How to use LDAP credentials offline?

Posted 2024-07-14 20:29:00


I would like to use an LDAP server (probably Apache directory) to manage logins and credentials for an application. From time to time the application needs to work offline (on a laptop) without a connection to the LDAP server.

What is the best way to replicate the credentials locally?

I have already thought about:

  • Using Mitosis to replicate the LDAP server on the laptop.

    But it would be a quite "heavy" and complicated solution. Moreover, Mitosis seems not to be finished yet.

  • Exporting the credentials as LDIF file that could be stored on the laptop.

    But I would need a way to check that the LDIF file actually comes from the LDAP server (the file should include a kind of signature). Moreover, I would like to reject LDIF files that haven't been updated for more than a week. It would be nice if I could avoid implementing signing and age checks myself.

Any other ideas or tools that could help me?

Edit: I had a look at Kerberos because the documentation of the Java Kerberos API seems to say that it is possible to use a cached ticket in a local cache, and I thought this might be a solution for me. Moreover, Kerberos can be added as a plugin to Apache Directory.
But the Kerberos cache stores decrypted tickets (aiming at sharing them with other applications). I would need the encrypted version of the ticket to be able to check the user password during an offline session. Conclusion: Kerberos doesn't offer a simple solution to my problem.


Comments (2)

青衫儰鉨ミ守葔 2024-07-21 20:29:00


Knowing that it will probably be OK if the user has to log on once online before being able to log on offline, consider the following algorithm:

  1. user provides your application with a (username + password)
  2. application attempts to contact LDAP for authentication
    • working online? (e.g. connection successful)
      1. application authenticates against LDAP using (username + password)
        • authentication successful?
          1. application stores or updates hash(password) as (cached_credentials) for (username) into local secure storage
          2. application proceeds as authenticated [[STOP]]
        • authentication failed?
          1. application proceeds as non-authenticated (incorrect credentials) [[STOP]]
    • working offline? (e.g. network error)
      1. application attempts to retrieve (cached_credentials) for (username) from local secure storage
        • (cached_credentials) exists AND more recent than (1 week)?
          1. application compares (cached_credentials) against hash(password)
            • match?
              1. application proceeds as authenticated [[STOP]]
            • no match?
              1. application proceeds as non-authenticated (incorrect credentials) [[STOP]]
        • (cached_credentials) does not exist OR less recent than (1 week)?
          1. application proceeds as non-authenticated (network error) [[STOP]]

This is (or was, IIRC), by the way, the same model employed by Windows NT+ for user authentication against domain controllers. Upon login, an attempt is made to authenticate against the domain controller and create or update the local (cached) version of the user profile. If the domain controller is not available, the user is prompted to proceed with authentication against the credentials captured in the local (cached) profile (if one exists).


EDIT

  • Yes, this is, in spirit, the same solution as copying an ldif file locally, except that you do not have to parse ldif when you're offline. :)
  • It is understood that you can store any additional attributes (permissions, etc.) in your cache
  • It is also understood that 'secure storage' is at least signed. :) You can do this easily enough with a SHA-1 hash and a secret, or you can use full-fledged cryptographic providers available on your platform (or in Java, if using Java). You do not need to encrypt it as long as no secret information is stored inside.

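The online/offline flow above, written out as an added example (not code from the answer): the cache entry is signed with an HMAC over the hash, salt and timestamp, the one-week freshness window is enforced on lookup, and a salted PBKDF2 hash stands in for the answer's plain hash(password). The LDAP call is a hypothetical callable that raises OSError when the server is unreachable, and CACHE_KEY is a constructed application secret.

```python
import hashlib
import hmac
import json
import os
import time

MAX_AGE = 7 * 24 * 3600                 # the answer's "more recent than 1 week"
CACHE_KEY = b"constructed-app-secret"   # hypothetical key held by the application

def _mac(entry: dict) -> str:
    # Sign the whole entry so an edited cache (hash, salt or timestamp) is rejected
    msg = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(CACHE_KEY, msg, hashlib.sha256).hexdigest()

def _pw_hash(password: str, salt: bytes) -> str:
    # Salted, iterated hash used in place of the answer's plain hash(password)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def cache_store(cache: dict, user: str, password: str, now: float) -> None:
    salt = os.urandom(16)
    entry = {"salt": salt.hex(), "hash": _pw_hash(password, salt), "ts": now}
    cache[user] = {"entry": entry, "mac": _mac(entry)}

def cache_lookup(cache: dict, user: str, now: float):
    """Return the cached entry only if its MAC verifies and it is under a week old."""
    rec = cache.get(user)
    if rec is None or not hmac.compare_digest(rec["mac"], _mac(rec["entry"])):
        return None
    return rec["entry"] if now - rec["entry"]["ts"] <= MAX_AGE else None

def login(cache: dict, ldap_auth, user: str, password: str, now=None) -> str:
    """ldap_auth(user, pw) -> bool; it raises OSError when the server is unreachable."""
    now = time.time() if now is None else now
    try:
        ok = ldap_auth(user, password)
    except OSError:                      # "working offline" branch
        entry = cache_lookup(cache, user, now)
        if entry is None:
            return "network-error"       # no usable (fresh, intact) cached credential
        salted = _pw_hash(password, bytes.fromhex(entry["salt"]))
        return "authenticated" if hmac.compare_digest(salted, entry["hash"]) else "bad-credentials"
    if ok:                               # "working online" branch
        cache_store(cache, user, password, now)
        return "authenticated"
    return "bad-credentials"
```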
苄①跕圉湢 2024-07-21 20:29:00


Here is the solution I decided to use (I have already described it in an edit to my question, but I would like to be able to accept an answer to "close" the question):

As I have not found another solution, I decided to use an LDIF export, add a timestamp as a comment at the beginning of the file and then sign the file. To sign the file I calculate a hash value (SHA-1) of the file + a secret key. The signature is added as a comment at the beginning of the file. To check the signature I remove the first line of the signed file and recalculate the hash value.
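The signed-export format described above, as an added example that is not the poster's code: a timestamp comment goes first, a signature comment is prepended over everything below it, and verification strips that first line and recomputes. It uses HMAC-SHA256 in place of the described "SHA-1 of file + secret key"; LDIF_KEY is a constructed shared secret and the LDIF record is constructed sample data.

```python
import hashlib
import hmac

LDIF_KEY = b"constructed-export-secret"   # hypothetical key shared by exporter and laptop
MAX_AGE = 7 * 24 * 3600                   # reject exports older than one week
SIG, STAMP = "# signature: ", "# exported-at: "

def sign_ldif(body: str, exported_at: int) -> str:
    """Prepend the timestamp comment, then a signature comment covering it and the body."""
    stamped = f"{STAMP}{exported_at}\n{body}"
    sig = hmac.new(LDIF_KEY, stamped.encode(), hashlib.sha256).hexdigest()
    return f"{SIG}{sig}\n{stamped}"

def verify_ldif(signed: str, now: int) -> str:
    """Return the LDIF body if signature and age check pass; raise ValueError otherwise."""
    first, _, rest = signed.partition("\n")     # drop the signature line, recompute over the rest
    if not first.startswith(SIG):
        raise ValueError("missing signature line")
    expected = hmac.new(LDIF_KEY, rest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(first[len(SIG):], expected):
        raise ValueError("bad signature")
    stamp_line, _, body = rest.partition("\n")
    if not stamp_line.startswith(STAMP):
        raise ValueError("missing timestamp line")
    if now - int(stamp_line[len(STAMP):]) > MAX_AGE:
        raise ValueError("export older than one week")
    return body

def rejects(signed: str, now: int) -> bool:
    """True when verify_ldif refuses the file (used to exercise the failure cases)."""
    try:
        verify_ldif(signed, now)
        return False
    except ValueError:
        return True

# Constructed sample record; the password value is a placeholder, not a real hash
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: alice\n"
    "userPassword: {SSHA}constructed-placeholder\n"
)
```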
