Using An Ldap Directory For Security Information - MACROMEDIA COLDFUSION MX 61-DEVELOPING COLDFUSION MX Develop Manual

Developing coldfusion mx applications
Using an LDAP Directory for security information

LDAP directories are often used to store security information. The following example of an Application.cfm page with a cflogin tag checks an LDAP directory to authenticate the user and retrieve the user's roles.

This example queries the LDAP directory twice, first as the directory manager, then with the user's identity:

The first query uses the identity of the directory manager as the username attribute. This query gets the distinguished name that corresponds to the user-supplied user ID. Using the directory manager's identity ensures that there will be a valid response for any user ID in the directory.

The second query accesses the directory with the distinguished name from the first query as the username attribute, and the user-supplied password as the password attribute. This query succeeds, and thereby authenticates the user, only if the user's password allows that user to access the directory. In other words, the application uses the user's LDAP directory password as its own password.

For more information on using LDAP directories with ColdFusion, see Chapter 23, "Managing LDAP Directories," on page 477.

<cfapplication name="Orders" sessionmanagement="Yes" loginStorage="Session">
<cflogin>
  <cfif isDefined("cflogin")>
    <!--- setting basic attributes --->
    <cfset LDAP_root = "o=mycompany.com">
    <cfset LDAP_server = "ldap.mycompany.com">
    <cfset LDAP_port = "389">
    <!--- These attributes are used in the first search. --->
    <!--- This filter will look in the objectclass for the user's ID. --->
    <cfset userfilter = "(&(objectclass=*)(uid=#cflogin.name#))">
    <!--- Need directory manager's cn and password to get the user's
      password from the directory --->
    <cfset LDAP_username = "cn=Directory Manager">
    <cfset LDAP_password = "password">
    <!--- Search for the user's dn information. This is used later to
      authenticate the user.
      NOTE: Do this as the Directory Manager to ensure access to the
      information --->
    <cftry>
      <cfldap action="QUERY"
        name="userSearch"
        attributes="dn"
        start="#LDAP_root#"
        scope="SUBTREE"
        server="#LDAP_server#"
        port="#LDAP_port#"
        filter="#userfilter#"
        username="#LDAP_username#"
        password="#LDAP_password#"
      >
      <cfcatch type="Any">
        <cfset UserSearchFailed = true>
      </cfcatch>
    </cftry>
    <!--- If user search failed or returns 0 rows, abort --->
    <!--- The failure flag is tested first because userSearch does not exist
      if cfldap threw an exception. --->
    <cfif isDefined("UserSearchFailed") OR NOT userSearch.recordcount>
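The filter in the example above places cflogin.name directly into the search filter, and the second query treats a successful bind as proof of identity. The following added example (not Macromedia's code) shows two checks that belong before the first cfldap call: escaping filter metacharacters as described in RFC 4515, and refusing an empty password, because RFC 4513 defines a simple bind with a DN and an empty password as an unauthenticated bind that a server may accept. The function names ldapEscapeFilterValue and isUsableLdapCredential and the sample values are assumptions made for illustration.

```cfml
<cfscript>
// Added example. Escape a value for use inside an LDAP search filter.
// The backslash is replaced first so the escapes added for the other
// characters are not escaped a second time.
function ldapEscapeFilterValue(value) {
    var s = Replace(value, "\", "\5c", "ALL");
    s = Replace(s, "*", "\2a", "ALL");
    s = Replace(s, "(", "\28", "ALL");
    s = Replace(s, ")", "\29", "ALL");
    return s;
}

// Refuse credentials that must never reach the directory:
// a blank user ID, an empty password, or control characters in the ID.
function isUsableLdapCredential(name, password) {
    if (Len(Trim(name)) EQ 0 OR Len(password) EQ 0) {
        return false;
    }
    if (REFind("[[:cntrl:]]", name) GT 0) {
        return false;
    }
    return true;
}
</cfscript>

<!--- Constructed sample values standing in for cflogin.name and
      cflogin.password --->
<cfset sampleName = "j*smith (temp)">
<cfset samplePassword = "">

<cfif NOT isUsableLdapCredential(sampleName, samplePassword)>
    <!--- Same outcome as a failed search: do not bind, do not log in --->
    <cfset UserSearchFailed = true>
    <cfoutput>Login refused before any directory query.</cfoutput>
<cfelse>
    <!--- Drop-in form of the userfilter line from the example --->
    <cfset userfilter =
        "(&(objectclass=*)(uid=#ldapEscapeFilterValue(sampleName)#))">
    <cfoutput>#HTMLEditFormat(userfilter)#</cfoutput>
</cfif>
```

In Application.cfm, the cfscript block goes before the cflogin tag, and cflogin.name and cflogin.password take the place of the sample values.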
