Adobe COLDFUSION 9 Manual page 480

DEVELOPING COLDFUSION 9 APPLICATIONS
Accessing and Using Data
About LDAP Server Security
ColdFusion uses Java Native Directory Interface (JNDI), the LDAP provider, and an SSL package to create the client
side of an SSL communication. The LDAP server provides the server side. The LDAP server that the cfldap tag
connects to using SSL holds an SSL server certificate, a certificate that is securely "signed" by a trusted authority and
identifies (authenticates) the sender. During the initial SSL connection, the LDAP server presents its server certificate
to the client. If the client trusts this certificate, the SSL connection is established and secure LDAP communication can
begin.
ColdFusion determines whether to trust the server by comparing the server's certificate with the information in the
jre/lib/security/cacerts keystore of the JRE used by ColdFusion. The ColdFusion default cacerts file contains
information about many certificate granting authorities. If you must update the file with additional information, you
can use the keytool utility in the ColdFusion jre/bin directory to import certificates that are in X.509 format. For
example, enter the following:
keytool -import -keystore cacerts -alias ldap -file ldap.crt -keypass bl19mq
The keytool utility initial keypass password is "change it". For more information on using the keytool utility, see the
Sun JDK documentation.
Once ColdFusion establishes secure communication with the server, it must provide the server with login credentials.
You specify the login credentials in the cfldap tag username and password attributes. When the server determines
that the login credentials are valid, ColdFusion can access the directory.
Using LDAP security
To use security, first ensure that the LDAP server supports SSL v2 security.
Specify the cfldap tag secure attribute as follows:
secure = "cfssl_basic"
For example:
<!--- Add a cn value over SSL; server and credentials come from variables. --->
<cfldap action="modify"
    modifyType="add"
    attributes="cn=Lizzie"
    dn="uid=lborden, ou=People, o=Airius.com"
    server="#myServer#"
    username="#myUserName#"
    password="#myPassword#"
    secure="cfssl_basic"
    port="636">
The port attribute specifies the server port used for secure LDAP communications, which is 636 by default. If you do
not specify a port, ColdFusion attempts to connect to the default, nonsecure, LDAP port 389.
Application security
To ensure application security, prevent outsiders from gaining access to the passwords that you use in cfldap tags. The
best way to do this is to use variables for your username and password attributes. You can set these variables on one
encrypted application page. For more information on securing applications, see "Securing Applications" on page 339.
Last updated 8/5/2010
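The following Python sketch is an added example, not part of the Adobe manual. It scans CFML source for cfldap tags and reports the two mistakes described above: a secure tag with no port attribute (which connects to nonsecure port 389) and username or password values written as literals instead of #variables#. The function names, finding labels and the second and third sample tags are constructed for illustration.

```python
import re

# One <cfldap ...> tag; quoted values may span lines or contain ">".
TAG_RE = re.compile(r"""<cfldap\b((?:"[^"]*"|'[^']*'|[^>"'])*)>""", re.IGNORECASE)
# name="value", name='value' or name=bare (for example server=#myServer#).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(body):
    """Map lower-cased attribute names to their raw values."""
    return {n.lower(): dq or sq or bare for n, dq, sq, bare in ATTR_RE.findall(body)}

def is_variable(value):
    """True when the whole value is a single #variable# reference."""
    return re.fullmatch(r"#[^#]+#", value.strip()) is not None

def audit_cfldap(source):
    """Return (tag_number, finding) pairs for every cfldap tag in source."""
    findings = []
    for i, m in enumerate(TAG_RE.finditer(source), start=1):
        a = parse_attrs(m.group(1))
        if a.get("secure", "").lower() != "cfssl_basic":
            findings.append((i, "no-ssl"))
        elif "port" not in a:
            # Without a port attribute the connection goes to nonsecure port 389.
            findings.append((i, "ssl-without-port"))
        for name in ("username", "password"):
            if name in a and not is_variable(a[name]):
                findings.append((i, "literal-" + name))
    return findings

# Constructed sample: the manual's tag, then two constructed problem cases.
SAMPLE = '''
<cfldap action="modify" modifyType="add" attributes="cn=Lizzie"
    dn="uid=lborden, ou=People, o=Airius.com"
    server=#myServer# username=#myUserName# password=#myPassword#
    secure="cfssl_basic" port=636>
<cfldap action="query" name="q" start="o=Airius.com" attributes="cn"
    server="#myServer#" username="#myUserName#" password="#myPassword#"
    secure="cfssl_basic">
<cfldap action="query" name="q2" start="o=Airius.com" attributes="cn"
    server="ldap.example.test" username="cn=admin" password="constructed-secret">
'''

if __name__ == "__main__":
    for tag_no, finding in audit_cfldap(SAMPLE):
        print(f"cfldap tag {tag_no}: {finding}")
```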