
Author LDAP storing web accounts...
Daniel M.

2005-12-08, 7:26 pm

Problem: Given an application that stores user
accounts in a database table as "user" and "password"
(encrypted, of course), what would be the best way to
convert this app to use LDAP?

Do I store the login and password in the LDAP
directory as attributes to a DN such as:
cn=john.doe,cn=webUsers,dn=whatever.com
attributes:
login = string
password = string

Any help or articles would be appreciated. I have
been searching and reading on the web for a while but
have not been able to find a good example or article
on the subject yet.

Thank you.
Marc Chantreux

2005-12-08, 7:26 pm

Hi,

I think you're off topic.

I also think you need to look at posix.schema, there is a posixAccount
object with userPassword and uid attributes there.

regards
mc
Gerry Smyth

2005-12-08, 10:16 pm

Hi Daniel,
One thought could be to use Kerberos V for authentication and use LDAP for
authorisation, tied in with PAM (all on Linux, of course).

Your web application, say, assuming PHP is used, would call the pam_auth
module, which interrogates Kerberos.

In this way, your web app is loosely coupled from the back-end of LDAP /
Kerberos (although you may need to write an interface program to
facilitate). Nevertheless, it would be worth the effort as you would be
using the 'facade' design pattern and other web apps could be used
alongside.

This is just a high-level thought for you.

Regards
Gerry




"Daniel M." <danny_mk@yahoo.com>
09/12/2005 07:59 AM

To
perl-ldap@perl.org
cc

Subject
LDAP storing web accounts...








Quanah Gibson-Mount

2005-12-08, 10:16 pm



--On Friday, December 09, 2005 3:28 PM +1300 Gerry Smyth
<gsmyth@nz1.ibm.com> wrote:

> Hi Daniel,
> One thought could be to use Kerberos V for authentication and use LDAP
> for authorisation, tied in with PAM (all on Linux, of course).
>
> Your web application, say, assuming PHP is used, would call the pam_auth
> module, which interrogates Kerberos.
>
> In this way, your web app is loosely coupled from the back-end of LDAP /
> Kerberos (although you may need to write an interface program to
> facilitate). Nevertheless, it would be worth the effort as you would be
> using the 'facade' design pattern and other web apps could be used
> alongside.


No need to write an interface program for that; Stanford already wrote an
open-source solution that uses SASL/GSSAPI with Apache to access an LDAP V3
server for authorization.

<http://webauth.stanford.edu>

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Marc Chantreux

2005-12-09, 4:21 am

Daniel M. wrote:

> Let's say you were going to write a web application
> using Perl and wanted to authenticate your users
> against the LDAP directory. Would you use a
> posixAccount entry to verify their credentials?


I think it's OT because it's an LDAP question, not a perl-ldap one.
In fact, your web app can rely on LDAP authentication.

You need something like this in your slapd.conf:

    access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

"by anonymous auth" is important.

Now, you just have to
- bind as anonymous to find your user's DN
- bind again with the DN and his password

If the second bind succeeds, your auth succeeds.

regards
mc
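
The two-bind procedure described in the message above, written out with Net::LDAP as an added example that is not part of the original thread. The host name, CA file path and the use of the uid attribute under dc=example,dc=com are assumptions, and anonymous clients are assumed to be allowed to search on uid.

```perl
# Added example: search-then-bind authentication with Net::LDAP.
# Host, CA file, base DN and the uid attribute are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    host   => 'ldap.example.com',            # hypothetical server
    base   => 'dc=example,dc=com',           # suffix used in the ACL above
    cafile => '/etc/ssl/certs/ldap-ca.pem',  # hypothetical CA bundle
);

# Returns the user's DN on success, undef on any failure.
sub ldap_authenticate {
    my ($login, $password) = @_;

    # A bind with a DN and an empty password is an "unauthenticated bind"
    # (RFC 4513) that a server may accept as anonymous, so refuse it here.
    return undef unless length($login // '') && length($password // '');

    my $ldap = Net::LDAP->new($cfg{host}) or return undef;
    # Encrypt the session before any password crosses the wire.
    my $tls = $ldap->start_tls(verify => 'require', cafile => $cfg{cafile});
    if ($tls->is_error) { $ldap->disconnect; return undef; }

    # Step 1: anonymous bind, then look up the DN. The login is escaped so
    # characters such as "*", "(" and ")" cannot alter the filter.
    my $dn;
    unless ($ldap->bind->is_error) {
        my $res = $ldap->search(
            base   => $cfg{base},
            scope  => 'sub',
            filter => '(uid=' . escape_filter_value($login) . ')',
            attrs  => ['1.1'],               # no attributes, only the DN
        );
        # Exactly one match is required; zero or several is a failure.
        $dn = $res->entry(0)->dn if !$res->is_error && $res->count == 1;
    }

    # Step 2: bind again as that DN with the supplied password.
    my $ok = defined $dn && !$ldap->bind($dn, password => $password)->is_error;
    $ldap->unbind;
    return $ok ? $dn : undef;
}

# Login as the first argument, password on standard input.
my $login = shift @ARGV;
chomp(my $password = <STDIN> // '');
print ldap_authenticate($login, $password) ? "auth ok\n" : "auth failed\n";
```

The caller gets the same undef for an unknown login and a wrong password, so the web application cannot be used to enumerate accounts.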
Daniel M.

2005-12-09, 7:28 pm

Thank you all for your help. I got a solution.

Dan.


