Home > Archive > PHP Programming > February 2005 > open ldap authentication without redundant log-in
open ldap authentication without redundant log-in
dmcconkey@yahoo.com 2005-02-24, 8:56 pm
Hi folks,
I've been searching for a while and haven't found my specific question
anywhere else. If this has already been asked, please accept my
apologies and point me to the appropriate thread.
I'm bidding on a PHP intranet development contract. One of the specific
requirements is that the app interface with the company's existing Open
LDAP server for user authentication.
On site users log-in to their terminals via the LDAP server. Remote
users VPN via the LDAP server. Either way, the company uses one LDAP
server to control all IT access points, not just their intranet.
I'm new to LDAP. Based on what I've read so far, I'm 100% certain I
could build an authentication mechanism that uses an existing set of
LDAP users (or use the apache mod_ldap_auth to require a valid user).
However, the client doesn't want a redundant log-in. They want to log
into their terminals in the morning. Then, when it comes time to use
the intranet, they want it to recognize that they've already logged in,
ascertain which group they belong to, and return only the appropriate
content.
I'm not sure I can do this. It would seem, based on my fractured
understanding of it, that any LDAP bind requires already knowing the
dn.
The apache mod_ldap_auth seems promising, but will it see that the
person is logged into the system and count that as a valid user? If so,
how can I tell which group the valid user belongs to for variable
content/functionality?
My previous authentication has always been with MySQL and session
variables so I'm clueless. Can someone please shed some light or point
me in the right direction?
Thanks,
-Dan
dmcconkey@yahoo.com wrote:
> Hi folks,
>
<snip>
> I'm new to LDAP. Based on what I've read so far, I'm 100% certain I
> could build an authentication mechanism that uses an existing set of
> LDAP users (or use the apache mod_ldap_auth to require a valid user).
>
> However, the client doesn't want a redundant log-in. They want to log
> into their terminals in the morning. Then, when it comes time to use
> the intranet, they want it to recognize that they've already logged in,
> ascertain which group they belong to, and return only the appropriate
> content.
>
> I'm not sure I can do this. It would seem, based on my fractured
> understanding of it, that any LDAP bind requires already knowing the
> dn.
>
> The apache mod_ldap_auth seems promising, but will it see that the
> person is logged into the system and count that as a valid user? If so,
> how can I tell which group the valid user belongs to for variable
> content/functionality?
>
> My previous authentication has always been with MySQL and session
> variables so I'm clueless. Can someone please shed some light or point
> me in the right direction?
>
> Thanks,
> -Dan
>
Ldap authentication isn't too hard to get working with apache (I've just
done that this morning in fact, Linux/Apache authenticating against
Active Directory no less!) Not too hard within PHP too.
The trouble you will have, I think, is the requirement for not having a
redundant login. It "may" be possible using IIS and I.E. but I wouldn't
know, I won't support them ;-) As far as I know, when you first fire up
the browser and point it at your web server the web server has no way of
knowing who that user is. So they will need to re-authenticate (after
which they will be known under REMOTE_USER).
Personally I don't think what they are asking for is a good idea at all.
You should always re-authenticate across applications. What's to stop a
user logging on to their terminal then walking away, allowing anyone to
access anything under their account?
Hope that helps?
Sacs
dmcconkey@yahoo.com 2005-02-25, 3:56 am
Thanks for confirming my suspicions, Sacs.
At the onset, I advised against carrying the log-in across apps. They
either don't believe any of _their_ employees are immoral enough to
attempt hijacking another's log-in, or they're just lazy enough to
disregard the risk.
They're very anti-Micro$oft, so if I can find some reputable sources
showing either that this can't be done with a Linux Apache, as I
believe you suggest, or that it's excessively stupid, as we all know it
is, I can sway them.
Anyone know any great articles out there that might help my case? I
need some ammunition against another bidding developer saying "oh,
yeah, I can do it and it's no security issue at all."
Thanks again,
-Dan
dmcconkey@yahoo.com wrote:
> Thanks for confirming my suspicions, Sacs.
>
> At the onset, I advised against carrying the log-in across apps. They
> either don't believe any of _their_ employees are immoral enough to
> attempt hijacking another's log-in, or they're just lazy enough to
> disregard the risk.
>
It's not just their employees, it's the cleaner, someone at reception
while the receptionist is getting the CEO more coffee, the mailroom
clerk's kid...
http://www.securitydocs.com/library/2998
"...dishonest and disgruntled employees top the list at about 80% as the
most likely source of attack"
http://securitysa.com/article.asp?p...lCategoryID=106
"Most security breaches do not originate from external hackers, viruses
or worms, but from employees who, according to Gartner, commit more than
70% of unauthorised access to information systems. They are responsible
for more than 95% of intrusions"
> They're very anti-Micro$oft, so If I can find some reputable sources
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
At least THAT's a good start ;-)
> showing either that this can't be done with a Linux Apache, as I
> believe you suggest, or that it's excessively stupid, as we all know it
> is, I can sway them.
>
> Anyone know any great articles out there that might help my case? I
> need some ammunition against another bidding developer saying "oh,
> yeah, I can do it and it's no security issue at all."
>
That'd be the bidder suggesting an ActiveX control probably, no security
problems there. *cough*
> Thanks again,
> -Dan
Good luck, Dan!
Sacs
dmcconkey@yahoo.com 2005-02-25, 3:57 pm
Good stuff, Sacs.
Thanks a bunch,
-Dan
Jerry Stuckle 2005-02-28, 8:56 pm
dmcconkey@yahoo.com wrote:
>
> Hi folks,
>
> I've been searching for a while and haven't found my specific question
> anywhere else. If this has already been asked, please accept my
> apologies and point me to the appropriate thread.
>
> I'm bidding on a PHP intranet development contract. One of the specific
> requirements is that the app interface with the company's existing Open
> LDAP server for user authentication.
>
> On site users log-in to their terminals via the LDAP server. Remote
> users VPN via the LDAP server. Either way, the company uses one LDAP
> server to control all IT access points, not just their intranet.
>
> I'm new to LDAP. Based on what I've read so far, I'm 100% certain I
> could build an authentication mechanism that uses an existing set of
> LDAP users (or use the apache mod_ldap_auth to require a valid user).
>
> However, the client doesn't want a redundant log-in. They want to log
> into their terminals in the morning. Then, when it comes time to use
> the intranet, they want it to recognize that they've already logged in,
> ascertain which group they belong to, and return only the appropriate
> content.
>
> I'm not sure I can do this. It would seem, based on my fractured
> understanding of it, that any LDAP bind requires already knowing the
> dn.
>
> The apache mod_ldap_auth seems promising, but will it see that the
> person is logged into the system and count that as a valid user? If so,
> how can I tell which group the valid user belongs to for variable
> content/functionality?
>
> My previous authentication has always been with MySQL and session
> variables so I'm clueless. Can someone please shed some light or point
> me in the right direction?
>
> Thanks,
> -Dan
Dan,
It's not just LDAP - it's basic authentication with any web app.
When the user tries to access a restricted page, the web server (Apache
or IIS) sends an authentication header to the browser (the communication
is stateless - so the server doesn't know who's trying to access it).
The browser responds with the appropriate userid and password. But
there's one problem - the browser was just started, so it doesn't know
what the userid and password are. This was handled by another
application (the LDAP server login).
So, the browser (IE, NS, FF, whatever) has to ask the user for the
userid and password. The user types them in; from then on any request
from this site will get the userid and password just entered. But there
is no way to get this info from the LDAP signon app.
About the only way you could do this is to have access to the web server
itself protected by LDAP - i.e. behind a firewall controlled by LDAP or
something similar. This is beyond my knowledge of LDAP.
But it can't be done with the web server and browser.
--
To reply, delete the 'x' from my email
Jerry Stuckle,
JDS Computer Training Corp.
jstucklex@attglobal.net
Member of Independent Computer Consultants Association - www.icca.org
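Putting Sacs's point that LDAP authentication is straightforward in PHP together with Jerry's description of the Basic-auth challenge, here is an added example (not code from anyone in the thread) of a PHP page that challenges the browser once, binds to OpenLDAP as the user so the password is checked without knowing the DN in advance, and then reads the user's groups for content selection. The ldaps:// host, the base DNs and the posixGroup/memberUid schema are assumptions; PHP_AUTH_USER is only populated when PHP runs as an Apache module.

```php
<?php
// Added example, not code from the thread: challenge the browser for
// credentials, verify them with an LDAP bind, then look up the user's groups.
// Server URI, base DNs and the posixGroup/memberUid schema are assumptions.
const LDAP_URI   = 'ldaps://ldap.example.internal';    // assumed
const USER_BASE  = 'ou=People,dc=example,dc=internal';  // assumed
const GROUP_BASE = 'ou=Groups,dc=example,dc=internal';  // assumed

/** Returns the user's group names on success, null if the login fails. */
function ldapAuthenticate(string $uid, string $password): ?array
{
    // An empty password turns the bind into an anonymous bind, which would
    // "succeed" for any uid, so reject it before talking to the server.
    if ($uid === '' || $password === '') { return null; }
    $ds = ldap_connect(LDAP_URI);
    if ($ds === false) { return null; }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // The DN is built from the uid, so nothing has to be known beforehand;
    // the bind itself is the password check. Escaping prevents DN injection.
    $dn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . USER_BASE;
    if (!@ldap_bind($ds, $dn, $password)) { ldap_unbind($ds); return null; }
    // Groups that list this uid as a member; escaping prevents filter injection.
    $filter = '(&(objectClass=posixGroup)(memberUid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($ds, GROUP_BASE, $filter, ['cn']);
    $entries = $res !== false ? ldap_get_entries($ds, $res) : ['count' => 0];
    $groups = [];
    foreach ($entries as $key => $entry) {
        if ($key !== 'count') { $groups[] = $entry['cn'][0]; }
    }
    ldap_unbind($ds);
    return $groups;
}

// The web server cannot know who sat down at the terminal, so the first
// request gets a 401 challenge; the browser prompts once and then resends
// the credentials with every request to this realm.
if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    header('WWW-Authenticate: Basic realm="Intranet"');
    header('HTTP/1.0 401 Unauthorized');
    exit('Authentication required');
}
$groups = ldapAuthenticate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
if ($groups === null) {
    header('HTTP/1.0 401 Unauthorized');
    exit('Invalid credentials');
}
// From here the app selects content by group instead of trusting the terminal login.
echo 'Groups: ' . htmlspecialchars(implode(', ', $groups));
```

Basic auth sends the password with every request, so the page must be served over HTTPS; the same bind-and-search logic works behind a PHP session form if the client prefers that to the browser prompt.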