[ https://issues.apache.org/jira/browse/OFBIZ-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12512970 ]
Adrian Crum commented on OFBIZ-811:
-----------------------------------
Torsten,
I'm going to include your comments from the user ml here, because you made some
very good points...
-----------------------------------
I have also removed the need for ldap.user and ldap.password. I just use the
credentials supplied by the user to try and bind to LDAP. There is no need for
the OFBiz app to know the credentials of some overall LDAP tree superuser.
Putting this in the OFBiz config is nothing but a security risk IMO.
Some more words of caution to everyone who might want to apply this patch:
1. This is an all-or-nothing solution. If you set login.useLDAP=true, *all*
users' passwords are checked against LDAP. There is no fallback in either
direction, e.g. if the user is not found in LDAP, use the database or vice
versa. An optimal solution might be to give a user's record an extra field
"external auth" or something like that which would point to an external
authentication object, which might be an LDAP object. (Take a look at Oracle's
"IDENTIFIED BY" for example.) Besides LDAP, we might also be looking at SSO
solutions in the future, for example.
2. With the given implementation, all LDAP user objects need to be in a single
LDAP context, determined by ldap.baseDN. There is no sub-tree searching for
user objects. If in practice you would be looking at keeping admins in a
different part of the tree or even in a different directory than normal users,
that "external auth" field would be a solution for that, again, if it would
contain the full URL of the object in LDAP.
> Authentication using LDAP
> -------------------------
>
> Key: OFBIZ-811
> URL: https://issues.apache.org/jira/browse/OFBIZ-811
> Project: OFBiz
> Issue Type: New Feature
> Components: framework
> Environment: all
> Reporter: Mohamed Amine AZZI
> Assignee: Si Chen
> Priority: Trivial
> Attachments: ldap_authentication.patch, ldap_properties.patch,
> LoginServices.java, LoginServices.java.diff, security.properties.diff
>
>
> This feature would enable OFBiz users to authenticate their users using an
> LDAP. I developed that change in response to a customer request who wanted
> his employees to use the same passwords they use when opening a Windows
> session.
> The solution was to recreate the same usernames in the Party manager with an
> unused password, and redirect the authentication to the LDAP when needed. The
> choice is made in the security.properties file. All parameters needed to
> connect to the LDAP are there also.
> After authentication all authorizations are taken out from the Party manager.
> This would give the same feature used by SharePoint, which is called cross
> privileges.
> The change is minor as you would see, but very helpful for people needing
> the same feature.
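The design sketched in Torsten's two points above (a per-user "external auth" field holding the full LDAP URL of the user's object, with the user's own credentials used to bind, so that no directory superuser password lives in the OFBiz config and admins may sit in a different subtree or directory) can be illustrated in a few dozen lines. The following is an added example written for this page; it is not OFBiz code and not part of the patch. The `UserLogin` record, the `external_auth` field, the `FAKE_DIRECTORY` contents and all host names are constructed for the demonstration, and the directory client is injected as a function so the example runs offline.

```python
"""Per-user authentication routing: local password hash or LDAP bind.

Constructed illustration of the "external auth" idea from the OFBIZ-811
discussion; not OFBiz code.  A user whose external_auth is None is checked
against a local salted hash; a user whose external_auth is an LDAP URL
(RFC 4516: ldap[s]://host[:port]/<bind DN>) is checked by binding to that
directory as that DN with the password the user just typed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit


@dataclass
class UserLogin:
    user_login_id: str
    # Hypothetical field proposed in the discussion: None -> local password,
    # otherwise the full LDAP URL of this user's directory object.
    external_auth: Optional[str]
    password_hash: Optional[str]  # "salt$sha256hex", local users only


# Signature of an injected bind routine: (host, port, bind_dn, password) -> ok.
BindFn = Callable[[str, int, str, str], bool]


def parse_ldap_url(url: str) -> Tuple[str, int, str]:
    """Split an LDAP URL into (host, port, bind DN); default ports per scheme."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("external_auth must be an ldap:// or ldaps:// URL")
    if not parts.hostname:
        raise ValueError("LDAP URL must name a directory host")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))  # DN may carry %2C-escaped commas
    if not dn:
        raise ValueError("LDAP URL must carry the user's full DN")
    return parts.hostname, port, dn


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Salted SHA-256 for the local-password branch (demo-grade)."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def verify_local(stored: str, password: str) -> bool:
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


def authenticate(user: UserLogin, password: str, bind: BindFn) -> bool:
    """Route one login attempt to the backend named by the user's record."""
    # RFC 4513 defines a simple bind with an empty password as an anonymous
    # bind, which the directory accepts without checking any user, so an
    # empty password must be refused before any bind is attempted.
    if not password:
        return False
    if user.external_auth is None:
        return user.password_hash is not None and verify_local(
            user.password_hash, password
        )
    host, port, dn = parse_ldap_url(user.external_auth)
    return bind(host, port, dn, password)


# Constructed stand-in for two directories, keyed by (host, port): DN -> password.
FAKE_DIRECTORY: Dict[Tuple[str, int], Dict[str, str]] = {
    ("ldap.example.com", 389): {"uid=alice,ou=staff,dc=example,dc=com": "alice-pw"},
    ("admins.example.net", 636): {"uid=root,ou=admins,dc=example,dc=net": "root-pw"},
}


def fake_bind(host: str, port: int, dn: str, password: str) -> bool:
    """Offline replacement for a real directory client's simple bind."""
    return FAKE_DIRECTORY.get((host, port), {}).get(dn) == password


# Constructed user table: two externally authenticated users in different
# directories, one local user.
USERS: Dict[str, UserLogin] = {
    "alice": UserLogin("alice", "ldap://ldap.example.com/uid=alice,ou=staff,dc=example,dc=com", None),
    "root": UserLogin("root", "ldaps://admins.example.net/uid=root,ou=admins,dc=example,dc=net", None),
    "bob": UserLogin("bob", None, hash_password("bob-pw", "00ff")),
}


def login(user_login_id: str, password: str) -> bool:
    user = USERS.get(user_login_id)
    return user is not None and authenticate(user, password, fake_bind)


if __name__ == "__main__":
    for uid, pw in [("alice", "alice-pw"), ("alice", ""), ("root", "root-pw"), ("bob", "bob-pw")]:
        print(uid, "->", login(uid, pw))
```

Because the bind DN comes from the user's own record rather than from `ldap.baseDN` plus the typed login name, users in different subtrees or different directories are handled without sub-tree searching, and the configuration holds no directory credentials at all; the only secret used against the directory is the password the user just supplied.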