Bytes IT Community

open ldap authentication without redundant log-in

Hi folks,

I've been searching for a while and haven't found my specific question
anywhere else. If this has already been asked, please accept my
apologies and point me to the appropriate thread.

I'm bidding on a PHP intranet development contract. One of the specific
requirements is that the app interface with the company's existing Open
LDAP server for user authentication.

On site users log-in to their terminals via the LDAP server. Remote
users VPN via the LDAP server. Either way, the company uses one LDAP
server to control all IT access points, not just their intranet.

I'm new to LDAP. Based on what I've read so far, I'm 100% certain I
could build an authentication mechanism that uses an existing set of
LDAP users (or use the Apache mod_ldap_auth to require a valid user).

However, the client doesn't want a redundant log-in. They want to log
into their terminals in the morning. Then, when it comes time to use
the intranet, they want it to recognize that they've already logged in,
ascertain which group they belong to, and return only the appropriate
content.

I'm not sure I can do this. It would seem, based on my fractured
understanding of it, that any LDAP bind requires already knowing the
dn.

The Apache mod_ldap_auth seems promising, but will it see that the
person is logged into the system and count that as a valid user? If so,
how can I tell which group the valid user belongs to for variable
content/functionality?

My previous authentication has always been with MySQL and session
variables so I'm clueless. Can someone please shed some light or point
me in the right direction?

Thanks,
-Dan

Jul 17 '05 #1
LDAP authentication isn't too hard to get working with Apache (I've just
done that this morning in fact, Linux/Apache authenticating against
Active Directory no less!) Not too hard within PHP too.

The trouble you will have, I think, is the requirement for not having a
redundant login. It "may" be possible using IIS and I.E. but I wouldn't
know, I won't support them ;-) As far as I know, when you first fire up
the browser and point it at your web server the web server has no way of
knowing who that user is. So they will need to re-authenticate (after
which they will be known under REMOTE_USER).

Personally I don't think what they are asking for is a good idea at all.
You should always re-authenticate across applications. What's to stop a
user logging on to their terminal then walking away, allowing anyone to
access anything under their account?

Hope that helps?

Sacs
Jul 17 '05 #2

Thanks for confirming my suspicions, Sacs.

At the onset, I advised against carrying the log-in across apps. They
either don't believe any of _their_ employees are immoral enough to
attempt hijacking another's log-in, or they're just lazy enough to
disregard the risk.

They're very anti-Micro$oft, so if I can find some reputable sources
showing either that this can't be done with a Linux Apache, as I
believe you suggest, or that it's excessively stupid, as we all know it
is, I can sway them.

Anyone know any great articles out there that might help my case? I
need some ammunition against another bidding developer saying "oh,
yeah, I can do it and it's no security issue at all."

Thanks again,
-Dan
Jul 17 '05 #3

dm*******@yahoo.com wrote:
> Thanks for confirming my suspicions, Sacs.
>
> At the onset, I advised against carrying the log-in across apps. They
> either don't believe any of _their_ employees are immoral enough to
> attempt hijacking another's log-in, or they're just lazy enough to
> disregard the risk.

It's not just their employees, it's the cleaner, someone at reception
while the receptionist is getting the CEO more coffee, the mailroom
clerk's kid...

http://www.securitydocs.com/library/2998
"...dishonest and disgruntled employees top the list at about 80% as the
most likely source of attack"

http://securitysa.com/article.asp?pk...CategoryID=106

"Most security breaches do not originate from external hackers, viruses
or worms, but from employees who, according to Gartner, commit more than
70% of unauthorised access to information systems. They are responsible
for more than 95% of intrusions"

> They're very anti-Micro$oft, so if I can find some reputable sources
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
At least THAT's a good start ;-)

> showing either that this can't be done with a Linux Apache, as I
> believe you suggest, or that it's excessively stupid, as we all know it
> is, I can sway them.
>
> Anyone know any great articles out there that might help my case? I
> need some ammunition against another bidding developer saying "oh,
> yeah, I can do it and it's no security issue at all."

That'd be the bidder suggesting an ActiveX control probably, no security
problems there. *cough*

> Thanks again,
> -Dan

Good luck, Dan!

Sacs

Jul 17 '05 #4

Good stuff, Sacs.

Thanks a bunch,
-Dan

Jul 17 '05 #5

Dan,

It's not just LDAP - it's basic authentication with any web app.

When the user tries to access a restricted page, the web server (Apache
or IIS) sends an authentication header to the browser (the communication
is stateless - so the server doesn't know who's trying to access it).

The browser responds with the appropriate userid and password. But
there's one problem - the browser was just started, so it doesn't know
what the userid and password are. This was handled by another
application (the LDAP server login).

So, the browser (IE, NS, FF, whatever) has to ask the user for the
userid and password. The user types them in; from then on any request
from this site will get the userid and password just entered. But there
is no way to get this info from the LDAP signon app.

About the only way you could do this is to have access to the web server
itself protected by LDAP - i.e. behind a firewall controlled by LDAP or
something similar. This is beyond my knowledge of LDAP.

But it can't be done with the web server and browser.

--

To reply, delete the 'x' from my email
Jerry Stuckle,
JDS Computer Training Corp.
js*******@attglobal.net
Member of Independent Computer Consultants Association - www.icca.org
Jul 17 '05 #6
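As an added example (not code from the thread, nor from Sacs or Jerry), here is the exchange Jerry describes and the "a bind needs the dn" question Dan raises, written in PHP with ext/ldap: the browser's first request gets a Basic challenge, the typed uid is resolved to a DN through a read-only service account, the user's own bind proves the password, and group membership comes from a groupOfNames search. The hostname, base DN, service account and group name are assumed placeholders.

```php
<?php
// Added example, not code from the thread. Host, base DN, service account
// and group name are assumed placeholders for the client's OpenLDAP setup.
function ldap_login_groups(string $uid, string $password): ?array
{
    $uri    = 'ldaps://ldap.example.internal';                // assumed
    $baseDn = 'dc=example,dc=internal';                       // assumed
    $svcDn  = 'cn=webapp,ou=services,dc=example,dc=internal'; // assumed read-only account
    $svcPw  = getenv('LDAP_SERVICE_PW') ?: '';
    $ds = ldap_connect($uri);
    if ($ds === false) { return null; }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // 1. A bind needs the full DN, so look the uid up first with the service
    //    account. Escape it so a crafted login name cannot alter the filter.
    if (!@ldap_bind($ds, $svcDn, $svcPw)) { return null; }
    $filter = '(&(objectClass=inetOrgPerson)(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . '))';
    $res    = ldap_search($ds, $baseDn, $filter, ['dn']);
    $hits   = $res ? ldap_get_entries($ds, $res) : false;
    if (!$hits || $hits['count'] !== 1) { return null; } // unknown or ambiguous uid
    $userDn = $hits[0]['dn'];
    // 2. Prove the password by binding as the user's own DN. An empty password
    //    would be an anonymous bind, which some directories accept, so reject it.
    if ($password === '' || !@ldap_bind($ds, $userDn, $password)) { return null; }
    // 3. Groups: groupOfNames entries whose member attribute lists the user's DN.
    $gFilter = '(&(objectClass=groupOfNames)(member=' . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . '))';
    $gRes    = ldap_search($ds, $baseDn, $gFilter, ['cn']);
    $gHits   = $gRes ? ldap_get_entries($ds, $gRes) : ['count' => 0];
    $groups  = [];
    for ($i = 0; $i < $gHits['count']; $i++) {
        $groups[] = $gHits[$i]['cn'][0];
    }
    ldap_unbind($ds);
    return $groups;
}

// The first request from a freshly started browser carries no credentials,
// so the server sends a 401 challenge; the browser prompts, then resends.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Intranet"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Login required');
}
$groups = ldap_login_groups($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ?? '');
if ($groups === null) {
    header('HTTP/1.0 403 Forbidden');
    exit('Invalid credentials');
}
echo in_array('intranet-admins', $groups, true) ? 'admin content' : 'staff content';
```

Because the credentials are resent with every request, this must only ever run over TLS, and it still asks the user to log in once per browser session, which is exactly the re-authentication Sacs and Jerry say cannot be avoided with a plain web server and browser.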
