LDAP & Security!

[Buu Nguyen]

Hi everyone,

We are developing a RMI application. Security is currently assure by
using custom database authentication and authorization. Nevertheless,
now our clients request us to build a security sub-system which
supports the followings:

-Allow user to be authenticated via LDAP
-Allow LDAP to update username and password in the security sub-system
-Finally, the same applies to the authorization process.

As we have exp on LDAP, we want to know whether all the above stuffs
can be done or just part of them? And if the answer is yes, then it
would be appreciated that any can provide some links or samples that
help us implement this.

Thank you very much!

Nguyen

 

[Drazen Gemic]

-Allow user to be authenticated via LDAP
-Allow LDAP to update username and password in the security sub-system
-Finally, the same applies to the authorization process.

I have implemented such system, but not in Java, if that matters.

LDAP server should be configured properly. If it was, it
should enable all the requirements you have mentioned.

Authentication can be performing by so called "binding" to
LDAP server, using login and password (in contrast to, so called
"anonymous bind").

Most common LDAP server configuration allows users to update some,
or most of LDAP attributes. Changing password is usual, but changing
username, might be a problem, I am not sure.

Authorization can be provided by reserving some attribute or attributes
for authentication. Common attribute scheme is 'inetOrgPerson',
and there are attributes like:'businessCategory', 'employeeType', etc.
that could be used for simple authorization.
For more complex situations one could define custom
attributes that extend the scheme, and even create attributes with
multiple values (like arrays), and use separate instance for each
application.

I have learned the most from OpenLdap documentation.

DG