Advanced LDAP Support

Plastic currently only supports basic LDAP integration.

In real-world scenarios, things aren't as clear cut and simple.
I propose extending LDAP support in the following ways:

1. Support secure LDAP (LDAPS), including self-signed certificates on the LDAPS server.
2. Ability to specify the Root DN.
3. Ability to specify the User Search Base.
4. Ability to specify the User Search Filter (i.e., something like sAMAccountName={0}).
5. Ability to specify the Group Search Base.
6. Ability to specify the Group Search Filter (e.g., (&(cn={0})(objectclass=group))).
7. Group membership definitions (can be optimized with the memberOf property).
8. Configurable local caching of credentials, TTL, etc.

38 votes

Chong Yan shared this idea

6 comments

Chong Yan commented

#7: I've noticed most LDAP connectors determine group membership by running additional queries after the user login query. This is pretty inefficient. Group membership can be inferred by simply parsing the memberOf property that comes with the login query (this is not standard on all LDAP servers, but tends to be on AD servers by default).

#8: You probably don't want to query the LDAP server repeatedly for the same user logins. You can cache the credentials locally and allow for much more responsive logins. The TTL setting allows you to fine-tune how long to keep these cached credentials.
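The pieces behind items 4 to 8 above (a `{0}` filter template, group inference from memberOf, and a TTL credential cache), as an added Python example that is not part of this request or of Plastic's own code. The `{0}` value is escaped per RFC 4515 so a username cannot alter the filter's structure, and the cache keeps only a salted hash of the password; all function names and the sample entry are constructed for illustration.

```python
import hashlib, hmac, os, time
from typing import Dict, List, Optional

# RFC 4515 escaping: a value substituted into a {0} placeholder must not be
# able to change the filter's structure (LDAP injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, value: str) -> str:
    """Fill a search-filter template such as 'sAMAccountName={0}'."""
    return template.replace("{0}", escape_filter_value(value))

# Constructed sample: the kind of entry an AD bind/search returns for a user.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "memberOf": ["CN=Developers,OU=Groups,DC=example,DC=com",
                 "CN=VPN Users,OU=Groups,DC=example,DC=com"],
}

def groups_from_member_of(entry: Dict[str, List[str]]) -> List[str]:
    """Infer group names from memberOf DNs on the login entry instead of
    issuing one extra group query per login."""
    groups = []
    for dn in entry.get("memberOf", []):
        attr, _, name = dn.split(",", 1)[0].partition("=")  # first RDN
        if attr.strip().upper() == "CN":
            groups.append(name.strip())
    return groups

class CredentialCache:
    """Local cache of verified logins with a TTL. Stores a salted PBKDF2
    hash of the password, never the password itself."""
    def __init__(self, ttl_seconds: int, clock=time.time):
        self.ttl, self.clock, self._entries = ttl_seconds, clock, {}

    def store(self, user: str, password: str, groups: List[str]) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._entries[user] = (salt, digest, list(groups), self.clock() + self.ttl)

    def check(self, user: str, password: str) -> Optional[List[str]]:
        """Return the cached groups on a fresh, matching entry, else None."""
        item = self._entries.get(user)
        if item is None:
            return None
        salt, digest, groups, expires = item
        if self.clock() > expires:
            del self._entries[user]          # expired: force a real LDAP login
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return groups if hmac.compare_digest(candidate, digest) else None
```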
