Thanks for the latest changes, Saul. Your implementation is a little different from mine:
;; Assumes (:import [com.unboundid.ldap.sdk LDAPException ResultCode])
;; and that clj-ldap's bind-request helper is in scope.
(defn bind-connection
  "Change the identity of an existing connection."
  [connection bind-dn password]
  (let [bind-result (.bind connection
                           (bind-request {:bind-dn bind-dn :password password}))]
    (if (= ResultCode/SUCCESS (.getResultCode bind-result))
      connection
      (throw (LDAPException. bind-result)))))

This enables the application code to handle the exception appropriately (was the return value false because of invalid credentials, or because of some other reason?). It also (I hope) provides the capability to take a connection from the pool, change its identity and perform some subsequent action(s) such as changing attribute values. I haven't yet confirmed if what I have above will work in the way I describe, but I'm pretty confident that you'll want a connection returned by the bind/bind-connection function.

A naive authentication scheme could be implemented by the application like so:

;; Assumes (:require [clj-ldap.client :as ldap])
;;         (:use [clojure.contrib.strint :only [<<]])
;; and that conn and base-dn are defined elsewhere.
(defn can-bind? [attribute value password]
  (let [search-result (ldap/search conn base-dn
                                   {:filter (<< "(~{attribute}=~{value})")
                                    :attributes [:dn]})]
    (try
      (ldap/bind-connection conn (:dn (first search-result)) password)
      true
      (catch Exception _ false))))

i.e.

(can-bind? "uid" "joe" "supersecretpassword")

I'm a complete beginner at Clojure (and LDAP for that matter), and there are a number of things that I'm wondering about, such as binding to a server-set, where failure to bind due to the unavailability of one or more members causes a bind request to be sent to the next.

The thing I'm struggling with at the moment is how to manage connection state as its identity is changed for each new bind. In particular, I want to use getConnection() to retrieve the bind connection from the pool so it can be reused (which isn't currently happening), before calling the releaseConnection() method.

Sorry for not getting the above to you earlier - I've been spending a lot of time in the REPL trying to get this right.
1:50 on Monday morning now though, so I think I'll have to reluctantly step away from the computer.

Regards,
Paul

On Mar 20, 11:34 pm, Saul Hazledine <shaz...@gmail.com> wrote:
> On Mar 16, 9:30 am, Ray Miller <r...@1729.org.uk> wrote:
> > On 15 March 2011 08:46, Saul Hazledine <shaz...@gmail.com> wrote:
> > > > On Mar 15, 1:30 am, Paul Dorman <paul.dor...@gmail.com> wrote:
> > > One thought though is that it may be quicker simply to do a lookup on the
> > > directory server, obtain the password and then do a compare. In
> > > OpenLDAP, posixUser uids are indexed by default. Java libraries are
> > > available for most password encryption algorithms. This is the
> > > approach I use - do you know of any problems with my method?
> >
> > Certainly when I was running LDAP servers we did not allow passwords
> > to be retrieved from the server, as they are then susceptible to an
> > offline dictionary attack. To authenticate users, you had to send a
> > bind request to the server.
>
> This is a very good point which I have added to the documentation.
>
> I have made the bind functionality public and released version 0.0.4
> of clj-ldap.
>
> Saul
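An added example, not code from this thread or from clj-ldap, of the bind-based check Ray describes, written against the UnboundID SDK that clj-ldap wraps. It assumes an `LDAPConnectionPool` and the SDK's `bindAndRevertAuthentication` method, which rebinds the pooled connection as the pool's own identity after the user bind, so the changed identity Paul is worried about never leaks back into the pool; `find-user-dn` and `can-bind?` are names chosen here.

```clojure
(ns example.ldap-auth
  (:import [com.unboundid.ldap.sdk LDAPConnectionPool SimpleBindRequest
            SearchRequest SearchResultEntry SearchScope Filter
            ResultCode LDAPException]))

(defn find-user-dn
  "Look up the single entry under BASE-DN whose ATTRIBUTE equals VALUE.
   Returns the DN, or nil when zero or more than one entry matches.
   Filter/createEqualityFilter escapes the value rather than splicing
   user input into filter text as a (<< \"(~{attribute}=~{value})\")
   string would."
  [^LDAPConnectionPool pool ^String base-dn ^String attribute ^String value]
  (let [filter  (Filter/createEqualityFilter attribute value)
        ;; "1.1" asks the server for no attributes; only the DN is needed.
        request (SearchRequest. base-dn SearchScope/SUB filter
                                (into-array String ["1.1"]))
        entries (.getSearchEntries (.search pool request))]
    (when (= 1 (count entries))
      (.getDN ^SearchResultEntry (first entries)))))

(defn can-bind?
  "Authenticate by binding as the user's DN, never by reading the stored
   password. Returns true only on ResultCode/SUCCESS, false on
   INVALID_CREDENTIALS, and rethrows any other LDAPException (server
   unavailable, referral, ...) so the caller can tell a wrong password
   from an outage. An empty password is refused up front: many servers
   treat a DN with an empty password as an anonymous bind that succeeds."
  [^LDAPConnectionPool pool base-dn attribute value ^String password]
  (if-let [dn (and (seq password)
                   (find-user-dn pool base-dn attribute value))]
    (try
      ;; Assumed SDK method: binds on a pooled connection, then re-binds it
      ;; as the pool's configured identity before handing it back.
      (= ResultCode/SUCCESS
         (.getResultCode
          (.bindAndRevertAuthentication pool (SimpleBindRequest. ^String dn password))))
      (catch LDAPException e
        (if (= ResultCode/INVALID_CREDENTIALS (.getResultCode e))
          false
          (throw e))))
    false))

;; (can-bind? pool "dc=example,dc=com" "uid" "joe" "supersecretpassword")
```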