October 27, 2011 / Terry Gardner

LDAP: Programming Practices

The summary follows below. See LDAP: Programming Practices for the full article.

Summary

  • use LDAPv3
  • do not use JNDI for new code
  • do not use threads with Net::LDAP (Perl)
  • understand and use the root DSE
  • use the attribute’s matching rule, not string equality, when comparing attribute values and distinguished names
  • use connection pooling
  • use secure connections only
  • use application-specific accounts
  • do not rely on the order in which attributes and entries are returned
  • check for controls in responses and exceptions
  • use the post-read request control to ‘read’ back attributes after a modify or add, instead of a separate search
  • always supply a client-requested size limit and time limit
  • use the authorization identity request control or the Who Am I? extended operation to determine the authorization state of a connection
  • where possible, use the password modify extended operation to change passwords
  • transmit passwords in clear-text (over a secure connection, never pre-hashed by the client) so the server can check password quality and history
  • do not rely on names or values or availability of operational attributes
  • notify directory server administrators of access control requirements ahead of time
  • if available, use the GetEffectiveRightsRequestControl
  • use the most restricted search scope possible
  • use base-level scope when a DN is known
  • ensure that your application can handle referrals
  • minimize or avoid vendor-specific code
  • before transmitting a request control, check that it is supported by the server by looking for its OID in the supportedControl attribute of the root DSE
  • get information about attributes from the schema
  • ensure your application can handle an unsolicited notification from the server
  • understand attribute syntaxes, matching rules, and ordering rules
  • avoid hard-coding distinguished names
  • when using LDAP transactions, understand that the server can abort a transaction without a client having requested the abort
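The matching-rules point above is the one most often got wrong in application code: two DNs that name the same entry can differ in case, whitespace, escaping, attribute-type spelling (OID versus short name) and the order of a multi-valued RDN, so `==` on the raw strings is not a correct comparison. The following is an added example, not code from the original article or from any LDAP SDK: it parses RFC 4514 DN strings and compares them the way a server’s distinguishedNameMatch rule does. The table of caseIgnoreMatch attribute types and the OID alias map are hard-coded assumptions for the example; a real client should take syntaxes and matching rules from the server schema, as the summary recommends.

```python
"""Distinguished-name comparison with matching-rule semantics (added example)."""
import re

# Assumption: attribute types whose EQUALITY rule is caseIgnoreMatch (RFC 4519).
# Real code should look this up in the server schema rather than hard-code it.
CASE_IGNORE_TYPES = {"cn", "ou", "o", "dc", "uid", "c", "l", "st", "sn", "givenname"}

# Assumption: a few OID aliases so "2.5.4.3=Jane" and "cn=Jane" compare equal.
TYPE_ALIASES = {
    "2.5.4.3": "cn",
    "2.5.4.10": "o",
    "2.5.4.11": "ou",
    "0.9.2342.19200300.100.1.25": "dc",
    "0.9.2342.19200300.100.1.1": "uid",
}

_SPECIALS = set('"+,;<>\\ #=')      # characters that may follow a backslash
_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn):
    """Parse an RFC 4514 string into a list of RDNs, leftmost (leaf) first.

    Each RDN is a list of (attribute_type, value) pairs with escapes resolved.
    Raises ValueError on malformed input.
    """
    if not dn.strip():
        return []                       # the empty DN names the root
    rdns, rdn = [], []
    attr_type, type_buf, parts = None, [], []   # parts: (byte, was_escaped)
    in_value = False
    i, n = 0, len(dn)

    def finish_pair():
        nonlocal attr_type, parts
        # unescaped leading/trailing blanks are not part of the value
        while parts and parts[0] == (b" ", False):
            parts.pop(0)
        while parts and parts[-1] == (b" ", False):
            parts.pop()
        value = b"".join(p for p, _ in parts).decode("utf-8")
        rdn.append((attr_type.lower(), value))
        attr_type, parts = None, []

    while i < n:
        c = dn[i]
        if not in_value:
            if c == "=":
                attr_type = "".join(type_buf).strip()
                if not attr_type:
                    raise ValueError(f"empty attribute type at offset {i}")
                type_buf, in_value = [], True
            elif c in ",+":
                raise ValueError(f"missing '=' before offset {i}")
            else:
                type_buf.append(c)
            i += 1
        elif c == "\\":
            hx = dn[i + 1:i + 3]
            if i + 1 < n and dn[i + 1] in _SPECIALS:
                parts.append((dn[i + 1].encode("utf-8"), True))
                i += 2
            elif len(hx) == 2 and set(hx) <= _HEX:
                parts.append((bytes([int(hx, 16)]), True))   # \C3\A9 style UTF-8 bytes
                i += 3
            else:
                raise ValueError(f"bad escape at offset {i}")
        elif c in ",+":
            finish_pair()
            if c == ",":
                rdns.append(rdn)
                rdn = []
            in_value = False
            i += 1
        else:
            parts.append((c.encode("utf-8"), False))
            i += 1
    if not in_value:
        raise ValueError("DN ends without a value")
    finish_pair()
    rdns.append(rdn)
    return rdns


def _canonical_value(attr_type, value):
    if attr_type in CASE_IGNORE_TYPES:
        # caseIgnoreMatch: fold case, collapse whitespace runs, trim
        return re.sub(r"\s+", " ", value).strip().casefold()
    return value        # unknown types are compared exactly (assumption)


def normalize_dn(dn):
    """Canonical form: tuple of RDNs, each a sorted tuple of (type, value)."""
    out = []
    for rdn in parse_dn(dn):
        pairs = set()
        for t, v in rdn:
            t = TYPE_ALIASES.get(t, t)
            pairs.add((t, _canonical_value(t, v)))
        out.append(tuple(sorted(pairs)))
    return tuple(out)


def dn_equal(a, b):
    """distinguishedNameMatch: True if a and b name the same entry."""
    return normalize_dn(a) == normalize_dn(b)


def is_subordinate(dn, base):
    """True if dn lies strictly below base (what a subtree search under base would return)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) > len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    a = "CN=Jane  Doe, OU=People,DC=Example,DC=COM"
    b = "cn=jane doe,ou=people,dc=example,dc=com"
    print("string equality:", a == b)            # naive comparison misses the match
    print("distinguishedNameMatch:", dn_equal(a, b))
```

`is_subordinate` is the same normalisation applied to the access-control question an application usually has next (is this entry under the base I am allowed to touch?), and it is where hard-coded DNs and naive string prefix checks tend to fail in the same ways.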
