Re: Sun Java System Directory Server Authentication



"Jon Skeet [C# MVP]" <skeet@xxxxxxxxx> wrote in message news:1166097244.208497.124390@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Willy Denoyette [MVP] wrote:
> > Can you imagine if the web client facilities only allowed you to fetch
> > pages from IIS?

> > This is OK for simple HTML, all webservers will handle that, but you can't expect a Solaris
> > "Webserver" to handle asp or asp.net requests.

> I'd expect it to handle HTTP requests though - and that's closer to
> what's being requested, I believe.

Note that I'm not picking on you, I'm largely following your reasoning, and I don't agree with Chan's answer at all; I'm only discussing the part where I don't follow your reasoning.
A client sending an HTTP request to a Webserver will not get the *expected* answer when the request is meant to be handled by an ASP, ASP.NET ... you name it ... service. At the core, each Webserver is handling the HTTP protocol (say HTTP v1 and/or v1.1), but that doesn't mean that each of them can/will handle the services requested. Also, HTTP is a session layer protocol, nothing more.
The same goes for LDAP: at the core each LDAP server handles the LDAP protocol, but that doesn't mean each is handling all possible *service* requests; for instance, don't expect Solaris LDAP to handle NTLM authentication. But LDAP is more than a session layer protocol, it's also an application layer protocol, that is, it exposes a well-defined set of application services (version dependent), and here is where the analogy with HTTP stops; and authentication is not one of them.

> > The same analogy goes for LDAP, you can't expect it to handle authentication of Windows
> > accounts, right? LDAP is not an authentication protocol and an LDAP server (just as an AD on
> > Windows) is not required to "handle" all possible authentication type requests either, nor
> > should you expect it to implement the AD schema.

> LDAP isn't *just* an authentication protocol, but there is the concept
> of "authenticate this user by trying to log into an LDAP server with
> this username/password".


Which is not the same thing. Authentication is meant to "validate user credentials"; network "authentication" as used when binding against an LDAP server is meant to 1) validate the user's credentials, and 2) check access privileges to the LDAP server. Note also that the LDAP server doesn't handle 1), it relies on another (authentication) system service for this; on Windows it's relying on the LSA (Local Security Authority) service. Therefore it's plain wrong to use LDAP for *authentication*: it's not guaranteed to correctly answer the question *are these credentials correct?*, simply because it was not designed to answer such a question.
It's quite possible that a bind fails when specifying correct credentials, just because of a lack of access privileges. For the same reason, you won't connect to MSSQL or ORACLE only to *authenticate* a user, do you? When I ask the same question to customers who are using LDAP for authentication, they answer, sure not!! SQL Server is an RDBMS. And then I answer: and an LDAP server is a Directory Service....


Willy.
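
The point made above, that a failed simple bind does not mean "wrong password", is easy to get wrong in code that uses LDAP for authentication. The following is an added example, not code from either poster, of a bind-result classifier that treats only resultCode 49 (invalidCredentials, RFC 4511) as a verdict on the credentials, reads Active Directory's "data NNN" sub-code from the diagnostic message, and refuses empty passwords before binding (RFC 4513 allows a DN plus empty password to complete as an unauthenticated bind). The `bind` callable, the sample DNs and the fake directory are constructed assumptions for an offline run.

```python
import re
from enum import Enum

# Assumed constants: LDAP result codes from RFC 4511 and the sub-codes Active
# Directory places after "data" in its bind diagnostic message.
SUCCESS, INVALID_CREDENTIALS, INSUFFICIENT_ACCESS, UNWILLING = 0, 49, 50, 53
AD_SUBCODES = {"525": "no such user", "52e": "invalid credentials",
               "530": "logon time restriction", "532": "password expired",
               "533": "account disabled", "701": "account expired",
               "773": "password must be reset", "775": "account locked"}

class Outcome(Enum):
    AUTHENTICATED = "authenticated"
    REJECTED = "rejected"            # credentials are definitely wrong
    INDETERMINATE = "indeterminate"  # bind failed for some other reason

def classify_bind(result_code, diagnostic=""):
    """Map a simple-bind result to an authentication outcome.
    Only resultCode 49 says anything about the credentials themselves."""
    if result_code == SUCCESS:
        return Outcome.AUTHENTICATED, "bind succeeded"
    if result_code != INVALID_CREDENTIALS:
        # e.g. 50 insufficientAccessRights, 53 unwillingToPerform: the
        # password may well be right, so do not report it as wrong.
        return Outcome.INDETERMINATE, f"bind failed with resultCode {result_code}"
    m = re.search(r"\bdata (\w+)", diagnostic)
    sub = m.group(1).lower() if m else None
    reason = AD_SUBCODES.get(sub, "invalid credentials")
    # AD reports lockouts, expiry and disabled accounts under code 49 too.
    if sub is not None and sub not in ("52e", "525"):
        return Outcome.INDETERMINATE, reason
    return Outcome.REJECTED, reason

def verify_credentials(bind, dn, password):
    """bind(dn, password) -> (result_code, diagnostic). Empty passwords are
    refused up front so an unauthenticated bind cannot pass as success."""
    if not dn or not password:
        return Outcome.REJECTED, "empty DN or password refused before bind"
    return classify_bind(*bind(dn, password))

# Constructed stand-in for a directory server, for offline demonstration.
FAKE_DIRECTORY = {"cn=alice,dc=example,dc=com": "correct-horse"}
def fake_bind(dn, password):
    if dn == "cn=locked,dc=example,dc=com":   # constructed AD-style diagnostic
        return 49, "80090308: LdapErr: comment: AcceptSecurityContext error, data 775, v3839"
    if dn == "cn=noaccess,dc=example,dc=com":
        return INSUFFICIENT_ACCESS, "insufficient access rights"
    if FAKE_DIRECTORY.get(dn) == password:
        return SUCCESS, ""
    return INVALID_CREDENTIALS, "data 52e"
```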

