4 Replies Latest reply on Jul 3, 2007 4:17 AM by Robert Hirst

    LDAP authentication

    portuguesedanny Level 1
      Hi All,

      Is it possible to have a user authenticate to an LDAP server from a Flex app?
      Ideally it would be from the Flex app via AMF to the LDAP server...

      If so, any pointers on how I would go about doing this?


        • 1. Re: LDAP authentication
          jtswork Level 1
          I also need this capability. It looks like you should be able to leverage the authentication on the browser and application server, as long as the app server has an LDAP authentication policy. It would seem that you just have to get Flex to POST to j_security_check the username and password. I've been looking for examples of this but no one seems to be doing it this way... perhaps for a good reason?
          • 2. Re: LDAP authentication
            Robert Hirst
            I had the need to authenticate users against an Active Directory, and had the option of using LDAP. But the way I found best on Tomcat was using the JCIFS library and patching into NTLM to authenticate against an Active Directory, which means users on the domain using IE don't have to type a password.

            I then make sure the Flex app is served over SSL and have a customised index template which passes the authenticated user to Flex as a parameter.

            The upshot is that users on the local network will be instantly authenticated, and remote users see a secure login prompt where they enter their domain password. The login box is the standard browser dialog, so it's not pretty, but it does the job for me.

            If you aren't using Active Directory, this may not be of use to you, but if you are and you want a few tips then reply here or message me with any problems you encounter.
            • 3. LDAP authentication
              jtswork Level 1
              Thanks a lot for the reply!

              My requirement is to provide the Flex app publicly, and allow the user to log in from the Flex app itself. Then I have to get the user's role to configure the Flex app to show specific content. I doubt this is the best way to go about doing something like this, but hey, these are my requirements and I can't change them.

              So from WITHIN the Flex app, users who haven't logged in will get a certain amount of content that is not user-specific. Once they log in, they will be able to access their private data. Basically what it's doing is taking the entire web presentation and putting it into Flex.

              I am hoping I can leverage the authentication on the app server itself (we're running WebLogic Server 10) and just hook it into the Flex app by having it POST to the login form with the j_security_check action. I've been looking around for someone else that's doing that, but it doesn't seem like anyone is... probably because it's a "bad" way of having users log in. Unfortunately, Flex Data Services are not an option to me at this point. I suppose if there's a really strong argument for them, I can convince the powers that be to allow me to use them, but for now, I am trying to find another way.
              • 4. Re: LDAP authentication
                Robert Hirst Level 1
                Well, Flex Data Services would probably be a good way, by restricting destinations based on role... but if you don't want to go down that route, then I'm sure there must be some method which works.

                The approach which appears to look most promising to me on paper (at least according to API specs) is to try and pass Authentication HTTP headers to the request for the navigateToUrl(..) method, so that when users hit login their browser will pass the headers containing their username and password.

                I notice in the API specs there is a list of HTTP headers which can't be sent, and that Authentication isn't listed as one of them; however, when I've tried setting that variable it seems to fail. It may have been my code at fault, but I haven't had much time to spend on it.

                So sending a POST to a form-based login does sound like a promising alternative, and one way you might be able to do this is using the navigateToUrl(..) technique with the POST vars set, but I haven't seen any examples of this working.

                I really think that the Data Services route is worth investigating, or perhaps one of the alternatives such as OpenAMF or WebORB which I confess I haven't had time to try out yet myself.
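
The form-based login discussed in replies 3 and 4, as an added example that is not part of the thread or any poster's code: it uses URLLoader rather than navigateToUrl(..) so the app stays loaded and can read the response. The base URL and the protected /secure/whoami resource (with its XML format) are hypothetical; j_username and j_password are the field names defined by the servlet specification, and the sketch assumes the SWF runs in the browser and is served from the same HTTPS origin, so the container's session cookie is shared.

```actionscript
package {
    import flash.events.*;
    import flash.net.*;
    public class FormLogin {
        // Hypothetical values: HTTPS base URL and a protected resource assumed to return <user><role>..</role></user>.
        private static const BASE:String = "https://app.example.com/myapp";
        private static const WHOAMI:String = BASE + "/secure/whoami";
        private var done:Function; // done(roles:Array), or done(null) on failure

        public function login(user:String, pass:String, callback:Function):void {
            done = callback;
            // 1. Touch the protected resource first: the container creates the
            //    session and saves the target; some containers reject a bare POST.
            send(new URLRequest(WHOAMI), function(e:Event):void {
                var roles:Array = rolesFrom(e);
                if (roles != null) { done(roles); return; } // session already authenticated
                // 2. Submit the field names fixed by the servlet specification.
                var form:URLVariables = new URLVariables();
                form.j_username = user;
                form.j_password = pass;
                var post:URLRequest = new URLRequest(BASE + "/j_security_check");
                post.method = URLRequestMethod.POST;
                post.data = form;
                // 3. On success the container redirects back to WHOAMI.
                send(post, function(e2:Event):void { done(rolesFrom(e2)); });
            });
        }

        // Returns the role names, or null when the body is not the <user> document (e.g. the HTML login or error page).
        private function rolesFrom(e:Event):Array {
            try {
                var doc:XML = new XML(URLLoader(e.target).data);
                if (doc.localName() != "user") return null;
                var roles:Array = [];
                for each (var r:XML in doc.role) roles.push(r.toString());
                return roles;
            } catch (err:Error) { /* body was not well-formed XML */ }
            return null;
        }
        private function send(req:URLRequest, ok:Function):void {
            var loader:URLLoader = new URLLoader();
            loader.addEventListener(Event.COMPLETE, ok);
            loader.addEventListener(IOErrorEvent.IO_ERROR, fail);
            loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, fail);
            loader.load(req);
        }
        private function fail(e:Event):void { done(null); }
    }
}
```

The role list returned here is only suitable for deciding what the Flex UI shows; the app server's own security constraints still have to protect every private resource, since anything decided inside the SWF can be bypassed by the client.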