Tuesday, 3 February 2015

LDAP Authentication and Sessions



Given a web application with form-based login and a central directory, using an LDAP (fast) bind with the actual user's credentials has a number of advantages. Above all, it means the directory server itself decides whether the login is permitted. It can also audit and count failed attempts. It avoids the need for a manager bind, and the application does not need to know how to compare password hashes.


However, there is the question of what to do if a login session (for example one backed by an HTTP session cookie) persists for a long time and the user has meanwhile been deleted or locked out.


The simplest approach would be to bind again regularly. However, this has the problem that it either annoys the user (as she has to enter the password again) or means I have to keep the password in the user's session so I can re-authenticate on her behalf. Is there another (widely supported) method?


If not, what would be done? Use a manager user to look up the DN and check whether it has been modified? Or do I then have to check custom locked/expired attributes myself? Is there (if GSSAPI is not used) a way to obtain a token representing the session which can be validated against the LDAP server (and if so, can I access it from an LDAP client in Java)?
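As an added example (not code from this post), one way to implement the fast bind at login together with the password-free re-check via a manager lookup that the question considers, using JNDI; the directory URL, the read-only service account and the OpenLDAP ppolicy attribute name are assumptions:

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
public class LdapSessionCheck {
    // Assumed values: replace with the real directory URL and a read-only service account.
    static final String URL = "ldaps://directory.example.com:636/";
    static final String SERVICE_DN = "cn=app-reader,ou=services,dc=example,dc=com";
    static final String SERVICE_PW = System.getenv("LDAP_SERVICE_PW");

    // Simple bind as the given DN. An empty password is rejected up front: JNDI would
    // otherwise fall back to an anonymous bind and report the login as successful.
    static DirContext bind(String dn, String password) throws NamingException {
        if (password == null || password.isEmpty()) throw new AuthenticationException("empty password");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Login: bind as the user (the directory enforces its policy), then read modifyTimestamp;
    // the caller keeps the returned stamp, not the password, in the HTTP session.
    static String login(String userDn, String password) throws NamingException {
        DirContext userCtx = bind(userDn, password);
        try {
            Attributes a = userCtx.getAttributes(userDn, new String[] {"modifyTimestamp"});
            Attribute ts = a.get("modifyTimestamp");
            if (ts == null) throw new NamingException("server did not return modifyTimestamp");
            return (String) ts.get();
        } finally {
            userCtx.close();
        }
    }

    // Periodic re-check without the user's password: the entry must still exist, must not carry a
    // ppolicy lock (pwdAccountLockedTime, assumed) and must be unchanged since login, else re-login.
    static boolean sessionStillValid(String userDn, String stampAtLogin) throws NamingException {
        DirContext svc = bind(SERVICE_DN, SERVICE_PW);
        try {
            Attributes a = svc.getAttributes(userDn, new String[] {"modifyTimestamp", "pwdAccountLockedTime"});
            if (a.get("pwdAccountLockedTime") != null) return false;
            Attribute ts = a.get("modifyTimestamp");
            return ts != null && stampAtLogin.equals(ts.get());
        } catch (NameNotFoundException e) {
            return false;
        } finally {
            svc.close();
        }
    }
}
```

Comparing modifyTimestamp is deliberately coarse: any change to the entry (password reset, group change, lock) invalidates the session, which errs on the side of forcing a fresh login.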


