NERD TOPIC: Directory Services Help
Posted: February 1st, 2010, 12:13 pm
Anybody familiar with directory services like LDAP or Active Directory? I need to pick someone's brain on this topic.
-=OUR HOUSE=- A Forum for Fans of Duke Sports
https://crazietalk.net/ourhouse/
yes. AD anyways.Miles wrote:Anybody familiar with directory services like LDAP or Active Directory?
I've done some development building interfaces to directories using LDAP. Particularly, I've built some Java classes that we used to pull information from Oracle Internet Directory using standard LDAP calls. I've also written a tiny bit of PL/SQL to pull LDAP data into a procedure in an Oracle DB.CameronBornAndBred wrote:yes. AD anyways.Miles wrote:Anybody familiar with directory services like LDAP or Active Directory?
Welll...then we don't either.Miles wrote:Ugh, I don't even know where to start.
If it's going to be used in any self-respecting enterprise environment it's a must.Miles wrote:For starters: when should my product support LDAP? I'll think of more later and try to come back with well-formed questions.
As far as I can tell, the only applied use we'd get out of supporting LDAP is user authentication, which I recognize is huge. But how would a customer go about integrating our product, assuming it supported LDAP? Here's some background.DukeUsul wrote:If it's going to be used in any self-respecting enterprise environment it's a must.Miles wrote:For starters: when should my product support LDAP? I'll think of more later and try to come back with well-formed questions.
I wouldn't slurp all the user info in. I would turn the authentication routine into a hook into the LDAP system. Pass off the actual authentication to the directory. All good directories only store a hashed/encrypted password, so if you sucked the password in, you'd not have the key to actually verify the password against it. Just pass the authentication request off to the directory, get a success/fail message back and go from there.Miles wrote:As far as I can tell, the only applied use we'd get out of supporting LDAP is user authentication, which I recognize is huge. But how would a customer go about integrating our product, assuming it supported LDAP? Here's some background.DukeUsul wrote:If it's going to be used in any self-respecting enterprise environment it's a must.Miles wrote:For starters: when should my product support LDAP? I'll think of more later and try to come back with well-formed questions.
Our product guides users through a digital workflow associated with color proofing. Customers can design an automated workflow that assigns tasks to other users based upon the file status, and a few other key metadata fields. In a non-LDAP integrated installation, customers create User Accounts and then assign them roles and responsibilities.
Now here's my question. So I "point" my user database at the LDAP server and suck in a bunch of user accounts? This gets me usernames, passwords, and their metadata (address, phone number, email, etc.) right? What about assigning roles to those users? Are they now slurped into my database (MySQL) where they have unique ids? What does it look like on our side?
Is that open-ended enough? Thanks for taking your time to answer and feel free to school me or point me in a direction where I can learn some stuffs.
Great explanation. I think I can see how this works now. We'll definitely need to extract metadata like usernames, address, phone numbers, emails etc from the directory because our product processes reports that use this metadata. The info is displayed in reports and is used to build filters to sort data.DukeUsul wrote:I wouldn't slurp all the user info in. I would turn the authentication routine into a hook into the LDAP system. Pass off the actual authentication to the directory. All good directories only store a hashed/encrypted password, so if you sucked the password in, you'd not have the key to actually verify the password against it. Just pass the authentication request off to the directory, get a success/fail message back and go from there.
I can pass you more info on how to do that if needed.
This is the #1 benefit of leveraging the LDAP - your users passwords will be synchronized with what's in the directory, and your normal password reset/help desk process can handle users who get locked out. You can also use whatever existing process exists to create those user accounts in the first place.
I think the question of whether to store user roles in your app database or in the directory is a more fine-grained question. It's possible to create groups in the LDAP directory and put users in them using your directory tools. Then when you authenticate them, at the same time ask the LDAP to return the list of groups the user is a member of. All you need to store in the DB is the mapping of group to privilege. We do this quite a bit, since we have custom applications and COTS products that all rely on the same group membership in the LDAP to assign privileges. It's easier to just do it in the directory than to have to incorporate it into multiple systems.
You could go even further and store NO user information in your tables ... you could just use LDAP calls to get user names, phone numbers, emails, etc.