Arjan, Experts,
As you mentioned earlier, I had a look a the basic LDAP identity store, to
see if it can be improved. The current approach is to use the supplied
username to look that one up in a certain base.
The more general approach is
1. Get a connection to the LDAP server.
2. Bind as the application user.
This user should have enough permissions to search the area of LDAP where
users are located.
3. Search for the DN (distinguished name) of the user to be authenticated.
4. Bind as user to be authenticated using DN from step 3.
To implement this, we need some additional parameters
- The DN for the application user
- The password for this account
- A search expression like *(&(cn=%s)(objectClass=person))*
- A base DN where the search starts.
But we should keep your original way of validating the user, because there
are companies where you can use this more direct approach.
I create something based on the code what I used in my last project.
The fact that we need more parameters leads me to the following questions:
Probably my version can be improved also in one or more ways. And thus I'm
afraid that each Application server will keep his own implementation of the
LDAP store, with all the additional features not possible with the standard
parameters we have defined for the *LdapIdentityStoreDefinition* annotation.
And then again, we have no compatibility between the different servers.
Is my fear justified? Should all the application servers define which
parameters they like to see/need?
best regards
Rudy