without fear of conflict with any previously assigned identifier [36]. This is what
you will use to map a user record in the directory to the corresponding
record in the relational database (see figure below).
Fig 39: Mapping directory to database
As part of its Access Management function, CAS will authenticate the user's
credentials (cn and userPassword values) against the directory, then use the
uid (User UUID) attribute of the directory user object to retrieve any other
required attributes of the user from the relational database [37].
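The lookup described above, sketched as an added example (not code from the book or from CAS): the directory entry is assumed to be already authenticated, and the table and column names are constructed for illustration. It includes the join from the User UUID to the local primary key that the footnote on this query mentions.

```python
import sqlite3
import uuid

# Constructed schema: tables reference a local integer key; user_uuid is the
# only column shared with the directory (all names here are assumptions).
SCHEMA = """
CREATE TABLE users (
    user_id   INTEGER PRIMARY KEY,
    user_uuid TEXT NOT NULL UNIQUE
);
CREATE TABLE user_attributes (
    user_id INTEGER NOT NULL REFERENCES users(user_id),
    name    TEXT NOT NULL,
    value   TEXT NOT NULL,
    PRIMARY KEY (user_id, name)
);
"""

def build_sample_db():
    """In-memory database with one constructed user; returns (conn, uuid)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    user_uuid = str(uuid.uuid4())  # random UUID, assigned once at provisioning
    cur = conn.execute("INSERT INTO users (user_uuid) VALUES (?)", (user_uuid,))
    conn.executemany(
        "INSERT INTO user_attributes VALUES (?, ?, ?)",
        [(cur.lastrowid, "email", "jdoe@example.com"),
         (cur.lastrowid, "role", "claims-clerk")],
    )
    return conn, user_uuid

def attributes_for(conn, directory_entry):
    """Map an authenticated directory entry to its database attributes.

    Returns a dict, or None when the uid is malformed or has no attribute rows.
    """
    try:
        # Normalise and validate the directory value before it is used as a key.
        key = str(uuid.UUID(directory_entry["uid"]))
    except (KeyError, ValueError, TypeError, AttributeError):
        return None
    rows = conn.execute(
        "SELECT a.name, a.value FROM users u "
        "JOIN user_attributes a ON a.user_id = u.user_id "
        "WHERE u.user_uuid = ?",
        (key,),
    ).fetchall()
    return dict(rows) if rows else None
```

A `None` result for a user who has just authenticated means the directory and the database have drifted apart, which is worth logging rather than silently treating as a user with no attributes.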
Tip 5: Try to implement password policies at a per-user level
Your organisation's security policy may specify different rules governing
passwords for B2E users, B2B users and B2C/B2B2C users [38]. Most directories
only support password policies at an “ou” node level (which then affects
user nodes below that root node), but as we have seen above, sometimes
we are forced to place B2B and B2B2C users under the same “ou” sub-tree,
[36] A UUID is a 128-bit string, and the chance of two randomly generated UUIDs
being the same is about 1 in 10^33. These are such stupendous odds (and modern
pseudo-random number generation algorithms so reliable) that you can blindly
insert records in a table without checking for duplicates. If someone you know insists
that you must check for duplicate UUIDs before inserting new records, they probably
don't understand how big a number 10^33 really is, and are probably disappointed that
the Universe has “only” 10^80 atoms! The authors have learnt not to argue in such
situations.
[37] The query may require a SQL join to map the User UUID to the primary key used
within the relational database, because tables within the database only reference the
local primary key.
[38] Internal users may need to change their passwords every month, while customers
may be allowed to keep theirs for 3 months. Internal users may not be allowed to
reuse the last 10 passwords, while customers may not have such a restriction, etc.