Hi - is anyone maintaining any of these ldap libraries? I ask because:

- neither has updates in 2 years
- the underlying unboundid library now supplies a "bindAndRevertAuthentication" function that implements what was discussed previously in this thread - you can bind without mutating the existing connections (who'd have thought you'd need that? :)
- Paul's fork doesn't let you raise issues, and there are two unapplied pull requests, which makes me hesitant to do a patch myself.
There's also https://github.com/realestate-com-au/clj-ldap-auth by Mike Rowe, which seems a bit beta for our needs, but if the others are abandoned we might start working with that one. Or is there another library out there I missed? Surely there are lots of clojure folk doing ldap authentication!

- Korny

On 20 March 2011 23:55, Paul Dorman <paul.dor...@gmail.com> wrote:
> Thanks for the latest changes, Saul. Your implementation is a little
> different from mine:
>
> (defn bind-connection
>   "Change the identity of an existing connection."
>   [connection bind-dn password]
>   (let [bind-result (.bind connection (bind-request {:bind-dn bind-dn :password password}))]
>     (if (= ResultCode/SUCCESS (.getResultCode bind-result))
>       connection
>       (throw (LDAPException. bind-result)))))
>
> This enables the application code to handle the exception
> appropriately (was the return value false because of invalid
> credentials, or because of some other reason?). It also (I hope)
> provides the capability to take a connection from the pool, change its
> identity and perform some subsequent action(s) such as changing
> attribute values.
>
> I haven't yet confirmed if what I have above will work in the way I
> describe, but I'm pretty confident that you'll want a connection
> returned by the bind/bind-connection function. A naive authentication
> scheme could be implemented by the application like so:
>
> (defn can-bind?
>   [attribute value password]
>   (let [search-result (ldap/search conn base-dn {:filter (<< "(~{attribute}=~{value})") :attributes [:dn]})]
>     (try
>       (ldap/bind-connection conn (:dn (first search-result)) password)
>       true
>       (catch Exception _ false))))
>
> i.e. (can-bind? "uid" "joe" "supersecretpassword")
>
> I'm a complete beginner at Clojure (and LDAP for that matter), and
> there's a number of things that I'm wondering about, such as binding
> to a server-set, where failure to bind due to the unavailability of
> one or more members causes a bind request to be sent to the next. The
> thing I'm struggling with at the moment is how to manage connection
> state as its identity is changed for each new bind. In particular, I
> want to use getConnection() to retrieve the bind connection from the
> pool so it can be reused (which isn't currently happening), before
> calling the releaseConnection() method.
>
> Sorry for not getting the above to you earlier - I've been spending a
> lot of time in the REPL trying to get this right. 1:50 on Monday
> morning now though, so I think I'll have to reluctantly step away from
> the computer.
>
> Regards,
> Paul
>
> On Mar 20, 11:34 pm, Saul Hazledine <shaz...@gmail.com> wrote:
> > On Mar 16, 9:30 am, Ray Miller <r...@1729.org.uk> wrote:
> > > On 15 March 2011 08:46, Saul Hazledine <shaz...@gmail.com> wrote:
> > > > On Mar 15, 1:30 am, Paul Dorman <paul.dor...@gmail.com> wrote:
> > > > > One thought though is that it may be quicker to simply do a lookup on
> > > > > the directory server, obtain the password and then do a compare. In
> > > > > OpenLDAP, posixUser uids are indexed by default. Java libraries are
> > > > > available for most password encryption algorithms. This is the
> > > > > approach I use - do you know of any problems with my method?
> > >
> > > Certainly when I was running LDAP servers we did not allow passwords
> > > to be retrieved from the server, as they are then susceptible to an
> > > offline dictionary attack. To authenticate users, you had to send a
> > > bind request to the server.
> >
> > This is a very good point which I have added to the documentation.
> >
> > I have made the bind functionality public and released version 0.0.4
> > of clj-ldap.
> >
> > Saul
>
> --
> You received this message because you are subscribed to the Google
> Groups "Clojure" group.
> To post to this group, send email to clojure@googlegroups.com
> Note that posts from new members are moderated - please be patient with
> your first post.
> To unsubscribe from this group, send email to
> clojure+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/clojure?hl=en

--
Kornelis Sietsma
korny at my surname dot com
http://korny.info
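The approach the thread converges on, worked through in Clojure against the UnboundID SDK: authenticate by asking the directory to bind as the user (Ray's point about never pulling password hashes out of the server), and do it through the pool's bindAndRevertAuthentication so the pooled connection's identity is restored afterwards (the function Korny mentions). This is an added example, not code from clj-ldap, Paul's fork, clj-ldap-auth or anyone on the thread; the host, port, base DN, service account and pool size are assumed placeholders, and the names make-pool, find-dn and authenticate are this example's own.

```clojure
(ns example.ldap-auth
  (:require [clojure.string :as str])
  (:import (com.unboundid.ldap.sdk LDAPConnection LDAPConnectionPool
                                    SimpleBindRequest SearchScope Filter
                                    LDAPException ResultCode)))

;; Placeholder settings (assumed, not from the thread). The service account
;; only needs permission to search for users; it never reads password attributes.
(def ^:private ldap-host "ldap.example.org")
(def ^:private ldap-port 389)
(def ^:private base-dn "ou=people,dc=example,dc=org")
(def ^:private service-dn "cn=svc-auth,ou=services,dc=example,dc=org")
(def ^:private service-password "placeholder-service-password")

(defn make-pool
  "Open one connection bound as the service account and grow it into a pool.
   Every connection the pool hands out carries the service identity."
  []
  (let [conn (LDAPConnection. ldap-host ldap-port service-dn service-password)]
    (LDAPConnectionPool. conn 5)))

(defn find-dn
  "Resolve a login attribute/value pair to exactly one DN, or nil.
   Filter/createEqualityFilter escapes the assertion value, so a login name
   supplied by the user cannot change the structure of the filter the way
   string interpolation into \"(~{attribute}=~{value})\" would allow.
   Requesting only \"1.1\" asks the server for no attributes, just DNs."
  [^LDAPConnectionPool pool attribute value]
  (let [filter (Filter/createEqualityFilter attribute value)
        result (.search pool base-dn SearchScope/SUB filter
                        (into-array String ["1.1"]))]
    (when (= 1 (.getEntryCount result))
      (.getDN (first (.getSearchEntries result))))))

(defn authenticate
  "Verify a password by binding as the user on a pooled connection.
   Returns :ok, :invalid-credentials, :unknown-user, :empty-password or :error.
   bindAndRevertAuthentication performs the user bind and then re-binds the
   connection as the service account before it goes back to the pool, so a
   later caller never inherits a user's identity (the mutation problem Paul
   describes with getConnection/releaseConnection)."
  [^LDAPConnectionPool pool attribute value password]
  (cond
    ;; A simple bind with a DN and an empty password is treated by LDAP servers
    ;; as an anonymous bind, which succeeds. Reject it before it reaches the
    ;; server rather than relying on the server or SDK to do so.
    (str/blank? password) :empty-password

    :else
    (if-let [dn (find-dn pool attribute value)]
      (try
        (.bindAndRevertAuthentication pool (SimpleBindRequest. dn password))
        :ok
        (catch LDAPException e
          (if (= ResultCode/INVALID_CREDENTIALS (.getResultCode e))
            :invalid-credentials
            ;; Anything else (server down, referral, etc.) is an error, not a
            ;; failed login; callers should not present it as "wrong password".
            :error)))
      :unknown-user)))

(comment
  ;; Usage, equivalent to Paul's (can-bind? "uid" "joe" "supersecretpassword"):
  (def pool (make-pool))
  (authenticate pool "uid" "joe" "supersecretpassword")
  (.close pool))
```

The distinct result keywords let the application log the real cause (Paul's "was it invalid credentials, or something else?") while still showing the end user a single generic failure message. The LDAPConnection constructor used here opens a plaintext connection; the SDK also accepts a socket factory for LDAPS, which is what a deployment sending passwords in bind requests should use.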