Good morning,
First thanks a lot for the helps.
I have a problem in my organization because there are legacy applications that to use an LDAP Server to authentication.
The problem is that the model to authenticate the applications this different. For example:
The applications to authenticate with the attribute cn=user (only this) and not cn=user,ou=XXX,dc=YYY,dc=WWW ie using the complete DN and the worst is that we have no codes of these applications.
Could someone help me?
Thanks a lot,
Related
So i'm tasked with implementing SSO for our Windows application. Currently, after a user logs into the machine, he or she has to re-log in to our app when he or she loads the application. The application validates the user by querying a LDAP server.
What we're looking to have is for the user to automatically be logged into the app when they click on it. My understanding is that the LDAP authentication must still happen, but Im not exactly sure what the workflow would be, and how exactly we can validate a user without requiring them to re-enter a username / password. Note that this is not a web application so I can't use tools like SAML or OAuth (unless i'm mistaken about this too..?)
So my specific question is as follows:
Is it possible to use LDAP for SSO, and if so, how? Is it possible for me to authenticate a user with just his or her username, or is a password also required?
Any guidance would be appreciated, and am happy to provide further clarification if needed.
First of all, LDAP is a protocol, which you use to communicate with databases that implement this protocol.
So LDAP databases (commonly called directories) are ... databases and so do not provide SSO functionality.
To deploy a SSO solution, you need a SSO service. All your applications will have to be "compliant" with this service in a way or another.
The only way I can think of to make a "Windows SSO" without adding a third party application is that the applications can retrieve NTLM informations in requests made by the client and uses the user data to identify him. (but in term of security, I let you judge what you think about it ;) ) . See this php example
Some LDAP implementations, including OpenLDAP, provide some level of support the Generic Security Service Application Program Interface (GSSAPI) or SPNEGO (a specific GSSAPI implementation)
Although not trivial, it is possible to perform SSO from a "browser" that supports GSSAPI. AFIK, IE, Firefox, Safari and Chrome all provide some level of support for GSSAPI although each browser requires specific configuration (typically whitelisting of Servers).
There are many SSO Products that implement these features in a "probably" more secure and easier process than doing it yourself.
There are many known vulnerabilities details that have been exploited with GSAPPI/SPNEGO typically due to implementation issues.
Problem Statement:
I am trying to build a custom management system which would require authentication and authorization both.
The system needs to have capabilities to manage/create/update/delete users, roles, permissions and groups.
My Design Solution
I am planing to implement this in-house from scratch and would provide authentication and authorization as follows.
Authentication : user would provide their credentials and the system would authenticate if the user is valid or not.
Authorization: once the user is authenticated, based on the user groups and the permissions they could access the requested pages on the site.
Question:
Now, my question is that suppose I have this application built successfully and in future my application requires LDAP (active directory) authentication would it be possible to plug in LDAP related features keeping my existing application intact or I would have to re-write the entire or most application using LDAP API's.
I have had a look at at apache shiro and spring security which
provides LDAP functionality and they also provide capabilities to manage/create/update/delete users.
As of now I have not yet decided if I would go with either of them or write my own.
Would appreciate if I could get a detailed reponse about how to go about things.
Note:
I am a complete newbie to LDAP so please excuse me if I have used some wrong terminology with regards to LDAP.
I would recommend NOT implementing this your self, just integrate with existing API.
Disclosure: I work for Stormpath (which provides exactly this) and on Apache Shiro.
Also, if your application needs to be backed by LDAP, most LDAP setups I've seen only support read operations when integrating with applications, so you may want to chat with your LDAP admin and see if your 'manage' user use case is viable.
Security is a serious domain, with lots and lots of hidden complications. I would definitely recommend against implementing this yourself. Since you mention Spring LDAP, I'm guessing you're in a Spring-based project. The obvious choice in such a setup would be the excellent Spring Security project.
I would like to centralise user management including authentication, authorisation and auditing as this is currently being performed by each application. I was wondering if there is an open source solution already available? I'm aware I can use LDAP or AD but this still requires development of an application to manage users.
I believe LDAP is not an appropriate solution as we require custom user attributes to be defined at runtime which is something LDAP does not support.
Any advice would be greatly appreciated!
There is Apereo CAS. It handles what you are after.
See www.github.com/apereo/cas
Tell me, can someone faced with such a problem. Tell us briefly; I have two drivers are configured for authentication - Eloquent and LDAP.
Tell me, how can I implement user authentication methods, it said on the form. What is important, without the use of third-party drivers ollieread/multiauth?
Thank you.
Folks,
I just moved to VS 2012 from VS 2010. I am still figuring out the new SimpleMembershipProvider and OAuth provider.
After creating a default "Internet" project, I enabled Google client. It seems now I can login using either local username/password or Google authentication.
I would appreciate it if someone can help me understand the following:
I would like only authorized users to login. It seems any Google user is able to login at the moment. How do I prevent this?
I would like to set it up such that although anyone can request for "registration," only admins will decide who is allowed to access the system. How can I achieve this?
Is there a way to completely get rid of local username/password and just use Google authentication instead?
Thank you in advance for your help.
Regards,
Peter
Did you look at Using OAuth Providers with MVC 4
There is a tutorial witch shows how you authenticate with Facebook account (with Google will be same), but authorization process need some "wizard". And after success registatrion wizard user is allow to access website. Of course you will have to change above wizard to your needs.