CFLDAP: JRun vs. JBoss gotcha
Posted by Joe Rinehart at 5:15 PM
5 comments | Categories: ColdFusion MX | Best Practices
One of the teams I'm working with right now is in the process of moving an application that was developed on CF7 + JRun to a CF8 + JBoss deployment stack. Overall, it's been pretty smooth, but we've found one gotcha.
Summary for <cfldap /> pros:
The error message sent back from the LDAP authentication attempt differs, so if you're testing what went wrong based on the error message / error code, you'll need to change what you're testing.
Details:
When using the <cfldap /> tag for authentication, the underlying LDAP implementation throws an error when username and password are invalid.
Basically, you have to try/catch your authentication. The most easily Googled example of this is a <cfldap /> snippet from a recently defunct ColdFusion "journal" to which I'd rather not link. It looks like this:
<cftry>
    <cfldap action="QUERY"
            name="AuthenticateUser"
            attributes="givenname,samaccountname,dn,cn,mail"
            start="dc=adtest,dc=com"
            maxrows="1"
            scope="subtree"
            filter="(&(objectclass=user)(samaccountname=#form.cfusername#))"
            server="ns1.adtest.com"
            username="#form.cfusername#@adtest.com"
            password="#form.cfpassword#">
    <cfset LoginMessage = "User Authentication Passed">
    <cfcatch type="any">
        <cfset LoginMessage = "User Authentication Failed">
    </cfcatch>
</cftry>
That's not a very good way to do it: it treats every error thrown during an authentication request as equivalent. Handling an "invalid password" error is very different from handling an "LDAP server isn't online" error: one should notify the user, the other should notify the user and set off a pager.
To that end, my use of LDAP authentication looks more like this:
<cftry>
    <cfldap ... />
    <cfcatch type="any">
        <!--- Invalid password or username --->
        <cfif cfcatch.message contains "Inappropriate Authentication">
            <!--- Do stuff --->
        <!--- LDAP server unreachable --->
        <cfelseif cfcatch.message contains "Connection to LDAP server failed.">
            <!--- Do more serious stuff --->
        </cfif>
    </cfcatch>
</cftry>
On JBoss, instead of "Inappropriate Authentication," you get "Authentication failed:[LDAP: error code 49 - Invalid Credentials]", which obviously threw our code for a loop.
Conclusion
Literals like these should be configured outside of code (yes, I slopped and used a magic string), and they're likely to change between environments.
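As an added example (not code from the original post), one way to get the magic strings out of the catch block: a per-environment table of message fragments that covers both the JRun wording and the JBoss wording quoted above, plus a small classifier that sends anything it does not recognise down the alerting path rather than treating it as a bad password. The pattern table and the helper name classifyLdapError are assumptions; the message fragments are the ones quoted in this post.

```cfml
<!--- Message fragments each LDAP provider returns per failure class.
      Constructed example: load this from a per-environment config file
      instead of hard-coding it beside the authentication logic. --->
<cfset ldapErrorPatterns = {
    invalidCredentials = ["Inappropriate Authentication",   <!--- JRun --->
                          "LDAP: error code 49"],           <!--- JBoss --->
    serverUnavailable  = ["Connection to LDAP server failed"]
} />

<!--- Map a caught exception message to a failure class. Anything not
      matched returns "unknown", so a new message text on a new stack
      fails toward the alerting path, not toward "bad password". --->
<cffunction name="classifyLdapError" returntype="string" output="false">
    <cfargument name="message" type="string" required="true" />
    <cfargument name="patterns" type="struct" required="true" />
    <cfset var category = "" />
    <cfset var i = 0 />
    <cfloop collection="#arguments.patterns#" item="category">
        <cfloop from="1" to="#arrayLen(arguments.patterns[category])#" index="i">
            <cfif findNoCase(arguments.patterns[category][i], arguments.message)>
                <cfreturn category />
            </cfif>
        </cfloop>
    </cfloop>
    <cfreturn "unknown" />
</cffunction>

<cftry>
    <!--- Same attributes as the first example above. --->
    <cfldap ... />
    <cfset loginMessage = "User Authentication Passed" />
    <cfcatch type="any">
        <cfset failure = classifyLdapError(cfcatch.message, ldapErrorPatterns) />
        <cfswitch expression="#failure#">
            <cfcase value="invalidCredentials">
                <!--- Notify the user only; one message for bad user or bad password. --->
                <cfset loginMessage = "User Authentication Failed" />
            </cfcase>
            <cfdefaultcase>
                <!--- Server down or an unrecognised error: log it and page someone. --->
                <cflog file="ldap" type="error"
                       text="LDAP failure [#failure#]: #cfcatch.message#" />
                <cfset loginMessage = "Authentication is temporarily unavailable" />
            </cfdefaultcase>
        </cfswitch>
    </cfcatch>
</cftry>
```

Moving between JRun and JBoss then means editing the pattern table for that environment, not the catch block.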
Damon Gentry wrote on 10/18/07 7:31 PM
Great post Joe. I'm in the process of migrating CF7+JRun to CF8+JBoss, and we use CFLDAP. I'll be sure to tuck this little nugget away.