I'm a beginner with LDAP, and I want to use it in the future project with PostgreSQL database.

Suppose that I'll do the authentication with an LDAP server, so the user table will not be inserted in the PostgreSQL database. In the PostgreSQL database I'll have other tables that must be in relation with the identity of the user (which will be retrieved from LDAP), so I have to add a column named uid in each of these tables that stores the uid value of the user. Is my idea correct?

8
  • It is correct if it fits your requirements :) only you can answer that. Commented Dec 16, 2018 at 23:08
  • Yes. Makes sense. As long as the reference key (e.g. uid) is unique and will not be changed after it is created. The idea is to find a property in the LDAP user entry that will not be changed ... Commented Dec 17, 2018 at 6:39
  • @Gabriel: yes, it fits my requirements; as I said, I'm a beginner with LDAP, so I'm searching for the best way to make it communicate with the other database. :) Commented Dec 17, 2018 at 7:57
  • 1
    I can't recommend anything. We use Active Directory at work, so that's all I've ever used. I only ask because different servers will work differently (for example Active Directory doesn't use the uid attribute) Commented Dec 17, 2018 at 13:50
  • 1
    I added an answer with some recommendations. Commented Dec 17, 2018 at 15:29

1 Answer 1

2

What you describe is perfectly fine. Just be aware that which attribute you use as the unique identifier depends on which LDAP directory you are using.

I really only know Active Directory, which does not use the uid attribute at all. AD has a few attributes that are enforced unique:

  • distinguishedName: Describes where the object is in the directory. It looks something like: CN=Gabriel Luci,OU=Users,DC=domain,DC=com. This is common to LDAP in general, but might be called something different in other LDAP directories.
  • sAMAccountName: This is commonly referred to as the "username". It must be unique on the domain, but it can be changed.
  • userPrincipalName: Uses the format username@domain.com. This must be unique in the AD forest, but it can be changed (a "forest" is when there are multiple AD domains in the same organization).
  • objectSid: (usually just called the SID). It is stored as a byte array, but can be converted to a string that looks like S-1-5-32-##########-###########-##########-#####. This is what is used by Windows in security permissions to grant accounts permissions to files, etc. This cannot be changed.
  • objectGuid: A GUID that is automatically assigned when the account is created. This cannot be changed.

The first three are human-readable (they will usually have the person's name in it). The other two are not, but they also stay the same for the life of the object (if the person changes their name, the SID and GUID will still be the same).

Which one you use depends on your requirements. The distinguishedName is unique and allows you to bind directly to the object when you need to (as opposed to having to search for the sAMAccountName to find the account). But if you want something that will never change even if the person's name changes, then objectSid or objectGUID is best.
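The answer notes that objectSid and objectGuid come back from the directory as byte arrays and have to be converted before they are readable or safely comparable. The following Python is an added example (not part of the answer above or of any library the page mentions) showing how to decode both forms with only the standard library, and how an application might pick the value it stores in its own uid column, preferring the immutable identifiers the answer recommends and falling back to a plain uid attribute for non-AD directories. The byte strings, the attribute dictionary and the helper names are constructed for illustration; the SID and GUID binary layouts themselves are the documented Windows formats.

```python
import struct
import uuid

# Constructed sample values (not taken from the page): raw bytes as an AD server
# would return them. The SID bytes encode S-1-5-32-544 (the well-known
# BUILTIN\Administrators SID), chosen so the decoded result is easy to check.
SAMPLE_OBJECT_SID = bytes.fromhex("0102000000000005" "20000000" "20020000")
SAMPLE_OBJECT_GUID = bytes.fromhex("00112233445566778899aabbccddeeff")


def sid_bytes_to_string(raw: bytes) -> str:
    """Convert a binary objectSid into its textual S-1-... form.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes identifier
    authority (big-endian), then `count` sub-authorities (4 bytes each,
    little-endian). The length check rejects truncated or padded values
    instead of silently decoding garbage.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def guid_bytes_to_string(raw: bytes) -> str:
    """Convert a binary objectGuid into the usual hyphenated string.

    Windows stores the first three GUID fields little-endian, which is exactly
    what uuid.UUID's bytes_le constructor expects; using the plain bytes
    constructor would yield a GUID that does not match what AD tools display.
    """
    if len(raw) != 16:
        raise ValueError("GUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def stable_user_key(entry: dict) -> str:
    """Choose the identifier to persist in the application's uid column.

    `entry` is a hypothetical attribute dict as an LDAP client library would
    return it (attribute name -> raw value). Preference order follows the
    answer: an identifier that never changes (objectSid, then objectGuid)
    before a directory-specific uid attribute, and never the renamable
    sAMAccountName / userPrincipalName.
    """
    if "objectSid" in entry:
        return "sid:" + sid_bytes_to_string(entry["objectSid"])
    if "objectGuid" in entry:
        return "guid:" + guid_bytes_to_string(entry["objectGuid"])
    if "uid" in entry:  # typical for OpenLDAP-style directories
        value = entry["uid"]
        return "uid:" + (value.decode() if isinstance(value, bytes) else value)
    raise KeyError("no stable identifier attribute present in entry")


if __name__ == "__main__":
    ad_entry = {"sAMAccountName": "gluci", "objectSid": SAMPLE_OBJECT_SID,
                "objectGuid": SAMPLE_OBJECT_GUID}
    print(sid_bytes_to_string(SAMPLE_OBJECT_SID))
    print(guid_bytes_to_string(SAMPLE_OBJECT_GUID))
    print(stable_user_key(ad_entry))
    print(stable_user_key({"uid": b"jdoe"}))
```

The prefix added in stable_user_key ("sid:", "guid:", "uid:") is a design choice so that rows written before and after a directory migration cannot collide on coincidentally equal strings; alternatively, store the raw bytes in a bytea column and compare on those.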


1 Comment

Very interesting explanation ^_^ Big thanks.
