05 May 2010

LDAP, she is a beach

Several techy posts coming out in the near future.

Yesterday I finally cracked an annoying problem I've been working on, off and on, since I came to Japan: how to have your web app authenticate against Active Directory. It wouldn't have been so hard except that our SysAdmin insisted it was absolutely impossible and would require buying another piece of hardware or two, etc. etc. Of course, that's all totally untrue: every AD domain controller is an LDAP server (port 389, or 636 for LDAPS), and a web app can verify a user's password simply by attempting an LDAP bind with it. One caveat before you try that: a simple bind sends the password in cleartext, so do it over LDAPS or StartTLS, never over plain 389. But man, LDAP, despite the "L" standing for "Lightweight", is the last of the dinosaur protocols. Everything is wrapped in five levels of obscurity and indirection with a verbose syntax. If you ever had any exposure to the OSI protocol stack or X.400 mail protocols you'll feel right at home. Should you be cursed to figure this out in your own network environment, start by downloading Apache Directory Studio; it will save lots of time.

Expressions are the best part. When building a search, you need to express a filter, not unlike a SQL WHERE clause. Their solution (RFC 4515) is indeed logical but produces the oddest text since full-on LISP. It's a prefix notation where every level of the expression tree, including the single operand of a "!", is enclosed in its own parentheses. Thus, for "object representing a user whose account name is mary or bob and whose account is not expired" we get

(&(objectClass=user)(|(sAMAccountName=mary)(sAMAccountName=bob))(!(accountExpires=*)))

SQL has never looked so good.

Two AD-specific gotchas while we're here. The attributes really are called objectClass and sAMAccountName, and accountExpires is always present, holding 0 or 9223372036854775807 for "never expires", so a real "not expired" test has to compare that FILETIME value against the current time rather than check for its absence. And if any of those account names come from a login form, escape them per RFC 4515 before splicing them into the filter, or a value like "mary)(objectClass=*" walks right into your query.
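Here is an added example, not code from the original post, of building these filters from a small set of helpers that emit the prefix notation and escape every value per RFC 4515, so a hostile account name cannot change the shape of the filter. It goes a bit beyond the post's filter: it encodes the real accountExpires comparison (a FILETIME, 100-ns ticks since 1601, with 0 and 2**63-1 meaning "never") and adds the usual "not disabled" check via AD's bitwise-AND matching rule. The attribute names and OID are standard Active Directory; everything else is assumed for illustration.

```python
# Added example, not from the original post: AD search filters in RFC 4515
# prefix notation, with value escaping so "mary)(objectClass=*" stays a
# literal account name instead of becoming a new filter term.
from datetime import datetime, timezone
from typing import Iterable

# RFC 4515 requires these characters in assertion values to be hex-escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Return value with filter metacharacters escaped so it matches literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    return f"({attr}={escape_value(value)})"


def ge(attr: str, value: str) -> str:
    return f"({attr}>={escape_value(value)})"


def and_(*items: str) -> str:
    return "(&" + "".join(items) + ")"


def or_(*items: str) -> str:
    return "(|" + "".join(items) + ")"


def not_(item: str) -> str:
    # The operand of "!" must itself be a parenthesised filter.
    return "(!" + item + ")"


# accountExpires is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 2**63 - 1          # AD stores this (or 0) for "never expires"
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 2              # userAccountControl flag bit


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to FILETIME ticks using exact integer arithmetic."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def not_expired(now: datetime) -> str:
    """accountExpires is always present, so 'not expired' is a comparison, not a presence test."""
    return or_(
        eq("accountExpires", "0"),
        eq("accountExpires", str(NEVER_EXPIRES)),
        ge("accountExpires", str(to_filetime(now))),
    )


def not_disabled() -> str:
    """Bitwise-AND extensible match: the ACCOUNTDISABLE bit must not be set."""
    return not_(eq(f"userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:", str(UF_ACCOUNTDISABLE)))


def active_users_filter(names: Iterable[str], now: datetime) -> str:
    """Users named in `names` whose accounts are neither expired nor disabled."""
    return and_(
        eq("objectClass", "user"),
        or_(*(eq("sAMAccountName", n) for n in names)),
        not_expired(now),
        not_disabled(),
    )


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(active_users_filter(["mary", "bob"], now))
    # A hostile value is neutralised rather than becoming a new filter term:
    print(active_users_filter(["mary)(objectClass=*"], now))
```

The escaping is the part that matters for security: without it, the "(|...)" of account names is exactly where an attacker-controlled login field gets spliced into the query, and an unescaped ")" or "*" rewrites the tree. The FILETIME helper uses integer arithmetic on purpose, since tick counts around 1.2e17 exceed what a double represents exactly.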
