Doubt about the LDAP + php connection

Viewed 563 times

I am creating a class for LDAP authentication to integrate with intranet apps, as protocol generator, etc.

1- After performing ldap_bind() and connecting the user, is there any persistence of this authentication? Is there a need to close it with ldap_close() when the user leaves or logs out?

Bonus: Sometimes more than one user uses the same computer, but with different logins. How could I manage these authentications so that they are stored for a certain period?

1 answer

It all depends. I say this because I don't know how your company uses LDAP. Some companies use LDAP only as a directory tree where they maintain their structure, collaborators and some attributes such as name, some groups, etc. It is mostly used for workstation logins.

Other companies, however, use LDAP more deeply, managing a lot of employee information, complex hierarchical structures of the company itself, tree permissions for access to systems and restricted areas of the company, access control at turnstiles and so on. That is, in the market there are many different uses of LDAP.

That said, I think I can proceed with the answer to your question.

If you’re just authenticating the user...

If your company only authenticates users, then you will just try to do the bind on the server using the user and password of whoever wants to access the application. If the LDAP server refuses the bind, the user and password are wrong: you inform the user about the authentication failure, close the connection, and you're done.

If you are going to authenticate and recover some user properties...

Well, if your company stores some user information in LDAP, such as enrollment, leader (or manager), phone, etc., you can retrieve this information from LDAP and show it in your system. Then you will need to know a little bit about LDAP search syntax.

With the information retrieved from LDAP, you can also integrate your application with other systems (if possible) such as HR, ERP and so on.

In this case, you bind, retrieve the information, save this information in the session (or persist it) and then you can close the connection with LDAP.

If you need to recover access permissions...

In that case, it depends on your system. If you need to retrieve the role and LDAP permissions for every user who accesses your application and check whether or not that user can access certain functionality of your system, you could even keep the connection open with LDAP and close it after the user logs out.

Here, your app's LDAP queries may be more frequent, so you could keep the connection open if you don't want to save the user permissions in the session.

Directly answering your questions

After performing ldap_bind() and connecting the user, is there any persistence of this authentication? Is there a need to close it with ldap_close() when the user leaves or logs out?

I have only worked with Microsoft AD (Active Directory). And in this case I didn't see it persisting anything there when we bind in our applications. All this control is done internally in my application. For us, LDAP is just a login flag with true or false success. I also retrieve some things, nothing more.

But I believe it is good practice to terminate the connection, just as database connections, streams and so on are closed.

Sometimes, more than one user uses the same computer, but with different logins. How could I manage these authentications so that they are stored for a certain period?

This control is done by your application, not by LDAP. Both users will need to enter a user and password in your application, and your application manages the rest. As stated in the answer above, LDAP will only respond true or false to you for a login and password combination. The rest is on your own.
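The flow the answer describes (bind with the user's own credentials, read a few attributes while still bound, store them in the PHP session, close the connection) as an added example; this is not code from the question or the answer. The server URI, base DN and `uid=` naming pattern are placeholder assumptions, and the empty-password check is there because many directories treat a bind with an empty password as an anonymous bind that "succeeds".

```php
<?php
// Added example, not code from the question or answer. The server URI and the
// DN pattern are placeholders; adjust them to the directory you actually use.
final class LdapAuthenticator
{
    public function __construct(
        private string $uri = 'ldaps://ldap.example.com',        // placeholder host
        private string $baseDn = 'ou=people,dc=example,dc=com',  // placeholder base DN
    ) {}
    /** Returns the user's attributes on success, or null when the bind fails. */
    public function authenticate(string $username, string $password): ?array
    {
        // An empty password makes many servers treat the bind as anonymous and
        // "succeed", so reject it before ldap_bind() is ever called.
        if ($username === '' || $password === '') { return null; }
        $conn = ldap_connect($this->uri);
        if ($conn === false) { return null; }
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
        // ldap_escape() keeps a crafted username from rewriting the DN.
        $userDn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $this->baseDn;
        if (@ldap_bind($conn, $userDn, $password) === false) {
            ldap_close($conn);
            return null; // wrong user or password
        }
        // While still bound, read only the attributes the application needs.
        $result = ldap_read($conn, $userDn, '(objectClass=*)', ['cn', 'mail', 'memberOf']);
        $entries = $result !== false ? ldap_get_entries($conn, $result) : ['count' => 0];
        ldap_close($conn); // the bind holds no server-side session; nothing to keep open
        if ($entries['count'] !== 1) { return null; }
        $groups = $entries[0]['memberof'] ?? ['count' => 0];
        unset($groups['count']); // ldap_get_entries() adds a 'count' key to every attribute
        return [
            'cn'     => $entries[0]['cn'][0] ?? '',
            'mail'   => $entries[0]['mail'][0] ?? '',
            'groups' => array_values($groups),
        ];
    }
}

// Login request: keep the result in the PHP session; later requests check the session, not LDAP.
session_start();
$profile = (new LdapAuthenticator())->authenticate($_POST['user'] ?? '', $_POST['pass'] ?? '');
if ($profile === null) { http_response_code(401); exit('Authentication failed'); }
session_regenerate_id(true); // fresh session id after login, so a pre-login id cannot be reused
$_SESSION['user'] = $profile;
```

Two users sharing one workstation each get their own PHP session this way; how long it stays valid is decided by the application's session lifetime, not by anything kept on the LDAP server.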

  • Ricardo, you completely cleared my doubts. I will retrieve some information, yes, such as email; I will apply ldap_read() with a filter. Thank you very much!
