From: Alistair Y. <ali...@sm...> - 2006-07-19 10:49:19
Hi Jon, hopefully I can answer your questions:

> I'm trying to set a custom timeout on the connection

Novell added a new LDAPConnection constructor:
http://developer.novell.com/documentation/jldap/jldapenu/api/index.html

> The Sun LDAP service provider has a connection pooling option. Is
> there anything equivalent in the Open LDAP API?

http://developer.novell.com/documentation/jldap/jldapenu/api/index.html

> What was the reason for choosing the OpenLDAP API instead of JNDI?

I'd been doing a lot of LDAP work with eDirectory (creating accounts etc.) and so had a load of experience with it. The openLDAP Java classes were originally developed by Novell and they donated them to openLDAP.org, so it seemed logical to keep using them for bod LDAP. JNDI is much more abstract. LDAPAuthenticator will only ever authenticate against an LDAP server. It doesn't need that abstraction. Also, I find Sun stuff ropey or bloated sometimes; that's just my opinion. The Novell openLDAP libs were ideal and they have a C version too. At the time I was looking at LDAPing RADIUS, so having the same framework for Java and C made sense.

> Is there a strong argument against switching to JNDI?

For me, no. LDAP is LDAP. JNDI is at a higher level of abstraction. It's also persona non grata in ActiveDirectory. I had a lot of problems creating accounts in ActiveDirectory using JNDI. There was a Microsoft report that JNDI had problems connecting/binding to AD servers. In this respect, openLDAP was more successful. Also, the openLDAP code works against slapd/eDirectory/ActiveDirectory (all tested). As we may need to support AD in the future, JNDI has already proved itself less than useful.

There are a few things to consider when doing LDAP "authentication". Bod always calls the LDAPAuthenticator no matter what page you're viewing. This has led to problems here and at Leeds, I believe.

When you enter an incorrect password, you get sent to the failure page, which causes bod to call the authenticator, which fails again; then you go to the login page, another login failure, and finally back to the page with the login boxes, another auth failure. So that's 3 auth failures as bod keeps calling LDAPAuthenticator with bum credentials. This eventually locks a user out of their LDAP server.

This only happens as the authenticator is doing a bind to prove the credentials. You could do a compare on the password, but this might not be interoperable and might not be supported by the schema in use. Bind will always work though. Also, binding causes a login event on the LDAP server and that can keep overzealous admins from deleting what they think are expired accounts. E.g. we have people who never log in to eDirectory and they log in to CLAN all the time. Doing a compare on their password instead of a bind would show them as *never* logging in to eDir, and the admins trawl and delete such accounts now and again.

I also haven't ruled out something wrong in the ldap code! Haven't had time to look at it.

Alistair

On 19 Jul 2006, at 11:04, Jon Maber wrote:

> Probably one for Alistair...
>
> I'm working on a customised LDAP authenticator for Leeds.
>
> The standard authenticator uses the OpenLDAP Java API instead of JNDI
> and the Sun LDAP service provider. I started off also using the
> OpenLDAP API but I've got stuck on a couple of things.
>
> 1) I'm trying to set a custom timeout on the connection to the LDAP
> socket. (I want it to be much shorter than the default.) However, I can't
> see a mechanism for changing the timeout. I've worked out how to adjust
> the timeout on searches etc. but not the timeout on socket connections.
> Any ideas?
>
> 2) The Sun LDAP service provider has a connection pooling option. Is
> there anything equivalent in the Open LDAP API?
>
> What was the reason for choosing the OpenLDAP API instead of JNDI? Is
> there a strong argument against switching to JNDI?
>
> Jon
>
> _______________________________________________
> Bodington-developers mailing list
> Bod...@li...
> https://lists.sourceforge.net/lists/listinfo/bodington-developers
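The two points above (a bounded socket timeout via the newer LDAPConnection constructor, and a bind-based check that must not be repeated with already-rejected credentials on every redirect) in one added illustration; this is example code, not Bodington's LDAPAuthenticator or the JLDAP project's own code. It assumes JLDAP's com.novell.ldap package with the LDAPConnection(int timeout) constructor, and the class name LdapBindCheck and its per-request memo are hypothetical.

```java
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPException;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical bind-based credential check (not Bodington's LDAPAuthenticator).
 * Assumes the JLDAP LDAPConnection(int timeout) constructor, which bounds the
 * socket connect in milliseconds; check the JLDAP javadoc for your version.
 */
public class LdapBindCheck {
    private final String host;
    private final int port;
    private final int connectTimeoutMs;
    // DNs whose bind already failed during the current request cycle. Re-binding
    // with the same bad credentials on each failure-page redirect would log
    // several failed logins per typo and trip the directory's lockout policy.
    private final Set<String> failedThisRequest = new HashSet<String>();

    public LdapBindCheck(String host, int port, int connectTimeoutMs) {
        this.host = host;
        this.port = port;
        this.connectTimeoutMs = connectTimeoutMs;
    }

    /** Returns true only if the directory accepts the DN/password pair. */
    public boolean authenticate(String dn, String password) {
        if (dn == null || password == null || password.isEmpty()) {
            return false; // an empty password is an anonymous bind, not a check
        }
        if (failedThisRequest.contains(dn)) {
            return false; // already rejected this request: do not bind again
        }
        LDAPConnection conn = new LDAPConnection(connectTimeoutMs);
        try {
            conn.connect(host, port);
            conn.bind(LDAPConnection.LDAP_V3, dn, password.getBytes(StandardCharsets.UTF_8));
            return true;
        } catch (LDAPException e) {
            if (e.getResultCode() == LDAPException.INVALID_CREDENTIALS) {
                failedThisRequest.add(dn); // credentials were wrong: remember for this request
            }
            return false; // timeouts / server down are also "not authenticated"
        } finally {
            try { conn.disconnect(); } catch (LDAPException ignore) { }
        }
    }

    /** Call at the start of each new request so a corrected password is retried. */
    public void newRequest() { failedThisRequest.clear(); }
}
```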