LDAP integration

brownk13

We are looking to rework our application to use LDAP. I am looking
for design ideas, and tutorials, websites to reference. Some of the
issues that we would be dealing with are:

1) Our integration would have to be written independent of a specific
directory. How different are the most common directories, and could
there be 1 solution written that can be configured to work with any
directory? Or would we have to have a handler for each directory?

2) What are the most common directories that we should handle?

3) Password considerations. How do you typically send password
information? We currently store a one-way hash of the password in
the database (MD5). I am guessing that each directory would have the
possibility of storing the passwords in a different format. How are
these passed to the directory server? Do you need to encrypt and then
send, or what is the most common practice?

And where would the best places be to research this for design? (I am
already looking at Sun's JNDI tutorials.)

Thank You all.
 
M

Manish Pandit

I have used Active Directory as a provider and wrote an auth layer
using the Netscape LDAP library - it was straightforward and I did not
run into any issues. However, I did not touch the password side of
things - this was to synchronize a table in a db with a particular
group's users in AD.

If you plan to use JAAS, there are out of the box security modules
(LDAP Realm) that can be hooked into tomcat/weblogic/jboss and others,
which can handle the authentication via any LDAP server. You do not
need to store passwords in your application store. IMO, if you use
LDAP as a standard, then you can use any provider with the same API.
In Java apps, you can consider using form-based auth over SSL, and that
should be secure enough IMO to submit userId+password.

Do read up on JAAS and LDAP API to begin with your design.

-cheers,
Manish
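To make the "you do not need to store passwords" point concrete, here is an added example (not code from this thread, nor from any of the libraries mentioned in it) of the bind-based check that a JAAS LDAP realm performs under the hood, written directly against JNDI since the original poster is already reading the Sun JNDI tutorials. The application never receives or compares a hash; it hands the submitted password to the directory in a simple bind over TLS and trusts the server's yes/no. The hostname, port, and DN layouts in the code are placeholders chosen for illustration, and the directory-specific part is reduced to one configurable template for mapping a login name to a bind identity.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Verifies a user's credentials by binding to the directory as that user
 * (an "LDAP bind" check). The application never sees or stores the
 * directory's password hash: the server compares the submitted password
 * itself and answers with success or an authentication failure.
 *
 * Per-directory differences are confined to two configuration values:
 *   - providerUrl:    an ldaps:// URL so the password travels under TLS
 *   - userDnTemplate: how a login name maps to the bind identity, e.g.
 *       "uid=%s,ou=people,dc=example,dc=com"  (typical OpenLDAP / Sun layout)
 *       "cn=%s,ou=users,dc=example,dc=com"
 *       "%s@corp.example.com"                 (Active Directory accepts a UPN)
 * Every value shown above is a placeholder chosen for this example.
 */
public final class LdapBindAuthenticator {

    private final String providerUrl;
    private final String userDnTemplate;

    public LdapBindAuthenticator(String providerUrl, String userDnTemplate) {
        if (!providerUrl.toLowerCase().startsWith("ldaps://")) {
            throw new IllegalArgumentException("Use an ldaps:// URL so credentials never travel in clear text");
        }
        this.providerUrl = providerUrl;
        this.userDnTemplate = userDnTemplate;
    }

    /** Returns true only if the directory accepted the user's password. */
    public boolean authenticate(String userId, char[] password) {
        // RFC 4513: a bind with a name but an EMPTY password is an "unauthenticated"
        // bind that many servers report as success. Reject it before contacting the
        // server so a blank password field can never log a user in.
        if (userId == null || userId.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        String principal = String.format(userDnTemplate, escapeDnValue(userId));

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // simple bind, protected by TLS
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // do not hang the login page on an outage

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password or unknown user: do not reveal which
        } catch (NamingException e) {
            // Directory unreachable or misconfigured: fail closed, but let the
            // caller tell an outage apart from a bad password.
            throw new IllegalStateException("LDAP bind failed: " + e.getMessage(), e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    /** Escapes the characters RFC 4514 gives meaning inside a DN attribute value. */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case ',': case '+': case '"': case '\\': case '<': case '>': case ';':
                    sb.append('\\').append(c);
                    break;
                case '#':
                    if (i == 0) sb.append('\\'); // '#' is only special at the start
                    sb.append(c);
                    break;
                case ' ':
                    if (i == 0 || i == value.length() - 1) sb.append('\\'); // leading/trailing space
                    sb.append(c);
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Placeholder values: point these at a real directory to try it out.
        LdapBindAuthenticator auth = new LdapBindAuthenticator(
                "ldaps://ldap.example.com:636", "uid=%s,ou=people,dc=example,dc=com");
        boolean ok = auth.authenticate("jdoe", "not-the-real-password".toCharArray());
        System.out.println(ok ? "authenticated" : "rejected");
    }
}
```

The escaping step matters because the login name is pasted into a DN: without it, a name containing "," or "=" could change which entry the bind targets. It is written for DN-style templates; with a UPN template for Active Directory the value is not a DN, so the escaping there is at most harmless. Whether the directory stores its password as SSHA, a Windows hash, or something else is invisible to this code, which is exactly why one implementation can be configured against any of them.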
 
B

brownk13

I have been. Our existing product stores users and passwords in our
database already. We will have to handle both of the scenarios. LDAP
is just a new piece that we are putting in and a new way. We also do
not run with any application server. But as we are currently
reworking our security model for the next revision I have been looking
into JAAS.

Thanks for the response.

Keith