open ldap authentication without redundant log-in

Hi folks,

I've been searching for a while and haven't found my specific question
anywhere else. If this has already been asked, please accept my
apologies and point me to the appropriate thread.

I'm bidding on a PHP intranet development contract. One of the specific
requirements is that the app interface with the company's existing Open
LDAP server for user authentication.

On site users log-in to their terminals via the LDAP server. Remote
users VPN via the LDAP server. Either way, the company uses one LDAP
server to control all IT access points, not just their intranet.

I'm new to LDAP. Based on what I've read so far, I'm 100% certain I
could build an authentication mechanism that uses an existing set of
LDAP users (or use the Apache mod_ldap_auth to require a valid user).

However, the client doesn't want a redundant log-in. They want to log
into their terminals in the morning. Then, when it comes time to use
the intranet, they want it to recognize that they've already logged in,
ascertain which group they belong to, and return only the appropriate
content.

I'm not sure I can do this. It would seem, based on my fractured
understanding of it, that any LDAP bind requires already knowing the
dn.

The Apache mod_ldap_auth seems promising, but will it see that the
person is logged into the system and count that as a valid user? If so,
how can I tell which group the valid user belongs to for variable
content/functionality?

My previous authentication has always been with MySQL and session
variables so I'm clueless. Can someone please shed some light or point
me in the right direction?

Thanks,
-Dan

Jul 17 '05 #1
dm*******@yahoo.com wrote:
Hi folks,
<snip> I'm new to LDAP. Based on what I've read so far, I'm 100% certain I
could build an authentication mechanism that uses an existing set of
LDAP users (or use the Apache mod_ldap_auth to require a valid user).

However, the client doesn't want a redundant log-in. They want to log
into their terminals in the morning. Then, when it comes time to use
the intranet, they want it to recognize that they've already logged in,
ascertain which group they belong to, and return only the appropriate
content.

I'm not sure I can do this. It would seem, based on my fractured
understanding of it, that any LDAP bind requires already knowing the
dn.

The Apache mod_ldap_auth seems promising, but will it see that the
person is logged into the system and count that as a valid user? If so,
how can I tell which group the valid user belongs to for variable
content/functionality?

My previous authentication has always been with MySQL and session
variables so I'm clueless. Can someone please shed some light or point
me in the right direction?

Thanks,
-Dan

Ldap authentication isn't too hard to get working with Apache (I've just
done that this morning in fact, Linux/Apache authenticating against
Active Directory no less!) Not too hard within PHP too.

The trouble you will have, I think, is the requirement for not having a
redundant login. It "may" be possible using IIS and I.E. but I wouldn't
know, I won't support them ;-) As far as I know, when you first fire up
the browser and point it at your web server the web server has no way of
knowing who that user is. So they will need to re-authenticate (after
which they will be known under REMOTE_USER).

Personally I don't think what they are asking for is a good idea at all.
You should always re-authenticate across applications. What's to stop a
user logging on to their terminal then walking away, allowing anyone to
access anything under their account?

Hope that helps?

Sacs
Jul 17 '05 #2
Thanks for confirming my suspicions, Sacs.

At the onset, I advised against carrying the log-in across apps. They
either don't believe any of _their_ employees are immoral enough to
attempt hijacking another's log-in, or they're just lazy enough to
disregard the risk.

They're very anti-Micro$oft, so if I can find some reputable sources
showing either that this can't be done with a Linux Apache, as I
believe you suggest, or that it's excessively stupid, as we all know it
is, I can sway them.

Anyone know any great articles out there that might help my case? I
need some ammunition against another bidding developer saying "oh,
yeah, I can do it and it's no security issue at all."

Thanks again,
-Dan
Jul 17 '05 #3
dm*******@yahoo.com wrote:
Thanks for confirming my suspicions, Sacs.

At the onset, I advised against carrying the log-in across apps. They
either don't believe any of _their_ employees are immoral enough to
attempt hijacking another's log-in, or they're just lazy enough to
disregard the risk.

It's not just their employees, it's the cleaner, someone at reception
while the receptionist is getting the CEO more coffee, the mailroom
clerk's kid...

http://www.securitydocs.com/library/2998
"...dishonest and disgruntled employees top the list at about 80% as the
most likely source of attack"

http://securitysa.com/article.asp?pk...CategoryID=106

"Most security breaches do not originate from external hackers, viruses
or worms, but from employees who, according to Gartner, commit more than
70% of unauthorised access to information systems. They are responsible
for more than 95% of intrusions"

They're very anti-Micro$oft, so if I can find some reputable sources
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
At least THAT's a good start ;-)
showing either that this can't be done with a Linux Apache, as I
believe you suggest, or that it's excessively stupid, as we all know it
is, I can sway them.

Anyone know any great articles out there that might help my case? I
need some ammunition against another bidding developer saying "oh,
yeah, I can do it and it's no security issue at all."

That'd be the bidder suggesting an ActiveX control probably, no security
problems there. *cough*

Thanks again,
-Dan
Good luck, Dan!

Sacs


Jul 17 '05 #4
Good stuff, Sacs.

Thanks a bunch,
-Dan

Jul 17 '05 #5
Dan,

It's not just LDAP - it's basic authentication with any web app.

When the user tries to access a restricted page, the web server (Apache
or IIS) sends an authentication header to the browser (the communication
is stateless - so the server doesn't know who's trying to access it).

The browser responds with the appropriate userid and password. But
there's one problem - the browser was just started, so it doesn't know
what the userid and password are. This was handled by another
application (the LDAP server login).

So, the browser (IE, NS, FF, whatever) has to ask the user for the
userid and password. The user types them in; from then on any request
from this site will get the userid and password just entered. But there
is no way to get this info from the LDAP signon app.

About the only way you could do this is to have access to the web server
itself protected by LDAP - i.e. behind a firewall controlled by LDAP or
something similar. This is beyond my knowledge of LDAP.

But it can't be done with the web server and browser.

--

To reply, delete the 'x' from my email
Jerry Stuckle,
JDS Computer Training Corp.
js*******@attglobal.net
Member of Independent Computer Consultants Association - www.icca.org
Jul 17 '05 #6
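An added example for the two points made above, not code from any poster in this thread: a PHP page that does the one-time re-authentication Sacs and Jerry describe (the HTTP Basic challenge, since the browser cannot reuse the terminal login), verifies the credentials with an LDAP bind, and then answers Dan's "which group" question by searching for the groups that list the user's DN, caching the result in the PHP session. It assumes OpenLDAP with uid-based user entries and groupOfNames groups; the server URI, base DNs and the group name `intranet-admins` are placeholders.

```php
<?php
// Added example, not code from this thread. Assumed layout (placeholders): users as
// uid=<login> under PEOPLE_DN, groupOfNames groups under GROUPS_DN with member=<user DN>.
const LDAP_URI  = 'ldap://ldap.example.internal';
const PEOPLE_DN = 'ou=people,dc=example,dc=internal';
const GROUPS_DN = 'ou=groups,dc=example,dc=internal';

function ldapConnect() {
    $ds = ldap_connect(LDAP_URI);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // STARTTLS so the password bind below is not sent in clear text.
    if (!ldap_start_tls($ds)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ds));
    }
    return $ds;
}

// HTTP is stateless, so the intranet has to challenge once: the browser cannot
// reuse the terminal login. After that the browser re-sends the credentials itself.
function challenge($message) {
    header('WWW-Authenticate: Basic realm="Intranet"');
    header('HTTP/1.0 401 Unauthorized');
    exit($message);
}

// Verify the credentials by binding as the user's own DN.
function authenticate($ds, $login, $password) {
    // An empty password would turn this into an anonymous bind, which "succeeds".
    if ($login === '' || $password === '') {
        return null;
    }
    // Escape the login so a crafted value cannot alter the DN.
    $dn = 'uid=' . ldap_escape($login, '', LDAP_ESCAPE_DN) . ',' . PEOPLE_DN;
    return @ldap_bind($ds, $dn, $password) ? $dn : null;
}

// Answer "which group does the valid user belong to": search for groups that
// list this DN as a member. The DN is escaped for use inside a search filter.
function groupsOf($ds, $userDn) {
    $filter = '(&(objectClass=groupOfNames)(member=' . ldap_escape($userDn, '', LDAP_ESCAPE_FILTER) . '))';
    $result = ldap_search($ds, GROUPS_DN, $filter, ['cn']);
    $groups = [];
    foreach (ldap_get_entries($ds, $result) as $key => $entry) {
        if ($key !== 'count') {
            $groups[] = $entry['cn'][0];
        }
    }
    return $groups;
}

session_start();
if (!isset($_SESSION['groups'])) {
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        challenge('Authentication required');
    }
    $ds = ldapConnect();
    $userDn = authenticate($ds, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    if ($userDn === null) {
        challenge('Invalid credentials');
    }
    session_regenerate_id(true); // fresh session id once the login state changes
    $_SESSION['groups'] = groupsOf($ds, $userDn);
    ldap_unbind($ds);
}
// Vary the content by group membership; the group name is a placeholder.
echo in_array('intranet-admins', $_SESSION['groups'], true) ? 'admin menu' : 'staff menu';
```

The bind as the user's own DN is what makes the check real; a service-account bind plus a password comparison in PHP would expose the directory password to the application.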