Situation: I manage a hosted ASP.Net application that employs winform authentication. The application has role-based security and access control lists to various assets. Multiple customers use the same application. Some but not all customers have asked for the application to authenticate users against their LDAP, presumably to spare their users from having to log in, or to keep their passwords and account names in sync.
Questions: On two levels I am wondering how this could be done. Level 1 - can I even do such a thing over the internet? If so, what is required? Level 2 - How am I to manage enrollment, roles and ACLs for users authenticated this way outside of my application?
SharePoint supports this type of authentication through the use of a custom Membership & Role provider. In SharePoint 2010 this is called Claims Authentication.
The Membership & Role providers are responsible for communicating with the directory store (whether it be SQL, AD, LDAP or other). Membership will do the heavy lifting for authentication (is this person who they say they are). Role will do the heavy lifting for authorization (what groups does this user belong to).
SharePoint uses a local database that maps Roles to an ACL. So at runtime SharePoint will authorize a user request using information from the Role provider and from its internal database (user must have Role X to access resource Y).
So I believe you will need to follow a similar pattern for your application.
Beware that you could run into performance problems making LDAP calls to a remote system in real-time. So you will probably want to have some way of caching user roles from the role provider in memory.
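The pattern the answer describes (Membership does authentication against the remote directory, Role fetches group membership, a local table maps roles to an ACL, and role lookups are cached), as an added C# example that is not from the question or the answer. It assumes a customer directory reachable over LDAPS on port 636, a read-only service account for lookups, a configured certificate thumbprint for that customer's server, and an in-memory dictionary standing in for the application's own role-to-ACL database; the host, base DN and group names are placeholders. `ValidateUser` and `GetRolesForUser` carry the names of the `System.Web.Security` `MembershipProvider` and `RoleProvider` methods they would back, but the class is plain so it can be used from any web stack.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Runtime.Caching;
using System.Text;

// Assumed deployment: one instance per customer, configured with that customer's
// LDAPS host, base DN, lookup account and server certificate thumbprint.
public sealed class CustomerLdapAuthenticator
{
    private readonly string _host;               // e.g. "ldap.customer.example" (placeholder)
    private readonly string _baseDn;             // e.g. "DC=customer,DC=example" (placeholder)
    private readonly NetworkCredential _service; // read-only lookup account (assumed)
    private readonly string _certThumbprint;     // expected server cert thumbprint (assumed)
    private readonly MemoryCache _roleCache = MemoryCache.Default;
    private static readonly TimeSpan RoleTtl = TimeSpan.FromMinutes(5); // bounds staleness after a group change

    public CustomerLdapAuthenticator(string host, string baseDn, NetworkCredential service, string certThumbprint)
    { _host = host; _baseDn = baseDn; _service = service; _certThumbprint = certThumbprint; }

    private LdapConnection Connect(NetworkCredential cred)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(_host, 636));
        conn.SessionOptions.SecureSocketLayer = true; // LDAPS only; a simple bind across the internet must never run in plaintext
        conn.SessionOptions.VerifyServerCertificate = (c, cert) =>
            cert != null && string.Equals(cert.GetCertHashString(), _certThumbprint, StringComparison.OrdinalIgnoreCase);
        conn.AuthType = AuthType.Basic;
        conn.Credential = cred;
        conn.Bind(); // throws LdapException on bad credentials or a rejected certificate
        return conn;
    }

    // RFC 4515 escaping so a user-supplied name cannot alter the search filter.
    private static string Escape(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char ch in value)
        {
            switch (ch)
            {
                case '*': sb.Append(@"\2a"); break;
                case '(': sb.Append(@"\28"); break;
                case ')': sb.Append(@"\29"); break;
                case '\\': sb.Append(@"\5c"); break;
                case '\0': sb.Append(@"\00"); break;
                default: sb.Append(ch); break;
            }
        }
        return sb.ToString();
    }

    private SearchResultEntry FindUser(LdapConnection conn, string userName, params string[] attributes)
    {
        var filter = "(|(sAMAccountName=" + Escape(userName) + ")(uid=" + Escape(userName) + "))";
        var resp = (SearchResponse)conn.SendRequest(new SearchRequest(_baseDn, filter, SearchScope.Subtree, attributes));
        return resp.Entries.Count == 1 ? resp.Entries[0] : null; // exactly one match, or treat as unknown
    }

    // Membership side: is this person who they say they are? Bind as the user's own DN.
    public bool ValidateUser(string userName, string password)
    {
        if (string.IsNullOrEmpty(password)) return false; // an empty password is an anonymous bind on many servers and would "succeed"
        string dn;
        using (var lookup = Connect(_service))
        {
            var entry = FindUser(lookup, userName, "distinguishedName");
            if (entry == null) return false;
            dn = entry.DistinguishedName;
        }
        try { using (Connect(new NetworkCredential(dn, password))) { return true; } }
        catch (LdapException) { return false; }
    }

    // Role side: which groups does this user belong to? Cached so each request does not cost a remote LDAP round-trip.
    public string[] GetRolesForUser(string userName)
    {
        var key = "roles:" + _host + ":" + userName;
        if (_roleCache.Get(key) is string[] cached) return cached;
        var roles = new List<string>();
        using (var conn = Connect(_service))
        {
            var entry = FindUser(conn, userName, "memberOf");
            if (entry != null && entry.Attributes.Contains("memberOf"))
                foreach (string groupDn in entry.Attributes["memberOf"].GetValues(typeof(string)))
                    roles.Add(groupDn);
        }
        var result = roles.ToArray();
        _roleCache.Set(key, result, DateTimeOffset.UtcNow.Add(RoleTtl));
        return result;
    }
}

// The application's own role-to-ACL table (the local database in the answer; an in-memory map here).
public sealed class ResourceAcl
{
    private readonly Dictionary<string, HashSet<string>> _required =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string resource, string roleDn)
    {
        if (!_required.TryGetValue(resource, out var set))
            _required[resource] = set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        set.Add(roleDn);
    }

    // Default deny: a resource with no entry, or a user with no matching role, is refused.
    public bool IsAuthorized(string resource, IEnumerable<string> userRoles)
    {
        if (!_required.TryGetValue(resource, out var set)) return false;
        foreach (var role in userRoles) if (set.Contains(role)) return true;
        return false;
    }
}
```

Enrollment stays on the application side: a user only appears in `ResourceAcl` once an administrator grants one of their directory groups access to a resource, so a valid LDAP login with no granted group authenticates but is authorized for nothing. Each customer gets its own `CustomerLdapAuthenticator` and its own thumbprint; the cache key includes the host so two customers' users with the same account name never share roles.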