
I'm about to build a new account management system for my company. The users are external customers accessing some of our web applications. Some users are internal operators accessing the same web applications, but with certain authority. The internal operators are also using Java applications accessing a SQL database for information retrieval.

Requirements

  • If the user has forgotten his/her password, it shall be possible for the user to receive an email with a reset link, containing a unique id, that allows the user to enter a new password by following the link. The unique id shall be part of the AD system and also have a "valid-to" timestamp.
  • If we receive a list with 100000 users that shall be part of the system, it should be manageable to add them in an automatic fashion.

I'm new to Active Directory and wonder if it's suitable for these requirements, or will it be easier to manage with any other system?

I will also use CAS for authentication and single-sign-on for the web applications.

Filip
    Depends a lot on the applications. Custom web apps only - rather use both AD and a home made list (to avoid licensing AD for external users). It really depends. AD CAN do that, whether it is efficient is something we can not answer without a LOT more information. AD licensing gets rather expensive for external users - requiring CAL of some sort. – TomTom Jan 03 '13 at 10:36
  • What AD does not - and NO sensible system does - is allow a user to retrieve his password. They all allow a reset, but they do NOT store the password in a retrievable form. That is dangerous, it basically totally invalidates the password. NO ONE except the user should know the password, the system does not have to know it to know whether the user entered the correct one. Security 101: use a heavily salted hash of the password in the database, NEVER store the password. – TomTom Jan 03 '13 at 10:38
  • Thanks for the comments. What do you mean by "licensing AD" and the "home made list"? Regarding the retrieval of a password - I just want the user be able to reset the password to a new one, by following a reset-link. So it is possible to assign a unique id to a user account to identify that the user of the account is allowed to reset the password to a new one, also with a valid-to timestamp? – Filip Jan 03 '13 at 11:19
  • From the end - yes, it is possible, any crappy Junior programmer can do. Users obviously have a unique ID (their Name) and can have a secret identifier for reset too. What I mean with "licensing AD" is that Active Directory has licensing requirements. They cost this funny thing you may never have that is called "Money". For every user. So, depending how you use them, that gets EXPENSIVE FAST. – TomTom Jan 03 '13 at 11:21
  • Ok, I understand. Is there any other suitable system that would be better to use, which is also free? Today we use MSSQL for storing user credentials. We want to create a new "database" that only contains user accounts, that will be a centralized user-account database. – Filip Jan 03 '13 at 11:29
  • Well, yes. Roll your own. If your time has no value - then the cost is zero. Otherwise - NOTHING is free (Time is money). It really depends on your architectural setup. Standard for web apps is roll your own (templates and structure are part for a standard app in asp.net). – TomTom Jan 03 '13 at 11:39
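The two points raised in the question and the comments above (a reset link carrying a unique id with a "valid-to" timestamp, and never storing a retrievable password) fit together in one small flow. The following is an added example, not code from the question or from Active Directory or CAS; it uses an in-memory dictionary as a stand-in for the account store (AD or an MSSQL table), stores only a SHA-256 digest of the reset id so a leaked database cannot be used to reset accounts, makes the id single-use and time-limited, and keeps passwords as salted PBKDF2 hashes. The `bulk_import` function shows the "100000 users from a list" case: every imported account starts without a password and with a reset id to be emailed out. All names and the CSV rows are constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# OWASP's current recommendation for PBKDF2-HMAC-SHA256; lower it only for tests.
PBKDF2_ITERATIONS = 600_000


@dataclass
class UserRecord:
    """Hypothetical account record; stands in for an AD user object or SQL row."""
    username: str
    email: str
    salt: bytes = b""
    password_hash: bytes = b""          # salted PBKDF2 hash, never the password
    reset_token_hash: bytes = b""       # SHA-256 of the emailed id, never the id itself
    reset_valid_to: Optional[datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def set_password(user: UserRecord, password: str) -> None:
    # Fresh random salt per password change so equal passwords never share a hash.
    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(password, user.salt)


def verify_password(user: UserRecord, password: str) -> bool:
    if not user.password_hash:
        return False                    # account has no usable password yet
    # Constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_token(user: UserRecord, now: datetime, ttl: timedelta = timedelta(hours=1)) -> str:
    """Create the unique id for the reset link. The caller emails the returned
    value; only its hash and the valid-to timestamp are kept on the record."""
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, URL-safe
    user.reset_token_hash = _digest(token)
    user.reset_valid_to = now + ttl
    return token


def redeem_reset_token(users: Dict[str, UserRecord], username: str, token: str,
                       new_password: str, now: datetime) -> bool:
    """Validate the id from the link and, if valid, set a new password.
    Returns False for unknown user, no outstanding reset, expired or wrong id."""
    user = users.get(username)
    if user is None or not user.reset_token_hash or user.reset_valid_to is None:
        return False
    if now > user.reset_valid_to:
        user.reset_token_hash = b""     # expired: discard so it cannot be retried
        user.reset_valid_to = None
        return False
    if not hmac.compare_digest(user.reset_token_hash, _digest(token)):
        return False
    set_password(user, new_password)
    user.reset_token_hash = b""         # single use: invalidate after success
    user.reset_valid_to = None
    return True


def bulk_import(csv_text: str, now: datetime,
                ttl: timedelta = timedelta(days=7)) -> Tuple[Dict[str, UserRecord], List[Tuple[str, str]]]:
    """Load accounts from a CSV with 'username' and 'email' columns. No passwords are
    assigned; instead each user gets a reset id so they choose their own password.
    Returns the store and the (email, id) pairs that the mailer should send."""
    users: Dict[str, UserRecord] = {}
    outbound: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = UserRecord(username=row["username"].strip(), email=row["email"].strip())
        outbound.append((user.email, issue_reset_token(user, now, ttl)))
        users[user.username] = user
    return users, outbound


# Constructed sample list, standing in for the 100000-user import.
SAMPLE_CSV = """username,email
alice,alice@example.invalid
bob,bob@example.invalid
carol,carol@example.invalid
"""

if __name__ == "__main__":
    t0 = datetime(2013, 1, 3, 10, 0, tzinfo=timezone.utc)
    store, mails = bulk_import(SAMPLE_CSV, t0)
    email, token = mails[0]
    print("would email", email, "a link containing", token)
    print("reset ok:", redeem_reset_token(store, "alice", token, "correct horse", t0 + timedelta(hours=2)))
    print("login ok:", verify_password(store["alice"], "correct horse"))
```

The link the mailer sends carries the username and the id (for example as query parameters); the handler behind it calls `redeem_reset_token` and never needs to look the id up in plain form. Because only the digest is stored, an operator reading the account table cannot reset anyone's password from it, which is the same reasoning TomTom gives for password hashes.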
