February 12, 2003
Getting User Management off our Back with LDAP
I'm in the final stages of completing an LDAP integration project that has been well worth the programming time and migration efforts.
For years we have maintained a user table with personal information about each user (id, name, email, password, etc.). All the typical challenges of maintaining users applied: password resets, email address changes. The bigger challenge was getting the lists of users from the registrar's office, creating all the accounts, getting passwords out, etc. Big headache at the start of each school year.
So about a year ago Tufts rolled out "Enterprise Authentication," an LDAP service that tapped into each of the university's systems and contained "the source" of user information. We were anxious to get onto that bandwagon.
I spent a month or so modifying our code and creating a few modules that could be tacked on to our authentication process (which was hard-coded to check against MySQL). After the modifications we were able to slip any number of modules into our configuration and the system would walk through each one. Once that was done we slipped an LDAP module (which uses OpenLDAP) in front of our MySQL module and relieved ourselves of most of the user-management responsibilities.
The last piece of this is getting authorization information from LDAP. Up to now we've only verified that the user can authenticate on LDAP and let them into our system either as an existing user with an authorization set, or as a public user with access to limited resources. With this final piece we will pull information from LDAP that will allow us to assign a role to the user, which comes with a set of authorization permissions.
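To make the two ideas above concrete (a chain of pluggable authentication modules with LDAP in front of the legacy database, and a role assigned from directory attributes), here is an added example. It is not the site's code and it talks to no real OpenLDAP or MySQL server: both backends are in-memory stand-ins with constructed users, the attribute name `eduPersonAffiliation` and the role/permission names are assumptions, and the password hashing in the legacy module is a choice made for the example.

```python
"""Pluggable authentication chain: LDAP-style module first, legacy
database-style module second, with a role derived from directory attributes.

Added example, not the original site's code. Both backends are in-memory
stand-ins with constructed data, so it runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    OK = "authenticated"      # this module verified the credentials
    UNKNOWN = "unknown user"  # this module has no record; try the next one
    DENIED = "bad password"   # user exists here but the password is wrong


@dataclass
class Principal:
    username: str
    source: str               # which module vouched for the user
    role: str = "public"
    permissions: frozenset = field(default_factory=frozenset)


# Role -> permission set. Names are assumptions for the example.
ROLE_PERMISSIONS = {
    "faculty": frozenset({"read", "post", "grade"}),
    "student": frozenset({"read", "post"}),
    "public":  frozenset({"read"}),
}
ROLE_PRECEDENCE = ["faculty", "student"]  # pick the highest affiliation present

# Constructed stand-in for the campus directory. eduPersonAffiliation is an
# eduPerson-schema attribute widely used at universities; values are made up.
FAKE_DIRECTORY = {
    "jsmith": {"userPassword": "s3cret-ldap", "eduPersonAffiliation": ["student"]},
    "mprof":  {"userPassword": "lecture-pw",  "eduPersonAffiliation": ["student", "faculty"]},
}


def _hash_password(password, salt):
    """PBKDF2 for the legacy table (an example choice, not the page's scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


# Constructed legacy user table: username -> (salt, pbkdf2 hex, role).
# "jsmith" also has a stale local entry to show the chain does not fall back to it.
FAKE_USER_TABLE = {
    "legacy_admin": ("salt-1", _hash_password("admin-pw", "salt-1"), "faculty"),
    "jsmith":       ("salt-2", _hash_password("old-pw", "salt-2"), "student"),
}


class LdapModule:
    """Simulates an LDAP simple bind against the stand-in directory."""
    name = "ldap"

    def __init__(self, directory):
        self.directory = directory

    def authenticate(self, username, password):
        entry = self.directory.get(username)
        if entry is None:
            return Outcome.UNKNOWN, None
        if not hmac.compare_digest(entry["userPassword"], password):
            return Outcome.DENIED, None
        affiliations = entry.get("eduPersonAffiliation", [])
        role = next((r for r in ROLE_PRECEDENCE if r in affiliations), "public")
        return Outcome.OK, Principal(username, self.name, role, ROLE_PERMISSIONS[role])


class DbModule:
    """Simulates the old MySQL check, kept behind LDAP for legacy accounts."""
    name = "mysql"

    def __init__(self, table):
        self.table = table

    def authenticate(self, username, password):
        row = self.table.get(username)
        if row is None:
            return Outcome.UNKNOWN, None
        salt, digest, role = row
        if not hmac.compare_digest(_hash_password(password, salt), digest):
            return Outcome.DENIED, None
        return Outcome.OK, Principal(username, self.name, role, ROLE_PERMISSIONS[role])


class AuthChain:
    """Walks the configured modules in order."""

    def __init__(self, modules):
        self.modules = list(modules)

    def login(self, username, password):
        for module in self.modules:
            outcome, principal = module.authenticate(username, password)
            if outcome is Outcome.OK:
                return principal
            if outcome is Outcome.DENIED:
                return None  # a module knows this user and rejected the password
        return None  # no module recognised the user


def build_default_chain():
    return AuthChain([LdapModule(FAKE_DIRECTORY), DbModule(FAKE_USER_TABLE)])


if __name__ == "__main__":
    chain = build_default_chain()
    print(chain.login("mprof", "lecture-pw"))
    print(chain.login("jsmith", "old-pw"))  # None: LDAP denies, chain stops
```

One design choice worth noting: each module reports "unknown user" separately from "bad password", and the chain only moves on for the former. That way a stale password in the legacy table cannot be used once the same account exists in the directory, which is the situation the migration creates for every user who was in both systems.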
Posted by mike at February 12, 2003 9:23 AM