LDAP Authentication Design

by Dennis Gregorovic

I. Essentials

II. Introduction

The LDAP Authentication package is intended to provide a service such that, after registering once, a user can log on to multiple ACS installations via the same e-mail address and password.

It is very common to have separate, but similar ACS installations, such as www.arsdigita.com and acs.arsdigita.com. As it is now, in order to use these sites you need to create a separate account on each site. Then you must remember the e-mail address and password you used for each site. You may have used the same e-mail address and password for both to make it easier to remember, but then if you ever want to change your password on one site then they'll be out of sync again.

ArsDigita, as the administrator of these two sites can use the LDAP authentication package to create "cannonical accounts" that are shared between the sites. The cannonical accounts are the authoritative source for a user's primary information such as e-mail address, password, first names, and last name. Each ACS installation (www.arsdigita.com and acs.arsdigita.com in this example) still have their own users table, but they use the LDAP authentication to keep their local user information fresh.

With LDAP Authentication enabled, when Joe User registers on www.arsdigita.com, a local entry is created as well as a canonical entry on the LDAP server. Then, when Joe tries to log into acs.arsdigita.com, the LDAP server will be queried and Joe's information will be found. Additionally, a local entry will be created on acs.arsdigita.com with Joe's info. If Joe were to change his password on acs.arsdigita.com, the password on the LDAP server would also be updated, which implicitly propagates the change to www.arsdigita.com. Finally, ArsDigita could at a later point enable LDAP Authentication on wimpy.arsdigita.com, and everyone with an account on acs.arsdigita.com/www.arsdigita.com could then log into wimpy.

III. Historical Considerations

In terms of protocols, the only choices analyzed to solve this problem were LDAP and Oracle Replication. Oracle Replication would have been a more full-featured and easy-to-implement solution, but it was rejected due to its rigid and proprietary nature. LDAP is a much more flexible and open choice.

VII. Data Model Discussion

The LDAP Authentication data model contains only one table - ldap_attributes. This table keeps a list of LDAP attributes for individual ACS objects. Currently there are just two columns - object_id and dn. With these columns, we can map a Distinguished Name (dn) to any ACS object in the database.

The bulk of the functionality of the LDAP data model comes from its PL/SQL functions. These functions are wrappers around Java functions that perform specific operations on the LDAP server. The functions are:

Given a DN and password, determines whether the password is valid for that DN.
Given a DN and password, updates the password on the LDAP server of the entry designated by the DN.
Given a DN and attribute name, query the entry on the LDAP server for its value of the specified attribute. This function only supports entries that return exactly one attribute value.
Given an email address, queries the LDAP server for an entry whose mail attribute matches the email address. If successul, returns the DN of the matched entry.
Takes in a DN and first_names, last_name, email, and password values. It then creates an entry on the LDAP server with the given DN and other attribute values.
In addition, all of these functions take some combination of the following parameters which are necessary to establish the LDAP environment for the Java calls.
This is the url of the ldap server. e.g) ldap://yourldapserver.com:389
This is the DN of a user on the LDAP server that has permissions to query, modify, and add entries on the server.
The password for the user specified by the rootdn
The base object in the LDAP server where queries start. e.g.) o=arsdigita.com
The level of security to use. Valid values include 'none', 'simple', and 'strong'. However, many LDAP servers do not support 'strong' authentication.

XII. Authors

System creators
Lars Pind
Dennis Gregorovic
System owner
Dennis Gregorovic
Documentation author
Dennis Gregorovic

VII. Revision History

Last modified: $Date: 2005/04/20 11:48:56 $
Document Revision # Action Taken, Notes When? By Whom?
0.1 Creation 08/30/2000 Dennis Gregorovic
0.2 Revised 09/18/2000 Dennis Gregorovic