  • Integrating ColdFusion Applications with Microsoft Active Directory

    Posted: 2007-07-05 16:48:24

    The LDAP protocol was first specified in the early 1990s by a team at the University of Michigan as a common language that clients and servers could use to exchange directory information. The directory is stored on the server as a hierarchical, tree-structured database and is most often used to hold information about people; it is also commonly used for organizations, security certificates, and resources such as files or network devices. A directory is read far more often than it is written or updated, and the LDAP specification was designed with that in mind. The result is that an LDAP server generally outperforms a conventional relational database for read-heavy lookups of this kind.

    LDAPv3 is the most recent iteration of the protocol and is defined in RFC 2251. It adds features such as extensible schemas, referrals, and stronger authentication (SASL binds alongside the simple bind). Microsoft's Active Directory conforms to this specification.

    Active Directory is an essential component of the latest generation of Windows network architecture. It offers a directory service that allows organizations to centrally manage and share information on network resources and users. It also acts as storage for Windows network security information. Windows machines serving as domain controllers on a network each run an instance of the Active Directory services and hold a copy of the directory database. All of the objects stored in the Active Directory are accessible via LDAP using standard naming conventions. Active Directory supports LDAPv2 and LDAPv3, and in turn, recognizes the RFC 1779 and RFC 2247 naming conventions.

    Authentication Example

    One very common integration challenge for ColdFusion programmers is to authenticate Web application users against a Windows 2000 Active Directory domain. There are a number of ways this can be done.

    One way is to use the Advanced Security facilities of ColdFusion and the CFAUTHENTICATE tag. See Chapter 19, page 360 of the ColdFusion 5 Developing ColdFusion Applications manual and Chapter 5, page 79 of the ColdFusion 5 Advanced ColdFusion Administration manual for more information on how to implement this.

    Because the domain users are stored in Active Directory, another way is to use its LDAPv3 interface through ColdFusion's CFLDAP tag. Every Windows 2000 domain controller listens for LDAP connections on port 389. By default anonymous clients are not allowed to read the directory, but every domain user has permission to bind to the LDAP server. So a user can be authenticated by having CFLDAP connect to the domain controller with that user's username and password: if the connection succeeds, the credentials are valid; if it fails, deny access. Three caveats apply to this bind-as-the-user pattern. First, Active Directory treats a bind that carries a username but an empty password as an "unauthenticated" bind, which it accepts as anonymous, so the application must reject an empty password before it ever calls CFLDAP, or an empty form field would log anyone in. Second, every failed simple bind counts against the account's lockout policy, so the login form needs rate limiting or an attacker can lock out arbitrary domain accounts by guessing at it. Third, a successful bind proves only that the password is right; whether that account should be allowed into the application is a separate authorization check.

    The following code serves as an example:

    
    <!--- Reject an empty password before binding: Active Directory accepts a
          bind with a name and an empty password as an anonymous bind, which
          would otherwise look exactly like a successful login. --->
    <cfif len(form.password) EQ 0>
       <cfset isAuthenticated="no">
    <cfelse>
    <cftry>
       <!--- Active Directory accepts the bind name as DOMAIN\user or user@domain --->
       <cfldap action="QUERY"
          name="auth"
          attributes="cn"
          start="cn=users,dc=macromedia,dc=com"
          server="domaincontroller.macromedia.com"
          username="#form.username#"
          password="#form.password#">
       <cfset isAuthenticated="yes">
    <cfcatch type="ANY">
       <!--- A wrong password and an unreachable domain controller both land here.
             Fail closed, but log the reason so an outage is not mistaken for bad logins. --->
       <cfset isAuthenticated="no">
       <cflog file="ldapauth" text="LDAP bind failed for #form.username#: #cfcatch.message#">
    </cfcatch>
    </cftry>
    </cfif>
    

    The isAuthenticated boolean variable indicates whether or not the user's credentials passed from a form are valid in the domain.

    Note: A simple LDAP bind sends the password to the domain controller in clear text, and the browser sends it to ColdFusion the same way, so it is highly recommended that SSL be used to encrypt both the HTTP and the LDAP communication. This requires installing a certificate on the domain controller to enable LDAP over SSL on port 636; Microsoft describes the procedure at http://support.microsoft.com/support/kb/articles/Q247/0/78.ASP. The CFLDAP tag must also be told to use the secure port and protocol (its port and secure attributes); for details see the reference for the CFLDAP tag on page 167 of ColdFusion 5: CFML Reference.
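The decision logic around the bind, as an added example that is not part of the original article. The directory bind is passed in as a callable so the logic can be exercised offline against a constructed stand-in for a domain controller; in production that callable wraps the real LDAP client (for example ldap3's Connection.bind over LDAPS). The exception classes, function names and simulated accounts are this example's own assumptions. It contrasts the article's "any successful bind is a login" rule with a version that refuses the empty-password (unauthenticated) bind and tells a wrong password apart from an unreachable directory.

```python
"""Bind-based login against an Active Directory domain controller.

Added example, not code from the original article. The directory bind is
passed in as a callable so the decision logic can run offline; in
production that callable wraps the real LDAP client (for example ldap3's
Connection.bind over LDAPS). Exception and function names are assumptions
made for this example.
"""
import re
from typing import Callable, Tuple


class LdapError(Exception):
    """Base class for errors raised by the bind callable."""


class InvalidCredentials(LdapError):
    """LDAP resultCode 49: wrong password, unknown or locked account."""


class ServerUnavailable(LdapError):
    """The domain controller could not be reached."""


BindFn = Callable[[str, str], None]  # (account name, password) -> None, raises on failure

# Constructed stand-in for a domain controller. It reproduces two real
# Active Directory behaviours: a bind that carries a name but an EMPTY
# password is an "unauthenticated" bind, which AD treats as anonymous and
# accepts; and the name may be given as sAMAccountName, DOMAIN\user or a UPN.
_SIMULATED_ACCOUNTS = {"jdoe": "Secret#1", "asmith": "Hunter2!"}


def simulated_ad_bind(user: str, password: str) -> None:
    if password == "":
        return  # accepted as anonymous: nothing about the user was proven
    account = user.rsplit("\\", 1)[-1].split("@", 1)[0].lower()
    if _SIMULATED_ACCOUNTS.get(account) != password:
        raise InvalidCredentials(f"invalid credentials for {user!r}")


def unreachable_dc_bind(user: str, password: str) -> None:
    raise ServerUnavailable("domaincontroller.macromedia.com unreachable")


def naive_authenticate(user: str, password: str, bind: BindFn) -> bool:
    """The article's logic: a bind that does not raise counts as a login."""
    try:
        bind(user, password)
        return True
    except Exception:
        return False


# sAMAccountName, DOMAIN\sAMAccountName or user@domain; anything else never reaches the DC
_NAME_RE = re.compile(r"^(?:[\w.-]+\\)?[\w.-]+(?:@[\w.-]+)?$")


def authenticate(user: str, password: str, bind: BindFn) -> Tuple[bool, str]:
    """Hardened version: refuses the unauthenticated-bind case and separates a
    bad password from an unreachable directory (both fail closed)."""
    if password == "":
        return False, "empty password"
    if not _NAME_RE.match(user):
        return False, "malformed account name"
    try:
        bind(user, password)
    except InvalidCredentials:
        return False, "invalid credentials"
    except ServerUnavailable:
        return False, "directory unavailable"  # alert the operator, not the user
    except LdapError as exc:
        return False, f"directory error: {exc}"
    return True, "ok"


if __name__ == "__main__":
    print(naive_authenticate("jdoe", "", simulated_ad_bind))               # True: the pitfall
    print(authenticate("jdoe", "", simulated_ad_bind))                     # (False, 'empty password')
    print(authenticate("MACROMEDIA\\jdoe", "Secret#1", simulated_ad_bind))  # (True, 'ok')
```

The "directory unavailable" outcome is still a denial, but it should raise an operational alert rather than be counted as a failed login; and because every real bind failure increments the account's bad-password count on the domain controller, the caller of `authenticate` should throttle attempts per account and per client address.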

    Intranet Phone Directory Example

    Another common integration task is to allow access to corporate personnel information stored in the Active Directory via a corporate intranet. A very simple application of this would be a corporate phone list. One of the key advantages of using Active Directory is that it can provide the organization with a single, centralized location to store corporate information. In the case of the corporate intranet phone list, there is no need to create a second datastore for the Web application to hold a list of users and their phone numbers. Instead, the ColdFusion powered intranet can retrieve the information directly from the Active Directory.

    Again, the CFLDAP tag is needed to leverage the Active Directory's LDAPv3 interface. In this case the user information is retrieved via LDAP in the form of a query object.

    The following code example retrieves the data and displays it in a table:

    
    <!--- Send LDAP Query to Domain Controller.
          request.domainlogin should be a dedicated, read-only service account
          rather than an administrator: this query only needs read access. --->
    <cfldap action="QUERY"
        name="results"
        attributes="sn,givenname,department,telephoneNumber,mobile,mail"
        start="cn=users,dc=macromedia,dc=com"
        filter="(&(objectCategory=person)(objectclass=user)(company=Macromedia Inc.))"
        server="domaincontroller.macromedia.com"
        username="#request.domainlogin#"
        password="#request.domainpassword#">
    <!---
    CFLDAP notes:
       attributes- comma delimited list of data you want to return about each user
       start- the domain component (dc) will vary based on the name of your domain
       filter- objectclass=user returns user accounts. In Active Directory the
         computer class is a subclass of user, so computer objects match it too;
         objectCategory=person excludes them.
         company=Macromedia Inc. only returns users whose "company" attribute
           holds that value. Prevents accounts such as IUSR_MACHINENAME
           from being displayed.
    --->
    <!--- Display results in a table. Directory values are HTML-encoded on output:
          users can change some of their own attributes, so treat them as untrusted. --->
    <table border="1">
       <tr>
           <th>Name</th><th>Department</th><th>Phone</th><th>Mobile</th><th>Email</th>
       </tr>
       <cfoutput query="results">
       <tr>
           <td>#HTMLEditFormat(sn)#, #HTMLEditFormat(givenname)#</td>
           <td>#HTMLEditFormat(department)#</td>
           <td>#HTMLEditFormat(telephoneNumber)#</td>
           <td>#HTMLEditFormat(mobile)#</td>
           <td><a href="mailto:#HTMLEditFormat(mail)#">#HTMLEditFormat(mail)#</a></td>
       </tr>
       </cfoutput>
    </table>
    
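The filter above is a fixed string, but the obvious next step for a phone list is a "search by surname" box, and at that point user input lands inside the LDAP filter. The following is an added example, not code from the article: it builds the search filter with the value escaping RFC 4515 requires, and shows on a constructed payload why plain interpolation (what a `#variable#` inside the filter string does) turns the phone list into a directory-membership oracle. Function names and the payload are this example's own.

```python
"""Building the phone-list search filter from user input.

Added example, not code from the original article. Function names and the
constructed payload are this example's own.
"""
import re
from typing import List


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
    the characters ( ) * \\ and NUL become \\XX hex escapes."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "()*\\\x00" else ch
        for ch in value
    )


def naive_phone_filter(company: str, surname_prefix: str) -> str:
    """Straight interpolation, as a CFML #variable# inside the filter string would do."""
    return f"(&(objectclass=user)(company={company})(sn={surname_prefix}*))"


def phone_filter(company: str, surname_prefix: str = "") -> str:
    """Users of one company, optionally narrowed by a surname prefix.
    objectCategory=person excludes Active Directory computer objects, which are
    a subclass of user and would otherwise match objectclass=user."""
    clauses = [
        "(objectCategory=person)",
        "(objectclass=user)",
        f"(company={escape_filter_value(company)})",
    ]
    if surname_prefix:
        clauses.append(f"(sn={escape_filter_value(surname_prefix)}*)")
    return "(&" + "".join(clauses) + ")"


# Constructed payload: it closes the sn assertion, adds a group-membership test,
# and re-opens an sn assertion so the parentheses still balance. The result list
# then reveals which Domain Admins have a surname starting with "a".
INJECTION = "a*)(memberOf=cn=Domain Admins,cn=Users,dc=macromedia,dc=com)(sn="


def assertions(ldap_filter: str) -> List[str]:
    """Attribute names that appear as their own assertion in the filter
    (i.e. directly after an opening parenthesis)."""
    return re.findall(r"\(([A-Za-z][\w-]*)=", ldap_filter)


if __name__ == "__main__":
    print(naive_phone_filter("Macromedia Inc.", INJECTION))
    print(assertions(naive_phone_filter("Macromedia Inc.", INJECTION)))  # memberOf smuggled in
    print(phone_filter("Macromedia Inc.", INJECTION))
    print(assertions(phone_filter("Macromedia Inc.", INJECTION)))        # still four assertions
```

With escaping applied, the whole payload becomes a literal surname prefix that matches nothing; without it, the attacker controls the filter's structure and can test any attribute the service account is allowed to read.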

    Active Directory Schema

    In order to code queries to the Active Directory effectively, you'll need to know what the schema looks like. Microsoft provides access to this schema through the MMC Active Directory Schema snap-in. It's not installed with Windows 2000 by default, however. Instructions for installing it are as follows:

    1. Log on as Administrator.
    2. Insert the Windows 2000 Server compact disc into your compact disc drive, and then click Browse this CD.
    3. Double-click the I386 folder, double-click Adminpak, and then follow the instructions that appear in the Windows 2000 Administration Tools Setup wizard.
    4. Click Start, click Run, type mmc /a, and then click OK.
    5. On the Console menu, click Add/Remove Snap-in, and then click Add.
    6. Under Snap-in, double-click Active Directory Schema, and then click Close.
    7. Click OK.
    8. To save this console, on the Console menu, click Save.

    Once the snap-in is installed, you can view all of the attributes that are available for you to query. For example, if you expand objectclasses and select the user objectclass, you will see all of the available attributes of "user" in the right pane of the MMC. These are the attributes that you can use in your LDAP queries.

    Employee Self-Service Example

    Because the Active Directory stores all of the Windows network security information and is also accessible via LDAP, there are many possibilities for automating Windows network administration tasks by providing a secure Web interface using ColdFusion.

    One example is updating a user's information stored in Active Directory, for instance a self-service page that lets users update selected aspects of their own information. The following example updates a user's telephone number. Two points matter in a self-service page: the entry being modified must be the logged-in user's own, so the DN has to be built from the identity recorded at login rather than from a value the browser submits; and the new value has to be validated before it goes into the CFLDAP attributes list, which is a string of name=value pairs. The account used for the write should be delegated only the permission to write the attributes the page edits, not domain administrator rights.

    
    <!--- Update the authenticated user's own phone number. The DN is built from
          session.userCN (assumed here: the cn stored in the session after a successful
          login bind), never from a form field, which would let any user rewrite any
          other user's attributes. The value is checked first because the attributes
          list is name=value pairs and an unvalidated value could add a second attribute. --->
    <cfif len(form.officephone) GT 32 OR NOT REFind("^\+?[0-9][0-9 ().-]+$", form.officephone)>
       <cfthrow message="Telephone number has an unexpected format">
    </cfif>
    <cfldap action="MODIFY"
         DN="cn=#session.userCN#,cn=Users,dc=macromedia,dc=com"
         attributes="telephonenumber=#form.officephone#"
         modifytype="REPLACE"
         server="domaincontroller.macromedia.com"
         username="#request.adminlogin#"
         password="#request.adminpassword#">
    
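The same update expressed as an added example, not code from the article, to make the two controls concrete: the DN is composed from the session identity with the escaping RFC 4514 requires for values inside a distinguished name, and the new value is validated before it is rendered into the name=value list that CFLDAP MODIFY takes. The function names, the session value, the phone pattern and the assumption that CFLDAP separates attribute pairs with a semicolon by default are this example's own.

```python
"""Self-service update of a user's own telephoneNumber.

Added example, not code from the original article. Function names, the
session value and the phone pattern are this example's assumptions.
"""
import re
from typing import Dict, Tuple

BASE_DN = "cn=Users,dc=macromedia,dc=com"  # container used throughout the article

# Digits with common separators, optional leading +, 5 to 31 characters.
# Deliberately excludes ';' and '=' (see cfldap_attributes_string) and any markup.
_PHONE_RE = re.compile(r"^\+?[0-9][0-9 ().-]{4,30}$")


def is_valid_phone(value: str) -> bool:
    return bool(_PHONE_RE.match(value))


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514, section 2.4)."""
    out = "".join("\\" + ch if ch in '\\,+"<>;=' else ch for ch in value)
    out = out.replace("\x00", "\\00")
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_phone_update(session_cn: str, new_phone: str) -> Tuple[str, Dict[str, str]]:
    """Return (dn, changes) for a REPLACE of telephoneNumber on the caller's own entry.

    session_cn is the cn recorded in the server-side session when the user logged
    in (for example read back via attributes="cn" on the login query). Taking it
    from the form instead would let any logged-in user rewrite any other user's
    attributes.
    """
    if not is_valid_phone(new_phone):
        raise ValueError("telephone number has an unexpected format")
    dn = f"cn={escape_rdn_value(session_cn)},{BASE_DN}"
    return dn, {"telephoneNumber": new_phone}


def cfldap_attributes_string(changes: Dict[str, str]) -> str:
    """Render changes as the name=value list CFLDAP MODIFY takes, pairs separated
    by the tag's separator character (assumed to be the default semicolon).
    Because the phone pattern rejects ';' and '=', a value cannot smuggle in a
    second attribute such as mail."""
    return ";".join(f"{name}={value}" for name, value in changes.items())


if __name__ == "__main__":
    dn, changes = build_phone_update("Doe, John", "+1 415 555 0100")
    print(dn)                               # cn=Doe\, John,cn=Users,dc=macromedia,dc=com
    print(cfldap_attributes_string(changes))  # telephoneNumber=+1 415 555 0100
    print(is_valid_phone("555;mail=attacker@example.com"))  # False
```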

    Other Methods

    It's important to note that Active Directory is quite flexible in its implementation, and LDAP is not the only technology available for integrating it with Web applications. Microsoft provides the Active Directory Services Interface (ADSI), which gives access to objects in the Active Directory from programming languages such as Visual Basic or C++. ColdFusion cannot directly call the functions needed to instantiate an ADSI object, but it is possible to write a COM object or a C++ CFX tag that ColdFusion could use to reach the ADSI interfaces. See www.microsoft.com/adsi/ for more information on ADSI.

    Possibilities

    Hopefully the examples above have given you a good flavor for what can be accomplished by integrating ColdFusion applications and Active Directory. More and more organizations are storing their vital personnel, resource, and security information in Active Directory, and it will be increasingly important for ColdFusion applications to be able to access and interact with this data.
