Re: Sun Java System Directory Server Authentication
- From: Jon Skeet [C# MVP] <skeet@xxxxxxxxx>
- Date: Thu, 14 Dec 2006 19:31:34 -0000
Willy Denoyette [MVP] <willy.denoyette@xxxxxxxxxx> wrote:
I'd expect it to handle HTTP requests though - and that's closer to what's being requested, I believe.
Note that I'm not picking on you, I'm largely following your reasoning and that I don't agree with Chan's answer at all, I'm only discussing the part where I don't follow your reasoning.
A client sending an HTTP request to a Webserver will not get the *expected* answer when the
request is meant to be handled by an ASP, ASP.NET ....you name it ... service. At the core,
each Webserver is handling the HTTP protocol (say http v1 and/v1.1), but that doesn't mean
that each of them can/will handle the services requested. Also, HTTP is a session layer
protocol nothing more.
The same goes for LDAP, at the core each LDAP server handles the LDAP protocol, but that
doesn't mean each is handling all possible *service* requests, for instance don't expect
Solaris LDAP to handle NTLM authentication.
Certainly - I agree there. I think part of the problem is that "Active
Directory" is more often than not primarily used for things *other*
than what I tend to think of as directory services.
Which is not the same thing, authentication is meant to "validate user credentials",
network "authentication" as used when binding against an LDAP server is meant to 1) validate
user's credentials, and 2) check access privileges to the LDAP server. Note also that the
LDAP server doesn't handle 1), it relies on another (authentication) system service for
this, on Windows it's relying on the LSA (Local Security Authority) service. Therefore it's
plain wrong to use LDAP for *authentication*, it's not guaranteed to correctly answer the
question *are these credentials correct?*, simply because it was not designed to answer
such a question.
It's quite possible that a bind fails specifying correct credentials, just because of a lack
of access privileges. For the same reason you won't connect to MSSQL or ORACLE, only to
*authenticate* a user do you? When I ask the same question to customers who are using LDAP
for authentication, they answer, sure not!! SQL server is a RDBMS and then I answer and LDAP
server is a Directory Service....
That's certainly true - but if you have all your users in the
directory, and they all have access appropriately set up, it seems
reasonable to use that for an authentication check.
It's not entirely uncommon to want to authenticate using an LDAP server
- it's sufficiently common that there's an Apache module for the
purpose, for instance.
--
Jon Skeet - <skeet@xxxxxxxxx>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too
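
Added example, not part of the original thread or any poster's code: one way a caller that does use an LDAP simple bind as a credential check can avoid reading every failed bind as "wrong password", and avoid reading an empty-password bind as proof of identity. It assumes the bind itself was performed with some LDAP library; `classify_bind`, `BindOutcome` and the sample results are hypothetical names and constructed data, and the Active Directory sub-codes only apply when the server puts them in the diagnostic message.

```python
import re
from enum import Enum

class BindOutcome(Enum):
    AUTHENTICATED = "authenticated"
    BAD_CREDENTIALS = "bad_credentials"
    REFUSED_BY_POLICY = "refused_by_policy"    # account or server policy, not a password mismatch
    NOT_AN_AUTH_ANSWER = "not_an_auth_answer"  # result says nothing about the credentials

# Result codes defined in RFC 4511.
SUCCESS, INVALID_CREDENTIALS = 0, 49
POLICY_CODES = {8: "strongerAuthRequired", 48: "inappropriateAuthentication",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}
# Active Directory sub-codes, carried in the diagnostic message as "data NNN".
AD_ACCOUNT_STATE = {"530": "outside logon hours", "531": "workstation restriction",
                    "532": "password expired", "533": "account disabled",
                    "701": "account expired", "773": "must change password",
                    "775": "account locked"}
_AD_DATA = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")

def classify_bind(bind_dn, password, result_code, diagnostic=""):
    """Map a simple-bind attempt to (BindOutcome, reason)."""
    # RFC 4513 5.1.2: a DN with an empty password is an "unauthenticated bind"
    # and a server may answer success. Reject it here, ideally before binding.
    if not bind_dn or not password:
        return BindOutcome.NOT_AN_AUTH_ANSWER, "empty DN or password"
    if result_code == SUCCESS:
        return BindOutcome.AUTHENTICATED, "bind succeeded"
    if result_code == INVALID_CREDENTIALS:
        m = _AD_DATA.search(diagnostic or "")
        sub = m.group(1).lower() if m else None
        if sub in AD_ACCOUNT_STATE:
            return BindOutcome.REFUSED_BY_POLICY, AD_ACCOUNT_STATE[sub]
        return BindOutcome.BAD_CREDENTIALS, "invalidCredentials"
    if result_code in POLICY_CODES:
        return BindOutcome.REFUSED_BY_POLICY, POLICY_CODES[result_code]
    # busy, unavailable, referral, ...: retry or fail closed, but do not
    # record it as a failed password attempt.
    return BindOutcome.NOT_AN_AUTH_ANSWER, f"result code {result_code}"

# Constructed sample results (not captured from a real server).
AD_MSG = "80090308: LdapErr: DSID-XXXXXXXX, comment: AcceptSecurityContext error, data %s, v1db1"
SAMPLES = [("uid=alice,dc=example,dc=com", "s3cret", 0, ""),
           ("uid=alice,dc=example,dc=com", "", 0, ""),
           ("cn=bob,dc=example,dc=com", "guess", 49, AD_MSG % "52e"),
           ("cn=bob,dc=example,dc=com", "right", 49, AD_MSG % "533"),
           ("uid=carol,dc=example,dc=com", "right", 53, "")]

if __name__ == "__main__":
    for dn, pw, code, diag in SAMPLES:
        print(dn, code, *classify_bind(dn, pw, code, diag))
```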