OT: Confused about LDAP in general

Although there are differences between APIs, most of them probably support, to a large extent, the RFC 1823 v2 API (ftp://ftp.isi.edu/in-notes/rfc1823.txt), i.e. basic LDAP bind, search, etc. should work. There was a push for an updated API for v3 but unfortunately it died in committee; the last draft is at http://www.watersprings.org/pub/id/draft-ietf-ldapext-ldap-c-api-05.txt. Many v3 APIs support much of this draft.


If your app just does simple authentication, then the most popular ways I've seen are to (a) try a simple LDAP bind to the server using the username and password the user provided, in a preset base subtree, or (b) have a "proxy user" with search permissions in the user directory, pull the user and their password hash, and compare that to a hash of the password supplied.

A nice example of using LDAP as auth is auth_ldap for Apache: http://www.rudedog.org/auth_ldap/ . Check out the documentation.

IMHO, if you want your app to be source compatible with the most LDAP implementations, then try to stick as close as you can to the RFC or draft.

For a simple LDAP auth, that should be easy.

--Kervin


k15a-list-openldap@mail.theotherbell.com wrote:
Not really confused about LDAP itself but terribly confused about
implementations and how one would deal with the subtle differences
between them.  I understand what LDAP is and I have OpenLDAP up and
running just fine and I've been able to play with the directory and
some basic client applications.

Where I'm confused is this:  there are several well-known LDAP
implementations (OpenLDAP, Netscape, IBM, etc.) and a couple of LDAP
API's (JNDI for one).  I've found lots of documents that discuss
LDAP-based security and I understand that LDAP is based somewhat on
X.500/X.509 and for the most part, the authentication stuff makes
sense.

Where I get really hung up is on authorization. I understand
groupOfNames and I've actually seen it used in LDAP schemas. But it
seems like every LDAP server has done its own tweaking here and there
so things are slightly different between the various implementations.
I'm confused as to how I -- as a developer -- would develop an
application that uses an existing LDAP implementation for
authenticating whether a given user has the right to perform a given
task.

As best as I can tell, there would be some DN that sets the security
context... and some concept of roles (groupOfNames) within that
context where a given user either is or is not a member. Would LDAP
authorization be this simple or have I completely missed the boat?
I've searched the web high and low for detailed information on the
authorization subject and haven't really come up with anything I can
sink my teeth into.
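The two approaches Kervin describes, as an added example that is not part of this thread: building the bind DN for approach (a) and the search filter for approach (b) with the username escaped first (an unescaped username lets a caller change which entry is looked up), plus the hash comparison for approach (b) against an OpenLDAP-style {SSHA} userPassword value, done in constant time. The base DN, usernames and salt are constructed sample values; no directory is contacted, and approach (b) only works at all if the proxy user is allowed to read userPassword, which is a right to grant sparingly.

```python
import base64
import hashlib
import hmac

BASE_DN = "ou=people,dc=example,dc=com"  # constructed "preset base subtree"

def dn_escape(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def filter_escape(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515 rules)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def bind_dn_for(username: str) -> str:
    """Approach (a): the DN the app would try a simple bind as."""
    return "uid=%s,%s" % (dn_escape(username), BASE_DN)

def search_filter_for(username: str) -> str:
    """Approach (b): the filter the proxy user would search with."""
    return "(uid=%s)" % filter_escape(username)

def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_userpassword(stored: str, candidate: str) -> bool:
    """Approach (b): compare the supplied password against a {SSHA}/{SHA} value."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.upper()
    if scheme not in ("{SSHA", "{SHA"):
        return False  # other schemes deliberately not handled here
    raw = base64.b64decode(b64)
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    else:
        digest, salt = raw, b""
    calc = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)  # constant-time comparison
```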