Vulnerability in EPiServer.Forms
We are about to start a new project where the customer needs an Active Directory integration to EPiServer 7 CMS. I haven't worked with AD Membership Provider before and was wondering the following things:
* Does EPi CMS authenticate against AD with LDAP on each login?
* Does EPi CMS replicate the users to SQL Server Database or are the credentials just cached?
* What happens when the connection from the EPiServer to AD disconnects - will the authentication work if the cache is up and running?
* If you set the CacheExpiration to, let's say, 12 hours - does it mean that the cache will not be refreshed during this time or is it updated incrementally? I.e. the user changes the account password - does he need to wait till the cache is refreshed - in this case 12 hours - in order to log in with the new password?
* What is cached - only the users who have logged in or all the credentials that are under the defined membership provider location?
Take a look at this blog post from Fredrik Haglund and first decide if you really want to use the LDAP based ActiveDirectoryMembershipProvider instead of the WindowsMembershipProvider. It also answers most of your questions.
Thank you - this did indeed answer most of my questions.
Great! If you use ActiveDirectoryMembershipProvider you usually want to inherit it and fix the wildcard problem described here:
Also when you have your own implementation you can easily add your own caching code to the methods of choice in order to reduce LDAP traffic.
For troubleshooting, feel free to check out
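
The caching suggestion in the reply above, sketched as an added example that is not part of the original thread or of EPiServer's code: a provider that inherits `ActiveDirectoryMembershipProvider`, caches only `GetUser` lookups, and always passes `ValidateUser` through to the base provider so a changed password is never checked against cached data. The class name, cache name and 10-minute lifetime are assumptions.

```csharp
using System;
using System.Runtime.Caching;
using System.Web.Security;

// Hypothetical class name; register it in web.config in place of the stock provider.
public class CachingActiveDirectoryMembershipProvider : ActiveDirectoryMembershipProvider
{
    // Assumed cache name and lifetime; tune the lifetime to how stale a profile may be.
    private static readonly MemoryCache UserCache = new MemoryCache("AdMembershipUsers");
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(10);

    private static string KeyFor(string username)
    {
        return "user:" + username.ToLowerInvariant();
    }

    // Profile lookups are the repetitive LDAP traffic, so they are served from the cache.
    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        if (string.IsNullOrEmpty(username))
            return base.GetUser(username, userIsOnline);

        string key = KeyFor(username);
        var cached = UserCache.Get(key) as MembershipUser;
        if (cached != null)
            return cached;

        MembershipUser user = base.GetUser(username, userIsOnline);
        if (user != null) // never cache "not found", so new accounts show up at once
            UserCache.Set(key, user, DateTimeOffset.UtcNow.Add(Lifetime));
        return user;
    }

    // Credential checks are never cached: every call is delegated to the base provider.
    public override bool ValidateUser(string username, string password)
    {
        bool valid = base.ValidateUser(username, password);

        // A failed login may mean the account was disabled, locked or changed,
        // so drop any cached profile and force a fresh lookup next time.
        if (!valid && !string.IsNullOrEmpty(username))
            UserCache.Remove(KeyFor(username));
        return valid;
    }
}
```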