The LDAPLoginModule plug-in handles logins that are authenticated against an LDAP directory.
To ensure a high level of security, this section assumes that X.509 certificates are required from users to identify them.
The procedures below use SSL to illustrate how you can combine the LDAP authentication and SSL features. Keep in mind, however, that using SSL during LDAP-based user authentication is completely independent from the user authentication procedure itself. Of course, you have to use SSL if the useSSL parameter has been set in the Access Control configuration file.
The general flow of the user authentication process via an LDAP directory is as follows:
- Obtain the User Information: The user establishes a connection to the application server and presents an X.509 certificate to the server. The application extracts the user identity from the user’s X.509 certificate. (Note that JSP front-ends can use the Java X509Certificate class methods.) Up to this point, no Endeca software has been used.
- Instantiate an MDEX Engine Connection Object: The Presentation API AuthHttpENEConnection constructor is used to instantiate an AuthHttpENEConnection object that will be used to connect to the MDEX Engine.
- Query the LDAP Server: The AuthHttpENEConnection class has a login method that is used to connect to and query an external LDAP server to authenticate the user. If the LDAP directory has been configured to do so, the results can also provide the user’s group information. The Endeca Access Control System automatically creates an entitlement filter for the user based on this group information.
- Make a Secure MDEX Engine Query: The Presentation API AuthHttpENEConnection class has a query method that is used to make a query to the MDEX Engine that limits the user’s access to what is specified in the entitlement filter.
These steps are described in detail in the following sections.
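The following Java servlet fragment is an added example that walks through the four steps above in one place; it is not code from the Endeca documentation or the Presentation API distribution. It assumes the AuthHttpENEConnection constructor takes a host and port, that its login method takes a user name, a password and the name of the configured login module, and that the class lives in the com.endeca.navigation package with the other connection classes; the MDEX host, port and login module name are placeholders, and the way a certificate-derived identity is matched to an LDAP entry depends on how the directory and the Access Control configuration file are set up. Check the Presentation API Javadoc for your release before relying on these signatures.

```java
// Added example: the LDAP-authenticated query flow from a servlet or JSP.
// Signatures of AuthHttpENEConnection and login() are assumed, not taken from the page.
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import com.endeca.navigation.AuthHttpENEConnection; // package assumed
import com.endeca.navigation.ENEQuery;
import com.endeca.navigation.ENEQueryException;
import com.endeca.navigation.ENEQueryResults;
import com.endeca.navigation.UrlENEQuery;

public class LdapSecuredSearch {

    // Step 1: obtain the user identity from the client certificate presented over SSL.
    // No Endeca code is involved yet; this is standard servlet/JCA API.
    static String userFromCertificate(HttpServletRequest request) {
        X509Certificate[] chain =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            // Refuse rather than fall back to an anonymous query: without an identity
            // there is nothing for the entitlement filter to be built from.
            throw new SecurityException("client did not present an X.509 certificate");
        }
        // chain[0] is the end-entity certificate; its subject DN is the user identity.
        return chain[0].getSubjectX500Principal().getName();
    }

    static ENEQueryResults secureQuery(HttpServletRequest request, String queryString)
            throws ENEQueryException {
        String userDn = userFromCertificate(request);

        // Step 2: instantiate the connection object for the MDEX Engine
        // (host and port are placeholder values).
        AuthHttpENEConnection conn =
            new AuthHttpENEConnection("mdex-host.placeholder", 15000); // signature assumed

        // Step 3: authenticate the user against the LDAP server. A successful login
        // causes the Access Control System to build the entitlement filter from the
        // user's group information. The empty password and the login module name
        // "LDAPLoginModule" are assumptions for a certificate-based setup.
        conn.login(userDn, "", "LDAPLoginModule"); // signature assumed

        // Step 4: run the query; results are limited by the entitlement filter
        // attached to this connection, so unauthenticated connections must never be reused here.
        ENEQuery query = new UrlENEQuery(queryString, "UTF-8");
        return conn.query(query);
    }
}
```

The important design point is that steps 3 and 4 use the same AuthHttpENEConnection object: the entitlement filter is bound to the connection that performed the login, so issuing the query on a plain HttpENEConnection, or on a connection whose login threw an exception, would bypass the restriction the LDAP groups are meant to impose.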
Note: User authentication via an LDAP directory is supported by the Java and .NET versions of the Endeca Presentation API. All procedures apply to both versions, unless otherwise noted.