The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

User Authentication (and LDAP?)

I'm working on a business web app. Users need to log in, and they'll be communicating with an embedded HTTP server. What I need now is a user/password database. I'd rather not create a whole new user/database, but rather use what the company is already using. Since most of my customers are Windows shops, that means Active Directory/Domains. But they're not all completely Windows shops, so that pushes me towards LDAP.

My plan is:
1. SSL encrypt web app (OpenSSL)
2. User logs in and gives username/password
3. App receives it and tries to connect to LDAP servers using those credentials.  If it works, they're good.
4. Once connected to LDAP I can look at the groups they're in, attributes, etc. to decide on their role within the app.

What do you think?  It would certainly be easier to roll my own little user database, but I suspect my users would appreciate using the same creds they already have.
Wednesday, May 28, 2008
Well your theory is sound but I would make sure that you write your code such that you can swap in a local user/password store in the future. Define an interface that all "authentication providers" must follow and then implement that interface for your LDAP provider. We went down the road of supporting LDAP a while back and very few of our customers actually ended up wanting it. We implemented a local username/password store as a second option and having a well defined provider interface made it very easy to support multiple options. We also now support a couple of custom web services for authentication for some of our bigger clients and it was very easy to add them as well.
dood mcdoogle
Wednesday, May 28, 2008
The Apache mod_authnz_ldap module plays nicely with Novell eDirectory and with Oracle SSO. An older version did OK for straight authentication but not with groups.
George Jansen
Thursday, May 29, 2008
If you're using PHP check out, if you're not, still check it out because it's easy to replicate in other languages.

I agree with the previous poster about building an easily swappable auth system. Many users will not want to bother with the hassle. Let them configure if they want to authenticate against an internal db or against AD/LDAP. I authenticate my users against AD for internal apps, it works great.

Sunday, June 01, 2008
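An added example, not code from any poster in this thread: the swappable provider interface suggested above, with a bind-based LDAP provider that rejects empty passwords (an unauthenticated simple bind per RFC 4513 section 5.1.2 can succeed without proving anything) and escapes the username before it reaches a search filter (RFC 4515). The class names, the `search`/`bind` callables, the `uid` filter and `FakeDirectory` are assumptions made for illustration.

```python
import hashlib, hmac, os
from abc import ABC, abstractmethod

def escape_filter(value):
    """Escape the RFC 4515 special characters so user input cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

class AuthProvider(ABC):
    @abstractmethod
    def authenticate(self, username, password): ...

class LocalProvider(AuthProvider):
    """Local user store holding salted PBKDF2 hashes, never plaintext."""
    def __init__(self):
        self._users = {}
    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    def authenticate(self, username, password):
        # Unknown users still cost one hash; compare_digest is constant-time.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        return hmac.compare_digest(self._hash(password, salt), stored)

class LdapProvider(AuthProvider):
    """Bind-based check; `search` and `bind` are hypothetical wrappers around a real LDAP client over TLS."""
    def __init__(self, search, bind):
        self._search, self._bind = search, bind
    def authenticate(self, username, password):
        # A DN plus an empty password is an "unauthenticated" bind that many
        # servers accept, so "the bind worked" must never be reached with one.
        if not username or not password:
            return False
        dn = self._search("(&(objectClass=person)(uid=%s))" % escape_filter(username))
        return dn is not None and bool(self._bind(dn, password))

class FakeDirectory:
    """Constructed stand-in for a directory server, used only to run the example offline."""
    entries = {"alice": ("uid=alice,ou=people,dc=example,dc=com", "s3cret")}
    def search(self, flt):
        for uid, (dn, _) in self.entries.items():
            if flt == "(&(objectClass=person)(uid=%s))" % uid:
                return dn
        return None
    def bind(self, dn, password):
        # Mimics a server that lets an empty-password simple bind succeed.
        return password == "" or (dn, password) in self.entries.values()
```

Against Active Directory the search filter would normally use `sAMAccountName` or `userPrincipalName` instead of `uid`.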

This topic is archived. No further replies will be accepted.
