ActiveDirectory & JNDI...design considerations
Posted By:   Anonymous
Posted On:   Wednesday, July 21, 2004 12:57 PM


Hi,

I just spent most of my day (like many of you probably) searching and reading forums regarding JNDI and MS ActiveDirectory. I have to integrate a single sign-on web app with my company's AD, and my questions are regarding which approach I should take.

Here they are:

1. I wish to use a separate application login as the security credentials when binding to MS AD. Then, I want to search for a particular user and validate him against the passed-in arguments (username, password). The reasons for using a separate application login during the AD bind are:
- it will eventually be used to add/delete new users and change passwords, which I couldn't do if I used "ordinary" user accounts (the account used in the bind has "more" permissions than an ordinary user)
- it will allow me to search the AD for a user before authenticating him with his password

If my logic above makes sense (please feel free to comment), how do I solve the problem of "matching" the user's password, granted that the user search found the username? From what I could gather, MS AD does NOT store user passwords, and you cannot get the password using an attribute lookup. If this is correct (which I think it is), how do I go about authenticating this user, granted that he is found in AD after a search? If this is not possible, can someone suggest other solutions?

2. I saw a lot of people having problems using GSSAPI (Kerberos 5) authentication, and it is my intention to stay with "simple" authentication rather than using SASL modules like Kerberos 5. What does GSSAPI actually "buy me" in terms of functionality if I implement it rather than the "simple" auth method?

3. I am also aware that in order to update a user password I have to either bind to AD as that user or as an Admin user. I am also aware that I must use an SSL connection with certificates (keystore and so on). I have found numerous references to the "unicodePwd" attribute that needs to be modified for a subcontext. The weird thing is that, after I do a search for a user and print ALL his attributes, I cannot see the attribute "unicodePwd". Is this a "write-only/no-read" attribute that will not print?

If someone could give me his/her opinions on these I would much appreciate it...

Amir
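The two-step approach asked about in question 1 (search as a service account, then verify the password), written out as an added example rather than code from the original post. The LDAPS URL, base DN, service-account DN and the AD_SVC_PASSWORD environment variable are assumed placeholders; the password itself is never read from the directory, it is checked by a second simple bind as the user, which is how AD is meant to be used since unicodePwd is not readable.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class AdAuth {
    // Assumed placeholders: replace with your own LDAPS URL, base DN and service account DN.
    static final String URL = "ldaps://dc.example.com:636";
    static final String BASE_DN = "DC=example,DC=com";
    static final String SVC_DN = "CN=webapp-svc,OU=Service Accounts,DC=example,DC=com";
    // Simple bind as the given principal; throws NamingException if AD rejects the credentials.
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    // Step 1: bound as the service account, resolve the login name to the user's DN (null if absent).
    static String findUserDn(String login) throws NamingException {
        DirContext svc = bind(SVC_DN, System.getenv("AD_SVC_PASSWORD"));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // {0} is substituted with LDAP filter escaping, so the login cannot rewrite the filter.
            NamingEnumeration<SearchResult> hits = svc.search(BASE_DN,
                "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { login }, sc);
            return hits.hasMore() ? hits.next().getNameInNamespace() : null;
        } finally {
            svc.close();
        }
    }
    // Step 2: AD never returns the password, so it is verified by binding as the user.
    static boolean authenticate(String login, String password) {
        // AD treats a bind with an empty password as anonymous and reports success, so refuse it.
        if (password == null || password.isEmpty()) return false;
        try {
            String dn = findUserDn(login);
            if (dn == null) return false;
            bind(dn, password).close();
            return true;
        } catch (NamingException e) {
            return false;
        }
    }
}
```

The service account only needs read access to the user objects for this flow; grant it the extra rights mentioned for creating users and resetting passwords separately and only where needed.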