LDAP用户和Web应用程序 [英] LDAP users and web application
问题描述
我们构建了一个Web应用程序(在Intranet上运行),该应用程序为其用户依赖LDAP目录(活动目录).与其在应用数据库(MySQL)中使用用户"表与目录"用户不同步",我们使用LDAP目录就像使用数据库一样.
We built a web application (running on our intranet) that relies on our LDAP directory (active directory) for it's users. Instead of 'syncing' the directory users with say a 'user' table in our application database (MySQL) we use the LDAP directory just like we use databases.
在从MySQL拉出的实体和LDAP用户之间创建关系时,我们使用用户GUID(这是唯一的字符串).
When creating a relation between an entity pulled from MySQL and an LDAP user we use the user GUID (which is a unique string).
我们的目录永远不会有超过300个用户(从来没有).我们安装了专用的DC(域控制器)来满足我们的应用程序要求.网络延迟不是问题.
Our directory will never have more than 300 users (never). We installed a dedicated DC (Domain Controller) to serve our application request. Network latency is not an issue.
在我们的代码中,我们可以替换几行代码,从使用LDAP切换到使用MySQL和用户"表(数据映射器很棒)
In our code we could replace a few lines of code to switch from using LDAP to using MySQL and a 'user' table (data mappers are awesome)
您要执行此操作(不同步用户"表)吗?您对此有何反对意见(这样做的方式)?
Would you do this (no 'user' table syncing)? What are your arguments against this (way of doing it)?
修改
我们确实使用了'user'表,但是它非常简单,因此sql join并不是一个真正的问题,我们知道使用 full 用户表将具有更好的性能但正在寻找其他反对使用LDAP的论点
We do use a 'user' table but it's very simple so sql joins are not really a problem, we know it will have better perfomance with a full user table but are looking for other arguments against using LDAP
CREATE TABLE `user` (
`_id` int(4) unsigned NOT NULL AUTO_INCREMENT,
`guid` varchar(255) NOT NULL,
PRIMARY KEY (`_id`)
);
推荐答案
我不会这样做.除了每次登录时输入的密码外,我都会同步用户数据.这样,您就可以在其数据库中存储应用程序的当前数据,并且可以使用数据库联接功能来获取所有相关信息,而无需查询其他系统.我只会使用LDAP进行身份验证,也许只使用基于LDAP组的授权模型.
I would not do it. I would sync the users data except for the password on every login. That way you have the current data of your application in its database and you can use your databases join features to get all the relevant information without going to query different systems. I'd only use LDAP for authentication and perhaps a model of LDAP-Group based authorization.
- 这样,您无需麻烦密码和任何密码 政策.
- 登录后,您完全独立于LDAP服务器.
- 缺少的LDAP服务器不会影响仅已登录的新用户 登录将不起作用.
- That way you do not need to hassle with passwords and any password policies.
- And after login you are completely independent from the LDAP-server.
- A missing LDAP server won't affect already logged in users only new logins would not work.
即使objectGUID是唯一的,它在整个LDAP中也是唯一的,而不一定是您的应用程序.
And even though the objectGUID is unique it is unique throughout your LDAP and not necessarily your application.
我们经常遇到这样的问题:在LDAP中,我们是新创建的用户,而不是在用户名更改时(由于婚姻或离婚)而被重命名.但是在这种情况下,您可能不想在应用程序中创建新用户.使用您自己的用户表,您可以简单地为用户更改ObjectGUID,并且用户的应用程序内部ID保持不变,但是链接到LDAP中的一个全新用户.
We often have the issue that in LDAP a user us newly created instead of renamed when the users name changes (due to marriage or divorce f.i.). But you might not want to create a new user in that case in your app. With your own users table you can simply change the ObjectGUID for a user and the users app-internal id stays the same but links to a completely new user in LDAP.
这篇关于LDAP用户和Web应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
