Bytes | Software Development & Data Engineering Community

open ldap authentication without redundant log-in

Hi folks,

I've been searching for a while and haven't found my specific question
anywhere else. If this has already been asked, please accept my
apologies and point me to the appropriate thread.

I'm bidding on a PHP intranet development contract. One of the specific
requirements is that the app interface with the company's existing Open
LDAP server for user authentication.

On site users log-in to their terminals via the LDAP server. Remote
users VPN via the LDAP server. Either way, the company uses one LDAP
server to control all IT access points, not just their intranet.

I'm new to LDAP. Based on what I've read so far, I'm 100% certain I
could build an authentication mechanism that uses an existing set of
LDAP users (or use the Apache mod_ldap_auth to require a valid user).

However, the client doesn't want a redundant log-in. They want to log
into their terminals in the morning. Then, when it comes time to use
the intranet, they want it to recognize that they've already logged in,
ascertain which group they belong to, and return only the appropriate
content.

I'm not sure I can do this. It would seem, based on my fractured
understanding of it, that any LDAP bind requires already knowing the
dn.

The Apache mod_ldap_auth seems promising, but will it see that the
person is logged into the system and count that as a valid user? If so,
how can I tell which group the valid user belongs to for variable
content/functionality?

My previous authentication has always been with MySQL and session
variables so I'm clueless. Can someone please shed some light or point
me in the right direction?

Thanks,
-Dan

Jul 17 '05 #1
LDAP authentication isn't too hard to get working with Apache (I've just
done that this morning in fact, Linux/Apache authenticating against
Active Directory no less!). Not too hard within PHP too.

The trouble you will have, I think, is the requirement for not having a
redundant login. It "may" be possible using IIS and I.E. but I wouldn't
know, I won't support them ;-) As far as I know, when you first fire up
the browser and point it at your web server the web server has no way of
knowing who that user is. So they will need to re-authenticate (after
which they will be known under REMOTE_USER).

Personally I don't think what they are asking for is a good idea at all.
You should always re-authenticate across applications. What's to stop a
user logging on to their terminal then walking away, allowing anyone to
access anything under their account?

Hope that helps?

Sacs
Jul 17 '05 #2
Thanks for confirming my suspicions, Sacs.

At the onset, I advised against carrying the log-in across apps. They
either don't believe any of _their_ employees are immoral enough to
attempt hijacking another's log-in, or they're just lazy enough to
disregard the risk.

They're very anti-Micro$oft, so if I can find some reputable sources
showing either that this can't be done with a Linux Apache, as I
believe you suggest, or that it's excessively stupid, as we all know it
is, I can sway them.

Anyone know any great articles out there that might help my case? I
need some ammunition against another bidding developer saying "oh,
yeah, I can do it and it's no security issue at all."

Thanks again,
-Dan
Jul 17 '05 #3
dm*******@yahoo.com wrote:
Thanks for confirming my suspicions, Sacs.

At the onset, I advised against carrying the log-in across apps. They
either don't believe any of _their_ employees are immoral enough to
attempt hijacking another's log-in, or they're just lazy enough to
disregard the risk.

It's not just their employees, it's the cleaner, someone at reception
while the receptionist is getting the CEO more coffee, the mailroom
clerk's kid...

http://www.securitydocs.com/library/2998
"...dishonest and disgruntled employees top the list at about 80% as the
most likely source of attack"

http://securitysa.com/article.asp?pk...CategoryID=106

"Most security breaches do not originate from external hackers, viruses
or worms, but from employees who, according to Gartner, commit more than
70% of unauthorised access to information systems. They are responsible
for more than 95% of intrusions"

They're very anti-Micro$oft, so if I can find some reputable sources
             ^^^^^^^^^^^^^^
At least THAT's a good start ;-)
showing either that this can't be done with a Linux Apache, as I
believe you suggest, or that it's excessively stupid, as we all know it
is, I can sway them.

Anyone know any great articles out there that might help my case? I
need some ammunition against another bidding developer saying "oh,
yeah, I can do it and it's no security issue at all."

That'd be the bidder suggesting an ActiveX control probably, no security
problems there. *cough*

Thanks again,
-Dan
Good luck, Dan!

Sacs


Jul 17 '05 #4
Good stuff, Sacs.

Thanks a bunch,
-Dan

Jul 17 '05 #5
Dan,

It's not just LDAP - it's basic authentication with any web app.

When the user tries to access a restricted page, the web server (Apache
or IIS) sends an authentication header to the browser (the communication
is stateless - so the server doesn't know who's trying to access it).

The browser responds with the appropriate userid and password. But
there's one problem - the browser was just started, so it doesn't know
what the userid and password are. This was handled by another
application (the LDAP server login).

So, the browser (IE, NS, FF, whatever) has to ask the user for the
userid and password. The user types them in; from then on any request
from this site will get the userid and password just entered. But there
is no way to get this info from the LDAP signon app.

About the only way you could do this is to have access to the web server
itself protected by LDAP - i.e. behind a firewall controlled by LDAP or
something similar. This is beyond my knowledge of LDAP.

But it can't be done with the web server and browser.

--

To reply, delete the 'x' from my email
Jerry Stuckle,
JDS Computer Training Corp.
js*******@attglobal.net
Member of Independent Computer Consultants Association - www.icca.org
Jul 17 '05 #6
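For the group question Dan raises, here is an added example (not code from the thread) of a PHP page that sits behind Apache's LDAP authentication, as Sacs describes, and looks the authenticated user's groups up with a read-only service account to decide which content to return. It assumes Apache (mod_auth_ldap, or mod_authnz_ldap on later versions) protects the script with "require valid-user" so that REMOTE_USER is set; the host, DNs, group names and the INTRANET_LDAP_PW environment variable are placeholders.

```php
<?php
// Added example, not from the thread. Apache has already answered the
// browser's credentials with its own bind against OpenLDAP for this
// request; this script only ever binds as a read-only service account.
// All hosts, DNs and group names below are placeholders.

$cfg = [
    'uri'        => 'ldap://ldap.example.internal',                      // placeholder
    'service_dn' => 'cn=intranet-ro,ou=Services,dc=example,dc=internal', // placeholder
    'service_pw' => getenv('INTRANET_LDAP_PW'),   // from the environment, not source
    'user_base'  => 'ou=People,dc=example,dc=internal',
    'group_base' => 'ou=Groups,dc=example,dc=internal',
];

// REMOTE_USER is populated only after Apache's LDAP bind succeeded for this
// request. If it is absent, the auth layer is not in front of this script:
// fail closed instead of guessing the identity from anything client-side.
if (empty($_SERVER['REMOTE_USER'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not authenticated by the LDAP front end.');
}
$uid = $_SERVER['REMOTE_USER'];

/**
 * Return the cn of every group that lists $uid, either as a posixGroup
 * memberUid or as a groupOfNames member DN. Returns [] on any error.
 */
function groups_for_user(string $uid, array $cfg): array
{
    $conn = ldap_connect($cfg['uri']);
    if ($conn === false) { return []; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // STARTTLS before the bind so the service password is not sent in clear.
    if (!@ldap_start_tls($conn) || !@ldap_bind($conn, $cfg['service_dn'], $cfg['service_pw'])) {
        return [];
    }

    // The username came from the client (via Apache); escape it so "*" or
    // ")(" in a crafted login name cannot rewrite the search filter.
    $safeUid = ldap_escape($uid, '', LDAP_ESCAPE_FILTER);
    $userDn  = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . $cfg['user_base'];
    $safeDn  = ldap_escape($userDn, '', LDAP_ESCAPE_FILTER);
    $filter  = "(|(memberUid={$safeUid})(member={$safeDn}))";

    $result = @ldap_search($conn, $cfg['group_base'], $filter, ['cn']);
    if ($result === false) { return []; }
    $groups = [];
    foreach (ldap_get_entries($conn, $result) as $key => $entry) {
        if ($key === 'count') { continue; }   // ldap_get_entries() adds a count element
        $groups[] = $entry['cn'][0];
    }
    ldap_unbind($conn);
    return $groups;
}

// Pick the content for this user's role; no matching group means no page.
$groups = groups_for_user($uid, $cfg);
if (in_array('intranet-admins', $groups, true)) {
    include 'admin_content.php';
} elseif (in_array('intranet-staff', $groups, true)) {
    include 'staff_content.php';
} else {
    header('HTTP/1.1 403 Forbidden');
    exit('No intranet role for ' . htmlspecialchars($uid, ENT_QUOTES, 'UTF-8'));
}
```

This does not remove the browser log-in that Sacs and Jerry describe: Apache only sets REMOTE_USER once the browser has answered the 401 challenge for that request.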
