
Cox Crow

Asking the Stupid Questions Since 1971
 Thursday, February 14, 2002

You don't necessarily need to want the data stored at a particular location in order to use the authentication service provided for that location.

5:40:00 PM #
categories: Directories, Identity

Using an LDAP directory as an authentication source is convenient for a number of reasons, though the protocol is not specifically designed for authentication.

LDAPv3 has cheap redundancy; a flexible delegation model, if the directory supports ACLs; a range of authentication methods, from simple to GSSAPI; a variety of password storage methods; and most importantly, broad support means it is highly likely that someone else has already done most of the work by providing LDAP client libraries. Use of LDAP to converse with the authentication source should allow substitution of alternate back-ends with substantially reduced deployment costs. Similarly, deployment of new services becomes easier.

Authentication to an LDAP directory generally works like this, so that users need not type their full distinguishedName as a login name. First, the client binds anonymously to the directory and searches for the entry matching the user's login name, in order to determine the user's distinguishedName. Then an LDAP BIND operation is attempted as that distinguishedName with the credentials presented by the user agent. Access can be restricted by LDAP search filters on the query that determines the distinguishedName, and by constraints within the directory, such as passwordExpirationTime. Other implementations instead authenticate against the data in the directory just as they would against the data in /etc/passwd, comparing the value provided by the user agent with the password value stored in the directory.
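The search-then-bind sequence just described, as an added example that is not from the original post. The `Directory` interface (a search returning matching DNs and a bind returning a boolean) and the `InMemoryDirectory` stand-in are assumptions so it runs offline, not any real LDAP client library's API; the anonymous bind is assumed to have happened when the connection was opened, and the only server-side work modelled is an exact equality filter on uid.

```python
from typing import List, Protocol

# RFC 4515 escaping for a value placed inside a search filter, so that the
# login name cannot change the shape of the filter used in step one.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(login_attr: str, username: str) -> str:
    return f"({login_attr}={escape_filter_value(username)})"

class Directory(Protocol):
    """Hypothetical minimal client interface (assumption, not a real library)."""
    def search(self, base_dn: str, ldap_filter: str) -> List[str]: ...
    def bind(self, dn: str, password: str) -> bool: ...

def search_then_bind(conn: Directory, base_dn: str, username: str,
                     password: str, login_attr: str = "uid") -> bool:
    """True only if exactly one entry matches and a BIND as that DN succeeds."""
    # An empty password must be refused before the BIND: LDAPv3 treats a DN
    # with an empty password as an unauthenticated bind, which servers may accept.
    if not username or not password:
        return False
    # Step 1: on the anonymously bound connection, look up the user's DN.
    matches = conn.search(base_dn, build_user_filter(login_attr, username))
    if len(matches) != 1:
        return False  # unknown user, or an ambiguous match we refuse to guess on
    # Step 2: BIND as that DN with the credentials the user agent presented.
    return conn.bind(matches[0], password)

class InMemoryDirectory:
    """Constructed stand-in holding one sample entry; not a real server."""
    def __init__(self) -> None:
        self.by_filter = {"(uid=alice)": ("uid=alice,ou=people,dc=example,dc=com", "s3cret")}
    def search(self, base_dn: str, ldap_filter: str) -> List[str]:
        hit = self.by_filter.get(ldap_filter)
        return [hit[0]] if hit else []
    def bind(self, dn: str, password: str) -> bool:
        return any(dn == d and password == p for d, p in self.by_filter.values())

if __name__ == "__main__":
    d = InMemoryDirectory()
    print(search_then_bind(d, "dc=example,dc=com", "alice", "s3cret"))    # True
    print(search_then_bind(d, "dc=example,dc=com", "*)(uid=*", "s3cret"))  # False
```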

5:16:22 PM #
categories: Directories, Identity