Posted by Gordon Burditt on 10/12/37 11:39
>I am considering a large project and they currently use LDAP on MS platform.
>It would be moved to a LAMP platform. OpenLDAP is an option though I have
>not used it before. I do feel fairly comfortable with my ability to use
>SESSIONS for authentication and access control.
>
>Would it be better to learn and use LDAP or can you REALLY have just as secure
>authentication and access control using Sessions?
This question seems a lot like "are you going to use roads or a
motor vehicle to go across town"? There's a good chance you will
want both.
LDAP as described here is functioning as a database of valid users
and passwords, and a method to check access. Alternatives might
include a MySQL database of users and passwords, a flat file, a
RADIUS server, or something hardcoded into code.
Issues like whether the passwords are encrypted when stored or
encrypted when transmitted are implementation details. If you want
it "secure", you have to describe the threat model. Is the problem
traffic sniffing? (encrypt passwords when transmitted) Or an
employee who walks off with a copy of the database (encrypt passwords
when stored). Sometimes it's not practical to do both.
You also need something that allows or disallows access to particular
pages. It also has the problem of grouping a set of accesses into
a "login session" as it is undesirable to make the user enter a
password on *every* page, and checking on every access can be
inefficient. PHP code with sessions is one way to do this. Apache
HTTP authentication is another (although it has disadvantages, like
not having a "logout" function). You can also use PHP code with
cookies. Or check IP addresses.
Gordon L. Burditt
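As an added illustration (not code from the original post or from either poster), here is a minimal PHP login built on sessions that separates the two concerns the reply distinguishes: passwords stored only as hashes (the "employee walks off with a copy of the database" threat) and a login session so the password is not re-entered on every page. Transport protection (the "traffic sniffing" threat) is left to TLS, so the session cookie is simply marked Secure. The `$users` array is a constructed stand-in for whichever user store is chosen (LDAP, MySQL, or a flat file); the page names `login.php` and `home.php` are assumptions.

```php
<?php
// Added example, not from the original post: session-based login for a LAMP stack.
// The user store below is constructed sample data standing in for LDAP/MySQL/flat file.
declare(strict_types=1);

// --- user store (constructed) -------------------------------------------
// Only the output of password_hash() is stored, never the plaintext password.
$users = [
    // In a real system this hash is computed once, at account creation.
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

function verify_credentials(array $users, string $username, string $password): bool
{
    // Verify against a dummy hash for unknown users so response timing does not
    // reveal whether the username exists.
    $hash = $users[$username] ?? password_hash('dummy-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return $ok && isset($users[$username]);
}

function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS (transport is TLS's job)
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    if (!verify_credentials($users, $username, $password)) {
        return false;
    }
    // Issue a fresh session id so a pre-login id cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    // The "logout" that HTTP Basic authentication lacks: drop server-side state
    // and expire the cookie.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function require_login(int $max_age = 3600): string
{
    // Called at the top of every protected page: a cheap check of the session,
    // no password re-entry and no round trip to the user store.
    $age = time() - ($_SESSION['login_time'] ?? 0);
    if (empty($_SESSION['user']) || $age > $max_age) {
        logout();
        header('Location: /login.php');   // assumed page name
        exit;
    }
    return $_SESSION['user'];
}

// --- usage: the login form handler (login.php, assumed) -------------------
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($users, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: /home.php');    // assumed page name
        exit;
    }
    http_response_code(401);
    echo 'Invalid username or password.';
}
```

Protected pages call `start_secure_session()` followed by `require_login()`; swapping the user store means replacing only `verify_credentials()` (for example with an LDAP bind), while the session handling that groups requests into one login stays the same.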