Hi, there. I'm interested in best practices for using LDAP authentication in a Java-based web application. In my app I don't want to store username\password, only some ID. But I want to retrieve additional information (Name, Last name) if any exists in the LDAP catalog.
My team uses LDAP as a standard way of authentication. Basically, we treat LDAP as any other database.
To add a user to the application, you have to pick one from LDAP or create it in LDAP; when a user is deleted from the application, it stays in LDAP but has no access to the application.
You basically need to store only the LDAP username locally. You can either read LDAP data (e-mail, department, etc.) from LDAP each time, or pull it into the application in some way, though reading it from LDAP is probably simpler and smarter since LDAP data can change. Of course, if you need reporting or use LDAP data extensively, you might want to pull it from LDAP (manually or with a batch task).
The nice thing is that once a user is disabled in LDAP, it's disabled in all applications at once; also, a user has the same credentials in all applications. In a corporate environment, with a bunch of internal applications, this is a major plus. Don't use LDAP for users of only one application; there are no real benefits in that scenario.
If you have more than one web-based application and want to use LDAP authentication, then a prepackaged single sign-on solution might be better than creating your own LDAP authentication. CAS supports LDAP authentication and can pull back the data you need for your application.
At my college we have actually implemented CAS as a single sign-on against our Active Directory server. We also utilize CAS to authenticate our J2EE applications and are working on using CAS to authenticate our PHP applications.
We use AD to hold the users for the domain. There are certain OUs based on the type of user. The users each have a unique ID which happens to be their student/employee ID, so applications can use that as a primary key in their databases. We have a database-driven authorization method for our PHP applications. Authorization for the J2EE application comes from a value in LDAP.
Good luck with your application.
So, you want the user to enter an ID only, and then grab the rest of their info from LDAP? That's quite easy.
- Create LdapInitial context and connect to LDAP
- Do a search for the ID (it should be stored as some attribute value) -- e.g. (&(userid=john)(objectClass=user)) -- which means "userid=john AND objectClass=user"
- The SearchResult object would contain all Attributes (or the ones you asked for)
Some LDAP implementations (notably MS Active Directory LDAP) do not let you connect as an anonymous user. For those you need to have a technical userid/password to connect.
As said above, LDAP normally makes sense when you have many applications.
P.S. To get a feel for what LDAP is, try Apache Directory Studio.
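The three steps above together with the technical-account bind, as an added example in Java/JNDI (not code from any of the posters); it needs a reachable directory to run. The URL, base DN, the `givenName`/`sn` attribute names and the `LDAP_BIND_PW` environment variable are assumptions; the filter is the one from the answer, with the ID passed as a filter argument so that JNDI escapes it instead of concatenating it into the filter string.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapUserLookup {
    // Assumed values: replace with your directory's URL and search base.
    static final String URL = "ldaps://ldap.example.com:636";
    static final String BASE_DN = "dc=example,dc=com";

    // Simple bind as the given DN: the technical account for lookups, or the user's own DN to check a password.
    static DirContext bind(String dn, String password) throws NamingException {
        if (password == null || password.isEmpty()) // DN + empty password is an "unauthenticated" bind some servers accept
            throw new AuthenticationException("empty password rejected");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Returns the single matching entry, or null if there is none. JNDI substitutes {0}
    // and escapes filter metacharacters in the value.
    static SearchResult findUser(DirContext ctx, String userId) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"givenName", "sn"}); // assumed attribute names
        NamingEnumeration<SearchResult> hits =
            ctx.search(BASE_DN, "(&(userid={0})(objectClass=user))", new Object[] {userId}, sc);
        try {
            SearchResult first = hits.hasMore() ? hits.next() : null;
            if (first != null && hits.hasMore()) throw new NamingException("ID is not unique");
            return first;
        } finally { hits.close(); }
    }

    // Usage: LDAP_BIND_PW=... java LdapUserLookup <technicalAccountDn> <userId>
    public static void main(String[] args) throws NamingException {
        DirContext ctx = bind(args[0], System.getenv("LDAP_BIND_PW")); // hypothetical variable name
        try {
            SearchResult user = findUser(ctx, args[1]);
            System.out.println(user == null ? "no such user" : user.getNameInNamespace() + " " + user.getAttributes());
        } finally { ctx.close(); }
    }
}
```

To check a user's password, call `bind` again with the DN returned by `getNameInNamespace()` and the password the user entered; a failed bind throws `AuthenticationException`.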
I have a doubt. Since you're aiming to retrieve additional user information other than username/ID, why don't you store everything in LDAP? If you store another set of user IDs in a local database, would that be a duplication?