LDAP, multiple directories, enterprise

Hi Magnus

I'm not completely clear what your question is, but...

Making LDAP (and database) queries from a website is stateless. Each call will require authentication - as in the Rails-generated database.yml file.

You could have a model that authenticates the users against LDAP and caches relevant information - role, name, etc., etc. So it's available for the lifetime of their session.

At a large bank, I worked on an Active Directory reporting system. There were *some* real-time lookups, but most of the reporting work was staged in a SQL database. We had continuous jobs loading the database from the Active Directory.

The data wasn't up-to-the-minute fresh, but it was good enough for our needs. The advantage was that with a SQL database it was a lot easier to create the complex reports that were needed.

For you, it will depend on what data you need - only LDAP objects? Other data created by the users?

If the website is driven by a database (as opposed to LDAP), you'll also have a much smoother development with ActiveRecord, etc.

Downsides: every user has to come up with a password the first time they log in.

For this reason, a lot of businesses (with money to spend) are using single sign-on systems, i.e., the user can log in one time and get authenticated against a bunch of systems in one go.

Something like this would definitely do what you need, but also sounds like overkill - in cost and time. I'd keep it as simple as you can. Probably meaning that you would have your own authentication environment and not worry about connecting to others.

Good luck!
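Added example (not code from this thread) of the "authenticate against LDAP and cache role/name for the session" model described in the reply above, written in Ruby since the question is about a Rails site. The directory is an in-memory stand-in: FakeDirectory, the example.com DNs, the cn=admins group and the memberOf attribute are all assumptions. In a real app its search and bind would be replaced by calls to the directory server, for example through the net-ldap gem. Two checks matter more than the plumbing: the login name is escaped before it goes into the search filter, and an empty password is rejected before binding, because a simple bind with a DN and an empty password is an anonymous bind that many servers accept.

```ruby
# Added example: LDAP login for a Rails-style site with the user's role and
# name cached in the session. The directory is an in-memory stand-in; the
# DNs, the admin group and the attribute names are assumptions.

ADMIN_GROUP = 'cn=admins,ou=groups,dc=example,dc=com'

# RFC 4515 escaping for a value placed inside an LDAP search filter. Without
# it a login such as "*)(uid=*" rewrites the (uid=...) filter and can match
# other accounts, the LDAP analogue of SQL injection.
def escape_ldap_filter(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Inverse of the above, used only by the stand-in directory below.
def unescape_ldap_filter(value)
  value.gsub(/\\([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Constructed sample directory (DN => attributes); not real accounts.
FAKE_ENTRIES = {
  'uid=alice,ou=people,dc=example,dc=com' => {
    'uid' => 'alice', 'cn' => 'Alice Andersson',
    'userPassword' => 'correct horse', 'memberOf' => [ADMIN_GROUP]
  },
  'uid=bob,ou=people,dc=example,dc=com' => {
    'uid' => 'bob', 'cn' => 'Bob Berg',
    'userPassword' => 'hunter2', 'memberOf' => []
  }
}.freeze

# Stand-in for the directory server. A real deployment replaces search and
# bind with calls to Active Directory or OpenLDAP (e.g. via the net-ldap gem).
class FakeDirectory
  def initialize(entries)
    @entries = entries
  end

  # Equality search on uid; returns [dn, attrs] or nil.
  def search(filter)
    m = filter.match(/\A\(uid=(.*)\)\z/)
    return nil unless m
    uid = unescape_ldap_filter(m[1])
    @entries.find { |_dn, attrs| attrs['uid'] == uid }
  end

  # Simple bind: succeeds only for a known DN with the exact password.
  def bind(dn, password)
    entry = @entries[dn]
    !entry.nil? && entry['userPassword'] == password
  end
end

class LdapAuthenticator
  def initialize(directory, clock: -> { Time.now })
    @directory = directory
    @clock = clock
  end

  # Verifies the password against the directory and returns the profile
  # worth caching (role, name, DN), or nil on failure.
  def authenticate(username, password)
    # A simple bind with an empty password is an anonymous bind, which many
    # servers accept; reject it here rather than trusting the bind result.
    return nil if password.to_s.empty?
    found = @directory.search("(uid=#{escape_ldap_filter(username)})")
    return nil unless found
    dn, attrs = found
    return nil unless @directory.bind(dn, password)
    {
      'dn' => dn,
      'name' => attrs['cn'],
      'role' => attrs['memberOf'].include?(ADMIN_GROUP) ? 'admin' : 'user',
      'authenticated_at' => @clock.call.to_i
    }
  end

  # session is a Hash like Rails' session store. Returns true on success.
  def login(session, username, password)
    profile = authenticate(username, password)
    if profile
      session['ldap_profile'] = profile
      true
    else
      session.delete('ldap_profile')
      false
    end
  end

  # Serves the cached profile so ordinary requests never touch the directory;
  # after max_age seconds the user must log in again, so accounts disabled in
  # the directory drop out of the site too.
  def current_user(session, max_age: 8 * 3600)
    profile = session['ldap_profile']
    return nil unless profile
    return nil if @clock.call.to_i - profile['authenticated_at'] > max_age
    profile
  end
end
```

Usage: build one LdapAuthenticator per app, call login(session, name, password) from the login action, and current_user(session) everywhere else; only the login action talks to the directory. The max_age cap is the price of caching: role changes and disabled accounts are not seen until the cached profile expires, so keep it no longer than your session timeout.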

Isn't the use of SSO (in our case) a way so the user doesn't have to log in again (if they are logged in at their own municipality), but in the background our server still needs access to a user catalog of some kind?

Exactly that: your server would have to be part of the same authentication realm as the municipality.