Question
I have a peculiar case to work on. We are using a proprietary product which supports LDAP integration.
However, it can be configured to use only one LDAP service (most products are shipped that way).
Now, our customers want to log in to this product with their own authentication authority.
So, the question is: am I looking at single sign-on?
We basically need some service which can sync all these authentication services (e.g. Windows Active Directory, Tivoli Access Manager, Red Hat Directory Server, and many more) and then integrate with our application.
Explanation / Answer
If your application is constrained to a single LDAP server and does not have its own pluggable authentication, you will need a directory server with a pluggable back end. This architecture enables a single directory server to access multiple types of account databases/directories and expose them via LDAP. I would recommend OpenLDAP for this purpose.
Since the three products you mention are implementations of LDAP and are generally compliant, you can proxy those services using OpenLDAP's Metadirectory backend.
For services which aren't LDAP-compliant, you can use the Perl/Shell backend. The Java API may be a more stable long-term solution, but you can quickly prototype solutions with Perl by creating a module for OpenLDAP and importing other open-source Perl packages to do the heavy lifting of authentication. This backend also allows executing external binaries via the shell.
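As an added illustration of the proxying architecture described in the answer (this is an example configuration, not the answerer's own and not taken from any OpenLDAP distribution), the following `slapd.conf` fragment puts three separate directories behind one OpenLDAP instance using the `meta` backend. Each remote directory is mounted under its own `ou=` branch of a single virtual suffix, so the application only ever sees one LDAP server and one base DN. All host names, suffixes, DNs and credentials are constructed placeholders.

```conf
# slapd.conf fragment (constructed example). One OpenLDAP instance exposes three
# independent directories under the virtual suffix dc=proxy,dc=example.
include    /etc/openldap/schema/core.schema
include    /etc/openldap/schema/cosine.schema
include    /etc/openldap/schema/inetorgperson.schema

# back-meta is layered on back-ldap; load both when slapd uses dynamic modules.
modulepath /usr/lib/openldap
moduleload back_ldap.la
moduleload back_meta.la

database   meta
suffix     "dc=proxy,dc=example"
rootdn     "cn=manager,dc=proxy,dc=example"
# Placeholder: generate a real hash with slappasswd and never store it in clear text.
rootpw     {SSHA}REPLACE-WITH-HASHED-PASSWORD

# Do not follow referrals handed back by the targets; the proxy, not the client,
# decides which directories are reachable.
chase-referrals no
# Re-bind to the target with the credentials the client presented, so the password
# is verified by the authoritative directory and never cached by the proxy.
rebind-as-user  yes

# Target 1: Active Directory, visible to the application as ou=ad,...
uri           "ldap://ad.corp.example/ou=ad,dc=proxy,dc=example"
suffixmassage "ou=ad,dc=proxy,dc=example" "dc=corp,dc=example"
# AD refuses anonymous searches; use a read-only service account for the
# pre-bind lookup only (mode=none keeps the user's own identity for the bind).
idassert-bind bindmethod=simple
              binddn="cn=ldap-proxy,ou=Service Accounts,dc=corp,dc=example"
              credentials="REPLACE-ME"
              mode=none

# Target 2: Red Hat Directory Server, visible as ou=rhds,...
uri           "ldap://rhds.corp.example/ou=rhds,dc=proxy,dc=example"
suffixmassage "ou=rhds,dc=proxy,dc=example" "dc=rhds,dc=example"

# Target 3: the LDAP directory behind Tivoli Access Manager, visible as ou=tam,...
# Use ldaps:// so credentials relayed by rebind-as-user are not sent in clear text.
uri           "ldaps://tam.corp.example/ou=tam,dc=proxy,dc=example"
suffixmassage "ou=tam,dc=proxy,dc=example" "o=tam,c=us"
```

The application is then configured with the proxy's host, the base `dc=proxy,dc=example` and a user search that covers all three `ou=` branches; `slapd-meta(5)` documents every directive used here, and the per-target `idassert-bind` block can be dropped for directories that permit anonymous search. Because the proxy now sits on the authentication path for every customer, its listener should be TLS-only and its service-account credentials should be read-only and rotated like any other shared secret.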