There are three types of binds that an LDAP server can be configured for:

1. anonymous - the tree is world readable, so no credentials are checked, and your search has all of the rights granted to "anonymous"
2. user bind - the user authenticates against the tree, and has rights granted based upon the user's rights (no anonymous reads usually).
3. unauthenticated - anonymous binding with user DN, but no password.
1 and 2 are the most prevalent. I don't have as much experience with Active Directory, so they may have extended these possibilities.

speeves

On Fri, Oct 24, 2008 at 8:38 AM, Dawson, Michael <[EMAIL PROTECTED]> wrote:
> It depends on your LDAP server. It appears that you are not using
> Active Directory due to the way you have handled your start and username
> attributes. AD allows any domain user to query the directory.
>
> Other servers, such as Novell DS, may require you to first query the
> directory for the DN of the user who is trying to authenticate. This
> first query will require a known username and password.
>
> Then, the second query will take the first query's DN and use it as the
> username. If all works, then the user is authenticated.
>
> However, I have worked with a Novell server that doesn't require a
> username/password at all. From what I am told, this is common for
> Novell servers.
>
> There are a couple of improvements I would suggest.
>
> 1. As Shannon said, for the START, you can specify the root of the users
> container, rather than the DN of the user object. If you are told to
> specify the DN in the START, then change your SCOPE to BASE. There is
> no SUBTREE for a single object. Therefore, there is no need to ask the
> LDAP server to search through sub-OUs when you just told it the exact
> destination. It doesn't hurt, but it's confusing when reading the code.
>
> 2. While authenticating, you can also bring out other attributes such as
> givenName, sn, mail, etc. Currently, you are returning only cn. You
> may need other attributes within your application, so why not
> authenticate, and get their values, in a single request?
>
> 3. You don't need the <cfelse> part of your condition. You already know
> the UserIsValid variable is 0.
>
> Mike
>
> -----Original Message-----
> From: Marie Taylore [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 23, 2008 4:01 PM
> To: cf-talk
> Subject: Proper Authentication with CFLDAP?
>
> I just received this code as the "proper" way to "bind" someone during
> an LDAP login to a ColdFusion App. Is this really the right way?
>
> <cfset UserIsValid = 0>
> <CFTRY>
>   <cfldap action="QUERY"
>     name="Authenticate"
>     start="uid=#username#,ou=#OurOU#,dc=#OurDC#,dc=#OurDC2#"
>     attributes="cn"
>     scope="SUBTREE"
>     server="#OurServer#"
>     username="uid=#username#,ou=#OurOU#,dc=#OurDC#,dc=#OurDC2#"
>     password="#password#">
>   <cfif Authenticate.RecordCount GT 0>
>     <cfset UserIsValid = 1>
>   <cfelse>
>     <cfset UserIsValid = 0>
>   </cfif>
>   <cfcatch type="Any">
>     <cfset UserIsValid = 0>
>     <!--- DEBUG CODE HERE --->
>   </cfcatch>
> </CFTRY>
>
> <cfif UserIsValid EQ 0>
>   Sorry, login failed.
>   <cfabort>
> </cfif>
>
> If they pass the CFABORT above, they're "authenticated" to your app.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314341
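The following is an added example, not code from any of the posters in this thread, showing what the third bind type in speeves' list (the "unauthenticated" bind) does to a bind-as-login scheme like the cfldap snippet above, and the two application-side checks that close it. RFC 4513 section 5.1.2 defines a simple bind that carries a DN and an empty password as an "unauthenticated" bind: no credential is verified, and a server that accepts it grants the anonymous authorization state. The RFC recommends servers reject it by default, but that is server configuration, so a login page must refuse a blank password before it is ever sent. The second check escapes the username per RFC 4514 before it is spliced into the DN, so a username containing ',' or '=' cannot name a different entry than intended. `FakeDirectory` is a constructed stand-in for an LDAP server (its `allow_unauthenticated` flag models the server-side setting); the `uid=...,ou=...,dc=...` DN layout copies the posted snippet, and the base DN and account are made up for the demonstration.

```python
"""Added example: unauthenticated LDAP bind versus a login check, and DN escaping.
FakeDirectory is a constructed model of an LDAP server, not a real client."""
from dataclasses import dataclass
from typing import Dict

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute
# value. One pass over the input, so a backslash is escaped exactly once.
_DN_SPECIAL = {
    "\\": "\\\\", ",": "\\,", "+": "\\+", '"': '\\"',
    "<": "\\<", ">": "\\>", ";": "\\;", "=": "\\=", "\x00": "\\00",
}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append(_DN_SPECIAL[ch])
        elif ch == "#" and i == 0:                  # a leading '#' is special
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(username: str, users_base: str) -> str:
    """The snippet's uid=#username#,<base>, with the username escaped."""
    return f"uid={escape_dn_value(username)},{users_base}"


@dataclass
class FakeDirectory:
    """Constructed LDAP server model. `passwords` maps bind DN -> password.
    `allow_unauthenticated` models the server setting for speeves' type 3."""
    passwords: Dict[str, str]
    allow_unauthenticated: bool = True

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            # RFC 4513 5.1.2: DN + empty password is an unauthenticated bind.
            # A server that allows it succeeds without checking the DN at all.
            return self.allow_unauthenticated
        return self.passwords.get(dn) == password


def naive_login(directory: FakeDirectory, username: str, password: str,
                users_base: str) -> bool:
    """Mirrors the posted cfldap flow: interpolate, bind, trust the result."""
    dn = f"uid={username},{users_base}"
    return directory.simple_bind(dn, password)


def safe_login(directory: FakeDirectory, username: str, password: str,
               users_base: str) -> bool:
    """The same flow with the two application-side checks added."""
    if username == "" or password == "":
        # Never send an empty password: on a permissive server the bind
        # "succeeds" as anonymous and the user is let in with no credential.
        return False
    return directory.simple_bind(build_user_dn(username, users_base), password)


if __name__ == "__main__":
    base = "ou=people,dc=example,dc=com"          # constructed base DN
    d = FakeDirectory({"uid=alice," + base: "s3cret"})
    print("naive, blank password:", naive_login(d, "alice", "", base))     # True: the trap
    print("safe,  blank password:", safe_login(d, "alice", "", base))      # False
    print("safe,  real password: ", safe_login(d, "alice", "s3cret", base))  # True
    print("escaped dn:", build_user_dn("smith,ou=admins", base))
```

With a real client the `simple_bind` call is the library's bind (or cfldap's `username`/`password` attributes); the blank-password check and the escaping happen before it, in the application, regardless of how the server is configured.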