LDAP用户和Web应用程序
[英]LDAP users and web application
问题描述
We built a web application (running on our intranet) that relies on our LDAP directory (active directory) for it's users. 
我们构建了一个Web应用程序(在我们的Intranet上运行),它依赖于我们的LDAP目录(活动目录)。 Instead of 'syncing' the directory users with say a 'user' table in our application database (MySQL) we use the LDAP directory just like we use databases. 与我们的应用程序数据库(MySQL)中的“用户”表“同步”目录用户不同,我们使用LDAP目录就像使用数据库一样。
When creating a relation between an entity pulled from MySQL and an LDAP user we use the user GUID (which is a unique string). 在从MySQL提取的实体和LDAP用户之间创建关系时,我们使用用户GUID(这是一个唯一的字符串)。
Our directory will never have more than 300 users (never). 我们的目录永远不会超过300个用户(从不)。 We installed a dedicated DC (Domain Controller) to serve our application request. 我们安装了专用的DC(域控制器)来满足我们的应用程序请求。 Network latency is not an issue. 网络延迟不是问题。
In our code we could replace a few lines of code to switch from using LDAP to using MySQL and a 'user' table (data mappers are awesome) 在我们的代码中,我们可以替换几行代码,从使用LDAP切换到使用MySQL和'用户'表(数据映射器非常棒)
Would you do this (no 'user' table syncing)? 你会这样做(没有'用户'表同步)? What are your arguments against this (way of doing it)? 你反对这个问题的论点是什么(这样做的方式)?
edit 编辑
We do use a 'user' table but it's very simple so sql joins are not really a problem, we know it will have better perfomance with a full user table but are looking for other arguments against using LDAP 我们确实使用'用户'表,但它非常简单,所以sql连接并不是真正的问题,我们知道它将具有更好的性能与完整的用户表,但正在寻找其他参数反对使用LDAP
CREATE TABLE `user` (
`_id` int(4) unsigned NOT NULL AUTO_INCREMENT,
`guid` varchar(255) NOT NULL,
PRIMARY KEY (`_id`)
);
2 个解决方案
解决方案1
2 2015-03-01 06:25:25
I would not do it. 我不会这样做。 I would sync the users data except for the password on every login. 我会在每次登录时同步除密码之外的用户数据。 That way you have the current data of your application in its database and you can use your databases join features to get all the relevant information without going to query different systems. 这样,您可以在其数据库中获得应用程序的当前数据,并且可以使用数据库连接功能获取所有相关信息,而无需查询不同的系统。 I'd only use LDAP for authentication and perhaps a model of LDAP-Group based authorization. 我只使用LDAP进行身份验证,也许只使用基于LDAP组的授权模型。
- That way you do not need to hassle with passwords and any password policies. 这样您就不需要为密码和任何密码策略而烦恼。
- And after login you are completely independent from the LDAP-server. 登录后,您完全独立于LDAP服务器。
- A missing LDAP server won't affect already logged in users only new logins would not work. 丢失的LDAP服务器不会影响已登录的用户,只有新登录不起作用。
And even though the objectGUID is unique it is unique throughout your LDAP and not necessarily your application. 即使objectGUID是唯一的,它在整个LDAP中也是唯一的,而不一定是您的应用程序。
We often have the issue that in LDAP a user us newly created instead of renamed when the users name changes (due to marriage or divorce fi). 我们经常遇到这样的问题:在LDAP中,用户是我们新创建的,而不是在用户名称更改时重命名(由于结婚或离婚fi)。 But you might not want to create a new user in that case in your app. 但您可能不希望在该应用中创建新用户。 With your own users table you can simply change the ObjectGUID for a user and the users app-internal id stays the same but links to a completely new user in LDAP. 使用您自己的用户表,您只需更改用户的ObjectGUID,用户app-internal id保持不变,但链接到LDAP中的全新用户。
解决方案2
1 2015-02-28 22:10:54
I would definitely do that for authentication, the base user profile, and user status. 我肯定会为身份验证,基本用户配置文件和用户状态执行此操作。 The AD entry for the user is highly likely to me more current than the data you have for the user. 用户的AD条目很可能比您为用户提供的数据更新。 It removes the need for you to manage passwords for users. 它使您无需管理用户的密码。 You don't need to store them or provide a facility for changing them. 您无需存储它们或提供更改它们的工具。 When the user status is disabled in Active Directory your user won't be able to use your applications anymore. 在Active Directory中禁用用户状态后,您的用户将无法再使用您的应用程序。 If the user's name, email, phone number changes in AD then you will always have the most up to date data and you don't have to provide a facility to manage it. 如果用户的姓名,电子邮件,电话号码在AD中发生变化,那么您将始终拥有最新的数据,而您无需提供管理它的工具。
The objectGUID is perfect way to link your account as it is unique and immutable. objectGUID是链接您的帐户的完美方式,因为它是唯一且不可变的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.