Use tomcat to bind to LDAP for more than authentication? - java

I have a tomcat server that uses the JNDI Directory Realm to bind to an LDAP server to do authentication and this works fine.
However, I'd like to pull more information from the LDAP server (e.g., name, phone number, email, etc.) and I'm wondering what is the best way to do this? So, I see there are two possibilities:
1) Is there a way to piggy-back on this already configured Realm? If so, how?
2) Or do I have to make a separate LDAP connection? If so, can I just use the LDAP libraries and routines already in Tomcat?
Thanks for the help!

If you need to bind to an LDAP server for retrieving information, go with plain JNDI: it's the standard API for accessing directories and performing CRUD operations over them, and it'll just work even outside of Tomcat.
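As an added illustration of the plain-JNDI route (example code, not from the question or any answer): the application makes its own connection with a read-only service account and looks up name, phone number and mail for a given uid. The URL, bind DN, base DN and attribute names are assumptions for your directory, and the uid is escaped before it is placed in the search filter so that user-supplied input cannot alter the query.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapProfileLookup {
    // Assumed values: replace with your directory's URL, read-only service account and base DN.
    private static final String LDAP_URL = "ldaps://ldap.example.com:636";
    private static final String BIND_DN = "cn=app-reader,ou=services,dc=example,dc=com";
    private static final String BIND_PASSWORD = System.getenv("LDAP_BIND_PASSWORD");
    private static final String USER_BASE = "ou=people,dc=example,dc=com";

    /** Escapes a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns cn, telephoneNumber and mail for the given uid, or null if no entry matches. */
    static Attributes lookup(String uid) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);   // ldaps:// so the bind password and data are not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PASSWORD);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn", "telephoneNumber", "mail"}); // only what we need
        // Escape before concatenating so a uid such as "*)(uid=*" cannot widen the search (LDAP injection).
        String filter = "(&(objectClass=person)(uid=" + escapeFilter(uid) + "))";
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results = ctx.search(USER_BASE, filter, sc);
            return results.hasMore() ? results.next().getAttributes() : null;
        } finally {
            ctx.close();
        }
    }
}
```

In the Tomcat case the uid to pass is the name the JNDIRealm already authenticated, i.e. `request.getRemoteUser()`.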

I doubt any container will allow you access to the LDAP connection. There are provisions in some containers to retrieve entries within LDAP itself using LDAP search queries (say to retrieve groups), but containers are usually not designed to share the connection with a developer.
You can use JNDI like Oscar suggests or a host of other APIs. Use a connection yourself since the spec says nothing about sharing connections with you.

JNDI should not be used for new code. JNDI has very little to recommend it:
JNDI has quite a number of software defects
JNDI does not support the full range of the LDAP standards (and makes certain standard LDAP features impossible to use)
the available examples are horrible
it uses a disconnected parameter setting mechanism
and it uses a deprecated configuration.
The UnboundID LDAP SDK supports sensible constructs for connection and LDAP operations.
See also:
LDAP: programming practices
LDAP: search

Related

Providing LDAP support on top of existing Database authentication

I am working on a java application having Database authentication using spring-security.
It is very usual that this application is used with other applications on a similar domain.
Requirement: The need is that all such partner apps should be able to share common authentication with my application.
Also it is required to continue supporting DB authentication as well.
One way I found is to embed LDAP server like ApacheDS in my application so that other partner apps can use it to get authenticated.
In this case, I need to load ApacheDS with related Database records and keep it in sync programmatically.
But disadvantage on this is to have redundant copy of authentication data - one at DB and another at ApacheDS LDAP.
Question: Is there any way to avoid such duplication? By googling, I found the option of having a virtual directory server such as Penrose or Oracle Virtual Directory. But unfortunately they cannot be embedded in an application. Is there any way to provide embedded LDAP support on top of existing Database authentication?
Disclaimer: I know very little about Spring Framework and even less of Spring Security
Having said that. I did face a similar situation, in my case, it was Apache DS as my app authentication source and client AD as the other.
My deployment environment was Tomcat and I used Tomcat Combined realm, which nests more than one realm for authentication. My app realm was configured to be one and client's AD was configured to be another.
Users could authenticate from any one of the realms, and it worked. However, I did have to replicate the client's AD users every night (including AD tombstones to mark them inactive), for authentication is one thing but other client information was also required, e.g. email, roles etc., and the inclusion of new users.
I am kind of sure that Spring Security will also have the concept of Combined Realm.
I understand that this answer is not really an answer and more of design approach and many years too late at that; however, I wished to share my experience.

Does Websphere 8.5 provide an API to interface with an Active Directory using security details configured in Websphere security settings?

I am using Websphere Application Server, that has administrative and application security enabled, which uses LDAP to interface an Active Directory for authentication.
The web application that is deployed to the server is required to be able to retrieve information from this AD, as well as modify information in this AD (such as adding a new user to the AD). I could use JNDI to achieve this, however I need the application to use the settings configured in Websphere to do the connection so that I don't have to maintain multiple sets of LDAP information (one in the application and one in Websphere).
I have searched around but couldn't find anything concrete. The closest I saw was I can configure it as a federated user repository instead of standalone LDAP registry, after which I can retrieve some attribute values, but it does not explain if I am able to modify them.
Any help would be appreciated. Thanks!
If you use a federated repository, then you can use the VMM API. It is quite complex compared to JNDI or LDAP-related libraries, but it should provide you with the features you need.
Start by looking at this page - Developing with virtual member manager - and its subpages; you will find some code examples there as well.

can i use LDAP servers like ApacheDS as a persistence solution for desktop applications?

A fella recommended that I use ApacheDS as a replacement for my database (MySQL); you can find the discussion here.
I am completely new to LDAP and ApacheDS (actually I had no idea about it yesterday). I searched about it and read some articles, and finally I got to this page.
Considering LDAP is a network protocol (if it is), is it possible, or is it a wise choice, to use LDAP servers like ApacheDS as a persistence solution for desktop applications?
Doesn't LDAP need an application server (like Tomcat) to run?
Can you please light me up :)
Thanks
LDAP needs an LDAP service to run, like ApacheDS, OpenLDAP or the like. It doesn't need anything else.
There are two advantages LDAP has over an SQL database.
One is much finer access controls, e.g. you can have a "column" which can be updated by anyone in the "administrator" group and readable by the user and his/her manager only. The LDAP database can implement your security policy, which ensures it is centrally auditable.
LDAP databases tend to have better query and read performance (sometimes by an order of magnitude), but much lower write performance (also sometimes by an order of magnitude). This is on the assumption that you use it to look up details, e.g. username/password, far more often than you change them.
I wouldn't use an LDAP database for logging for this reason.
There are many uses of LDAP as a data store for things other than users. As a matter of fact, LDAP is often considered one of the first NoSQL servers.
I know of a teleconference software vendor who used an LDAP directory server to replace an SQL database to gain high availability and distribution. With their software deployed in several locations worldwide, having a single database wouldn't scale and created issues at the network level. With LDAP and the multi-master replication capabilities of the server, they were able to have a server in each location, to control the replication flows, and even to leverage the distributed nature of the data to increase their services.
Java-based LDAP directory servers like Apache DS or OpenDJ (opendj.org) give you flexibility in the deployment and can even be embedded in Java applications such as web applications.
Finally, while LDAP servers were designed for many reads and few writes, servers now are capable of heavy writes (although I would not use them for write-only activities such as logging). OpenDJ, for example, has been tested with up to 15000 modifications/second on a 10-million-user database. The same configuration was able to handle over 60000 searches per second. To be fair, the JVM heap size was 32GB.
Regards,
Ludovic.
To deploy LDAP you need only an LDAP server, for example OpenLDAP or ApacheDS.
I used OpenLDAP as a persistence solution for a web application and it worked.
There is an important difference: SQL is relational but LDAP is a tree!

Intercepting an LDAP in order to gather statistics

We are looking at building an application that either proxies a standalone LDAP server or delegates to an embedded Java LDAP instance (ie: ApacheDS, OpenDS) in order to log requests and determine who is accessing which applications on our very large corporate network.
My question is: is there a good way to intercept an LDAP request and "pull it apart", or to have either OpenDS/ApacheDS push notifications of requests coming into LDAP?
You don't need to do any of that. You can configure LDAP servers to log accesses, either in the LDAP directory itself or elsewhere.
OpenDJ (the actively developed fork of OpenDS, http://opendj.forgerock.org) has support for multiple and customized access logs, so you can even configure some filters for the specific requests you're interested in.

Best Framework For Accessing OpenLDAP With Seam & JBoss AS?

We are currently implementing a portal to our web based services. The portal and services are written with Seam and we are using OpenLDAP to store the security data such as users, groups and permissions. So far we have looked at writing our own code to access LDAP but are there any existing APIs that we could use?
If you're a Spring user, I'd look into the Spring LDAP modules. They're beautifully done; they follow the idiom laid down by their JDBC implementation. Very clean, very nice.
We did this for our web application a while ago and investigated the following:
http://developers.sun.com/sw/docs/examples/appserver/ldap.html
However, we ended up just using the LDAP support built in to Tomcat, since basic authentication was enough for us.
Here is an example of how we set up our authentication in Tomcat:
http://blog.mc-thias.org/?c=1&more=1&pb=1&tb=1&title=tomcat_ldap_authentication
JLDAP
The LDAP Class Libraries for Java (JLDAP) allow you to write applications to access, manage, update, and search for information stored in directories accessible using LDAPv3.
