From: Jon M. <jo...@te...> - 2006-07-19 11:31:54
Alistair Young wrote:
> Hi Jon, hopefully I can answer your questions:
>

Thanks. I had found the API docs but somehow overlooked that alternate constructor - I was looking in the LDAPConstraints class. Looks like I can do what I want with the OpenLDAP API so there's no real argument left for switching.

> There are a few things to consider when doing LDAP "authentication".
> Bod always calls the LDAPAuthenticator no matter what page you're
> viewing. This has led to problems here and at Leeds I believe.
>
> I also haven't ruled out something wrong in the ldap code! haven't
> had time to look at it.
>

Actually it is a problem in the Authenticator. Bodington repeatedly calls the isAuthenticated() method to allow an authenticator to time out an authentication session if it wants. However, there is absolutely no need to repeatedly bind to the LDAP server every time that isAuthenticated is called. You can see the basic pattern in the plain password authenticator - the 'valid' variable is used to prevent repeated authentication. If credentials are set then valid is set false to indicate that the class doesn't know if the user is authenticated or not. If the authenticator is asked if the user is authenticated and valid is false then it calls the private authenticate method, otherwise if valid is true it just gives the stored result.

Your code was failing to set valid=true when the authentication failed, which was forcing the LDAP connection to be repeated over and over. I've fixed it (and a number of other potential bugs) in the custom authenticator I'm creating and eventually I'll generalise it and commit back to the release version (2.10?).

Thanks Alistair.
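The 'valid' flag pattern Jon describes, as an added illustration that is not code from the Bodington project or from either poster. The `DirectoryBinder` interface, the `FakeDirectory` stand-in for an LDAP server, the `CachedLdapAuthenticator` class and the sample DN and password are all constructed here; Bodington's real Authenticator interface is not reproduced. The `cacheFailures` switch reproduces the bug in the reply (valid only set on success) next to the corrected behaviour so the difference in bind counts can be seen directly.

```java
import java.util.HashMap;
import java.util.Map;

public class ValidFlagDemo {
    public static void main(String[] args) {
        // Buggy variant: valid is only set on success, so every isAuthenticated()
        // call after a failed login binds to the directory again.
        FakeDirectory dir1 = new FakeDirectory();
        CachedLdapAuthenticator buggy = new CachedLdapAuthenticator(dir1, false);
        buggy.setCredentials("uid=alice,ou=people,dc=example,dc=org", "wrong");
        for (int i = 0; i < 3; i++) buggy.isAuthenticated();
        System.out.println("buggy: binds after 3 checks of a failed login = " + dir1.bindAttempts);   // 3

        // Fixed variant: valid is set after every attempt, so the stored result is reused.
        FakeDirectory dir2 = new FakeDirectory();
        CachedLdapAuthenticator fixed = new CachedLdapAuthenticator(dir2, true);
        fixed.setCredentials("uid=alice,ou=people,dc=example,dc=org", "wrong");
        for (int i = 0; i < 3; i++) fixed.isAuthenticated();
        System.out.println("fixed: binds after 3 checks of a failed login = " + dir2.bindAttempts);   // 1

        // New credentials reset valid, so exactly one more bind happens and succeeds.
        fixed.setCredentials("uid=alice,ou=people,dc=example,dc=org", "correct horse");
        boolean ok = fixed.isAuthenticated();
        fixed.isAuthenticated();
        System.out.println("fixed: authenticated=" + ok + ", total binds = " + dir2.bindAttempts);   // true, 2
    }
}

// Hypothetical abstraction over "bind to the directory with these credentials".
interface DirectoryBinder {
    boolean bind(String dn, String password);
}

// Constructed in-memory stand-in for an LDAP server so the example runs offline;
// it only counts bind attempts and compares a stored password.
class FakeDirectory implements DirectoryBinder {
    private final Map<String, String> passwords = new HashMap<>();
    int bindAttempts = 0;

    FakeDirectory() {
        passwords.put("uid=alice,ou=people,dc=example,dc=org", "correct horse"); // constructed sample
    }

    public boolean bind(String dn, String password) {
        bindAttempts++;
        return password != null && password.equals(passwords.get(dn));
    }
}

// Hypothetical authenticator following the pattern from the plain password authenticator:
// 'valid' records whether 'authenticated' holds a computed result for the current credentials.
class CachedLdapAuthenticator {
    private final DirectoryBinder directory;
    private final boolean cacheFailures;   // false reproduces the bug described in the reply
    private String dn;
    private String password;
    private boolean valid = false;
    private boolean authenticated = false;

    CachedLdapAuthenticator(DirectoryBinder directory, boolean cacheFailures) {
        this.directory = directory;
        this.cacheFailures = cacheFailures;
    }

    // New credentials: the stored result no longer applies, so mark it unknown.
    void setCredentials(String dn, String password) {
        this.dn = dn;
        this.password = password;
        this.valid = false;
    }

    // Called repeatedly by the framework; only binds when no valid result is stored.
    boolean isAuthenticated() {
        if (!valid) authenticate();
        return authenticated;
    }

    private void authenticate() {
        authenticated = dn != null && directory.bind(dn, password);
        if (authenticated || cacheFailures) {
            valid = true;   // the fix: record that a result exists even when the login failed
        }
    }
}
```

Running the class prints 3 binds for the buggy variant and 1 for the fixed one after the same three isAuthenticated() calls; the session-timeout behaviour Jon mentions would be added by clearing `valid` when the timeout elapses, which forces exactly one fresh bind rather than one per page view.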