The summary follows below. See LDAP: Programming Practices for the full article.
Summary
- use LDAPv3
- use the UnboundID LDAP SDK. See the comparison matrix.
- do not use JNDI for new code
- avoid Spring LDAP for new code
- do not use threads with Net::LDAP (Perl)
- understand and use the root DSE
- use matching rules to make attribute value comparisons and distinguished name comparisons
- use connection pooling
- use secure connections only. The first operation on an unsecure connection should be StartTLS. Administrators should not permit any operation other than the StartTLS operation on an unsecure connection.
- use application-specific accounts
- do not rely on the order in which attributes and entries are returned
- check for controls in responses and exceptions
- use the post read request control to read back attributes after a modification or add
- always supply a client-requested size limit and time limit
- use the authorization identity request control or who am i? extended operation to determine the authorization state of a connection
- where possible, use the password modify extended operation to change passwords
- always transmit passwords in clear-text on a secure connection so the server can check password quality and history
- do not rely on names or values or availability of operational attributes
- notify directory server administrators of access control requirements ahead of time
- if available, use the GetEffectiveRightsRequestControl
- use the most restricted search scope possible
- use base-level scope when a DN is known
- ensure that your application can handle referrals
- minimize or avoid vendor-specific code
- before transmitting a request control, check that the server supports it by checking the supportedControl attribute in the root DSE
- understand the subschema model and get information about attributes, objectClasses, matching rules, and ordering rules from the schema. Some servers publish the schema location in the subSchema attribute in the Root DSE; when this attribute is not available, applications should search from the base object "" using subtree scope and the filter (objectClass=subSchema)
- ensure your application can handle an unsolicited notification from the server
- understand attribute syntaxes, matching rules, and ordering rules
- avoid hard-coding distinguished names
- when using LDAP transactions, understand that the server can abort a transaction without a client having requested the abort
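The following is an added example, not code from the original article or from the UnboundID project, showing several of the summary's points together with the UnboundID LDAP SDK: a connection pool whose post-connect processor issues StartTLS as the first operation on every connection before binding with an application-specific account, a root DSE check for supportedControl and supportedExtension before a control or extended operation is sent, the authorization identity request control and the Who Am I? extended operation, the post read request control after a modify, and a base-scope fallback read with explicit size and time limits. The host, trust store path, bind DN, target DN and the LDAP_APP_PASSWORD environment variable are hypothetical values for illustration.

```java
import javax.net.ssl.SSLContext;

import com.unboundid.ldap.sdk.*;
import com.unboundid.ldap.sdk.controls.AuthorizationIdentityRequestControl;
import com.unboundid.ldap.sdk.controls.AuthorizationIdentityResponseControl;
import com.unboundid.ldap.sdk.controls.PostReadRequestControl;
import com.unboundid.ldap.sdk.controls.PostReadResponseControl;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedResult;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

public final class SecureLdapUpdateExample {

  public static void main(final String[] args) throws Exception {
    // Hypothetical deployment values; replace with your own.
    final String host = "ldap.example.com";
    final int port = 389;
    final String trustStore = "/etc/inventory-app/ldap-truststore.jks";
    final String appDN = "cn=inventory-app,ou=applications,dc=example,dc=com";
    final String appPassword = System.getenv("LDAP_APP_PASSWORD");
    final String targetDN = "uid=jdoe,ou=people,dc=example,dc=com";

    // Trust only the CA certificates in the application's own trust store.
    final SSLContext sslContext =
        new SSLUtil(new TrustStoreTrustManager(trustStore)).createSSLContext();

    // The pool opens connections on demand. The post-connect processor issues StartTLS
    // as the first operation on each new connection; only then does the pool send the
    // simple bind for the application-specific account, asking the server to report
    // the authorization identity it granted.
    final LDAPConnectionPool pool = new LDAPConnectionPool(
        new SingleServerSet(host, port),
        new SimpleBindRequest(appDN, appPassword, new AuthorizationIdentityRequestControl()),
        1, 8,
        new StartTLSPostConnectProcessor(sslContext));
    try {
      // Consult the root DSE before relying on any control or extended operation.
      final RootDSE rootDSE = pool.getRootDSE();
      final boolean postReadOK =
          rootDSE.supportsControl(PostReadRequestControl.POST_READ_REQUEST_OID);
      final boolean whoAmIOK =
          rootDSE.supportsExtendedOperation(WhoAmIExtendedRequest.WHO_AM_I_REQUEST_OID);

      // Confirm the authorization state of the connection rather than assuming it.
      if (whoAmIOK) {
        final WhoAmIExtendedResult who =
            (WhoAmIExtendedResult) pool.processExtendedOperation(new WhoAmIExtendedRequest());
        System.out.println("authorization identity: " + who.getAuthorizationID());
      }

      // Modify, and read the resulting values back in the same operation when permitted.
      final ModifyRequest modify = new ModifyRequest(targetDN,
          new Modification(ModificationType.REPLACE, "telephoneNumber", "+1 555 0100"));
      if (postReadOK) {
        modify.addControl(new PostReadRequestControl("telephoneNumber", "modifyTimestamp"));
      }
      final LDAPResult modResult = pool.modify(modify);
      final PostReadResponseControl postRead = PostReadResponseControl.get(modResult);
      if (postRead != null) {
        System.out.println("entry after modify:\n" + postRead.getEntry().toLDIFString());
      } else {
        // The server did not return the control: fall back to a base-scope read.
        System.out.println("entry after modify:\n" + readEntry(pool, targetDN).toLDIFString());
      }
    } finally {
      pool.close();
    }
  }

  /** Base-scope read of a known DN with a client-requested size limit and time limit. */
  static SearchResultEntry readEntry(final LDAPInterface ldap, final String dn)
      throws LDAPException {
    // Build the filter with the SDK rather than by string concatenation so that
    // any caller-supplied value is escaped correctly.
    final SearchRequest request = new SearchRequest(dn, SearchScope.BASE,
        Filter.createPresenceFilter("objectClass"), "telephoneNumber", "modifyTimestamp");
    request.setSizeLimit(1);
    request.setTimeLimitSeconds(5);
    request.setFollowReferrals(true); // or handle ResultCode.REFERRAL in the caller
    final SearchResult result = ldap.search(request);
    if (result.getEntryCount() != 1) {
      throw new LDAPException(ResultCode.NO_RESULTS_RETURNED, "expected one entry for " + dn);
    }
    return result.getSearchEntries().get(0);
  }
}
```

If the server rejects StartTLS, the post-connect processor fails the connection and the pool never sends the bind, so the application password is never transmitted in the clear; if the server omits the post read response control, the code does not assume the modification's effect but reads the entry back explicitly.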
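A second added example, also not from the original article or the UnboundID project, for the summary's points on matching rules, attribute syntaxes and distinguished name comparisons: it selects the equality matching rule declared for an attribute in the schema and compares values with it, and compares DNs by normalized form instead of by string. It runs offline against the SDK's built-in standard schema; against a live server the Schema would come from the connection instead. The attribute values and DNs in main are constructed sample data.

```java
import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.ldap.matchingrules.MatchingRule;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.schema.Schema;

public final class SchemaAwareComparison {

  private final Schema schema;

  public SchemaAwareComparison(final Schema schema) {
    this.schema = schema;
  }

  /**
   * Compare two values of the named attribute using the equality matching rule
   * that the attribute's schema definition declares, not String.equals().
   */
  public boolean valuesEqual(final String attributeName, final String v1, final String v2)
      throws LDAPException {
    final MatchingRule rule = MatchingRule.selectEqualityMatchingRule(attributeName, schema);
    return rule.valuesMatch(new ASN1OctetString(v1), new ASN1OctetString(v2));
  }

  /** Compare two distinguished names by their normalized form. */
  public boolean dnsEqual(final String dn1, final String dn2) throws LDAPException {
    return new DN(dn1, schema).equals(new DN(dn2, schema));
  }

  public static void main(final String[] args) throws LDAPException {
    // Offline demonstration with the SDK's standard schema. Against a live server,
    // use connection.getSchema(), which locates the subschema subentry for you.
    final SchemaAwareComparison cmp =
        new SchemaAwareComparison(Schema.getDefaultStandardSchema());

    // mail uses a case-ignoring equality rule, so these are the same value to the server.
    System.out.println(cmp.valuesEqual("mail", "JDoe@Example.COM", "jdoe@example.com"));
    // A naive string comparison disagrees with the server and leads to duplicate or missed entries.
    System.out.println("JDoe@Example.COM".equals("jdoe@example.com"));
    // cn uses caseIgnoreMatch, which ignores case and insignificant whitespace.
    System.out.println(cmp.valuesEqual("cn", "John  Doe", "john doe"));
    // Two spellings of one DN: different strings, same normalized DN.
    System.out.println(cmp.dnsEqual(
        "UID=jdoe, OU=People, DC=Example, DC=com",
        "uid=jdoe,ou=people,dc=example,dc=com"));
  }
}
```

Because the rule is taken from the schema rather than hard-coded, the same code remains correct when an administrator changes an attribute's matching rule or the application is pointed at a server with a different schema.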
Excellent advice for people getting into LDAP programming.
The unboundid SDK is indeed the best toolkit for Java. I’ve been using it since its first public release. Very well thought out in terms of API and superbly documented.
Vladimir
Nimbus Directory Services