Question about LDAP connection + PHP


I'm creating a class for LDAP authentication to integrate with intranet apps, such as protocol generator, etc.

1 - After you have done ldap_bind() and connected the user, is there any persistence of this authentication? Is there a need to close it with ldap_close() when the user leaves or moves?

Bonus: sometimes more than one user uses the same computer, but with different logins. How could you manage these endorsements so that they are stored for a certain period?

asked by anonymous 16.07.2014 / 17:43

1 answer


It all depends. I say this because I do not know how your company uses LDAP. Some companies use LDAP only as a directory tree in which they maintain their structure, employees and some attributes such as name, some groups, etc. It is used mostly for logins on the workstations.

Other companies, however, use LDAP more deeply by managing a lot of employee information, complex enterprise hierarchical structures, tree permissions for access to systems and restricted areas of the enterprise, access control in turnstiles and so on. That is, in the market there are uses and more uses of LDAP.

That said, I think I can go on with the answer to your question.

If you just authenticate the user ...

If your company only authenticates users, then you will only try to bind to the server using the username and password of whoever wants to access the application. If the LDAP server declines the bind, the username and password are wrong; you inform the user about the authentication failure, close the connection, and that's it.

If you are going to authenticate and recover some user properties ...

Well, if your company saves some user information in LDAP, such as enrollment, leader (or manager), phone... you can retrieve this information from LDAP and show it in your system. For that you will need to know a bit about the LDAP search syntax.

With information retrieved from LDAP, you can also integrate your application with other systems (if possible) like HR, ERP and so on.

In this case, you bind, retrieve the information, save that information in the session (or persist it), and then you can close the LDAP connection.

If you need to retrieve access permissions ...

In this case, it depends on your system. If you need to retrieve the LDAP role and permissions for each user who accesses your application and verify whether that user can access certain functionality of your system, you could even keep the LDAP connection open and close it after the user logs out.

Here, your LDAP queries may be more frequent, so you could keep the connection open if you do not want to save user permissions to the session.

Responding directly to your questions

After logging in with ldap_bind() and connecting the user, is there any persistence of this authentication? Is there a need to close it with ldap_close() when the user exits or moves?

I've only worked with Microsoft's Active Directory (AD). And in that case I have not seen it persisting anything there when we bind from our applications. All this control is done internally in my application. For us, LDAP is just a successful-or-failed login flag. I also get some things back, nothing more.

But I believe it's good practice to terminate the connection, just as you would with a connection to a database, a stream, etc.

Sometimes more than one user uses the same computer, but with different logins; how could you manage these endorsements so that they are stored for a certain period?

This control belongs to your application, not LDAP. Both users will need to enter their username and password in your application, and your application manages the rest. As I said in the answer above, LDAP will only answer true or false for a login and password combination. The rest is up to you.

17.07.2014 / 01:26
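The flow the answer describes (bind with the user's own credentials, fetch a few attributes, keep what the application needs in the PHP session, and release the connection) as an added example; this is not code from the original question or answer. The server URI, base DN, the `uid=...,ou=people` layout and the attribute names are assumptions to adapt to your directory (Active Directory, for instance, usually binds with a `user@domain` name and searches on `sAMAccountName`). Two checks a practitioner wants are included: an empty password is rejected before calling `ldap_bind()`, because an empty password makes the PHP function perform an unauthenticated bind that many servers accept as success, and the username is passed through `ldap_escape()` before it is placed in a DN or search filter.

```php
<?php
// Added example, not the original post's code. Assumed directory layout:
//   bind DN: uid=<username>,ou=people,<baseDn>
//   attributes of interest: cn, mail, manager

final class LdapAuthenticator
{
    private string $uri;    // e.g. 'ldaps://ldap.example.internal' (assumed)
    private string $baseDn; // e.g. 'dc=example,dc=internal' (assumed)

    public function __construct(string $uri, string $baseDn)
    {
        $this->uri = $uri;
        $this->baseDn = $baseDn;
    }

    /**
     * Returns the selected attributes on success, or null when the bind fails.
     * The handle is always released with ldap_unbind() (ldap_close() is its alias),
     * so nothing LDAP-related outlives this call; persistence is the session's job.
     */
    public function authenticate(string $username, string $password): ?array
    {
        // An empty password turns ldap_bind() into an anonymous/unauthenticated
        // bind, which many servers report as success. Refuse it up front.
        if ($username === '' || $password === '') {
            return null;
        }

        $conn = ldap_connect($this->uri);
        if ($conn === false) {
            return null;
        }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

        // Escape for DN syntax before building the bind DN (assumed layout).
        $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN)
            . ',ou=people,' . $this->baseDn;

        // ldap_bind() raises a warning on a refused bind; only the return value matters.
        if (!@ldap_bind($conn, $dn, $password)) {
            ldap_unbind($conn);
            return null;
        }

        // Escape for filter syntax before searching for the user's entry.
        $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $wanted = ['cn', 'mail', 'manager'];
        $attrs  = [];
        $result = ldap_search($conn, $this->baseDn, $filter, $wanted);
        if ($result !== false) {
            $entries = ldap_get_entries($conn, $result);
            if ($entries['count'] > 0) {
                foreach ($wanted as $a) {
                    // ldap_get_entries() lowercases attribute names; [0] is the first value.
                    $attrs[$a] = $entries[0][$a][0] ?? null;
                }
            }
        }

        ldap_unbind($conn); // release the connection; the session carries the result
        return $attrs;
    }
}

// Usage (assumed form fields 'username' and 'password').
session_start();
$auth = new LdapAuthenticator('ldaps://ldap.example.internal', 'dc=example,dc=internal');
$attrs = $auth->authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
if ($attrs === null) {
    http_response_code(401);
    exit('Authentication failed');
}
// Each browser login gets its own session, which is how two people sharing one
// workstation are kept apart; a fresh id prevents session fixation across logins.
session_regenerate_id(true);
$_SESSION['user'] = [
    'uid'              => $_POST['username'],
    'attrs'            => $attrs,
    'authenticated_at' => time(), // compare against a lifetime on each request to expire it
];
```

For the "keep the connection open for the whole visit" variant the answer mentions, note that a PHP LDAP handle cannot be stored in `$_SESSION`; each request would have to bind again with stored credentials, which is why caching the needed permissions in the session and unbinding immediately, as above, is the usual choice.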