You probably want to build your script in such a way that this authentication piece of it is a cleanly separate module, because it may well be that in other (e.g. "corporate") scenarios, you might need to use LDAP (nee OpenDirectory). Corporations, for fairly obvious reasons, like to be able to centrally manage the authentication/authorization processes, and LDAP is a worthy standard.
Furthermore, LDAP integration is available at the web server level, such that you can restrict access to an entire web-site based on the LDAP-known status of the visiting (internal, corporate ...) user. This can greatly simplify the design of an internal web-site because the site no longer has to determine whether the visitor is authorized to be here ... "if he's not authorized to be here, he isn't" ... and the site can also rely upon the fact that LDAP information will be available for anyone who is here. (Just in case, your script should redirect, and thus evict, anyone whose LDAP credentials cannot be retrieved ...)
Your web site can query various attributes of the user to determine, as necessary, exactly what he should or should not be allowed to do ... and it can rely upon the information that is returned as being authoritative.
Last edited by sundialsvcs; 10-10-2012 at 01:13 PM.
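As an added example (not code from the post above or from any project it mentions), here is one way to keep the authentication piece as a separate, swappable module while relying on the web server to do the LDAP work. With Apache this is the `mod_authnz_ldap` arrangement (`AuthBasicProvider ldap`, `AuthLDAPURL`, `Require ldap-group`), where the server authenticates the visitor and exports `REMOTE_USER` plus `AUTHENTICATE_<attribute>` variables into the request environment. The script never talks to LDAP itself: it reads those variables, evicts (redirects) anyone for whom they are missing, and answers authorization questions from the exported attributes. The `;` separator for multi-valued attributes is an assumption, and the environ dictionaries at the bottom are constructed sample input, not captured from a real server.

```python
"""Pluggable authentication layer kept apart from the site code.

Added example, not from the original post.  LdapProxyBackend assumes the web
server (e.g. Apache with mod_authnz_ldap) has already authenticated the visitor
and exported REMOTE_USER plus AUTHENTICATE_<attribute> variables into the WSGI
environ.  Anyone arriving without them is redirected (evicted), as the post
suggests.  The environ dicts at the bottom are constructed sample input.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Mapping, Optional, Tuple

ATTR_PREFIX = "AUTHENTICATE_"   # prefix mod_authnz_ldap uses for exported attributes
MULTI_SEP = ";"                 # assumption: multi-valued attributes arrive joined with ";"


@dataclass(frozen=True)
class Principal:
    """What the site is allowed to trust about the current visitor."""
    uid: str
    attrs: Mapping[str, str]    # attribute name (upper-cased) -> raw exported value

    def values(self, name: str) -> List[str]:
        raw = self.attrs.get(name.upper(), "")
        return [v.strip() for v in raw.split(MULTI_SEP) if v.strip()]

    def member_of(self, group_dn: str) -> bool:
        # distinguished names compare case-insensitively
        return group_dn.lower() in (g.lower() for g in self.values("memberOf"))


class AuthBackend:
    """Interface the site codes against; swapping LDAP for another source
    means replacing the backend object and nothing else."""
    def principal(self, environ: Mapping[str, str]) -> Optional[Principal]:
        raise NotImplementedError


class LdapProxyBackend(AuthBackend):
    """Trusts identity data the front-end web server already established."""
    def principal(self, environ):
        uid = environ.get("REMOTE_USER")
        if not uid:
            return None                      # server never authenticated this visitor
        attrs = {k[len(ATTR_PREFIX):].upper(): v
                 for k, v in environ.items() if k.startswith(ATTR_PREFIX)}
        if not attrs:
            return None                      # authenticated, but no directory data: evict
        return Principal(uid, attrs)


class AuthGate:
    """Decides allow / redirect / forbidden; the WSGI wrapper is a thin shell around decide()."""
    def __init__(self, backend: AuthBackend, login_url: str = "/login",
                 required_group: Optional[str] = None):
        self.backend, self.login_url, self.required_group = backend, login_url, required_group

    def decide(self, environ) -> Tuple[str, Optional[Principal]]:
        p = self.backend.principal(environ)
        if p is None:
            return "redirect", None          # credentials could not be retrieved: evict
        if self.required_group and not p.member_of(self.required_group):
            return "forbidden", p            # known user, but not authorized for this site
        return "allow", p

    def wrap(self, app: Callable) -> Callable:
        def wrapped(environ, start_response) -> Iterable[bytes]:
            verdict, p = self.decide(environ)
            if verdict == "redirect":
                start_response("302 Found", [("Location", self.login_url)])
                return [b""]
            if verdict == "forbidden":
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"not authorized\n"]
            environ["auth.principal"] = p    # downstream code reads this, never LDAP directly
            return app(environ, start_response)
        return wrapped


# --- constructed sample requests (not captured from any real server) ---
STAFF_ENV = {"REMOTE_USER": "jdoe",
             "AUTHENTICATE_CN": "Jane Doe",
             "AUTHENTICATE_MEMBEROF": "cn=staff,ou=groups,dc=example,dc=com;"
                                      "cn=vpn,ou=groups,dc=example,dc=com"}
NO_ATTR_ENV = {"REMOTE_USER": "ghost"}       # authenticated, but directory lookup yielded nothing
ANON_ENV = {}                                # reached the app without passing the server check


def run_sample(group: str = "cn=staff,ou=groups,dc=example,dc=com") -> List[str]:
    """Returns the HTTP status each sample request receives from the gated site."""
    gate = AuthGate(LdapProxyBackend(), required_group=group)

    def site(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"hello {environ['auth.principal'].uid}\n".encode()]

    statuses: List[str] = []
    for env in (STAFF_ENV, NO_ATTR_ENV, ANON_ENV):
        gate.wrap(site)(dict(env), lambda status, headers: statuses.append(status))
    return statuses


if __name__ == "__main__":
    print(run_sample())   # ['200 OK', '302 Found', '302 Found']
```

The site code only ever sees `environ["auth.principal"]`; if the corporate deployment later moves from LDAP to something else, only `LdapProxyBackend` is replaced. Note that the redirect-on-missing-data rule treats "authenticated but no attributes came back" the same as "not authenticated at all", which is the eviction the post recommends.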