Thanks for the input, Justin. I've just come up with an alternative solution involving querying the ip/username details directly from the vpn authentication server and determining the user from there. The AuthMPTO in the article sounds interesting but I'm loath to deploy a linux server farm and then have to use NT for authentication.

Cheers,
Dave

-----Original Message-----
From: Justin MacCarthy [mailto:[EMAIL PROTECTED]]
Sent: 16 December 2002 14:02
To: CF-Linux
Subject: RE: What are the alternatives to NT authentication?

Hi Dave,

Maybe one of the apache modules can auth against an NT domain? It is apache you are using, right?

..ah ... a quick google
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=apache+security+nt+domain+module
got me this ....
http://www.usenix.org/publications/login/1998-5/meek.html

Might be what you are looking for.

Justin

> -----Original Message-----
> From: Dave Wilson [mailto:[EMAIL PROTECTED]]
> Sent: 16 December 2002 13:27
> To: CF-Linux
> Subject: RE: What are the alternatives to NT authentication?
>
> Cheers Justin,
>
> Plenty of pointers there to have kept me going over the weekend. I
> still haven't come up with anything although I'm leaning towards using
> kerberos for the cross platform support. I'm still stuck with the
> problem of furnishing the cgi.remote_user variable. From my
> understanding of what I've read to date, cgi.remote_user is only
> available if a cgi login script is used, which I believe will prompt
> the user to log in - this is precisely what I'm trying to avoid as the
> user is already being authenticated by way of the vpn login. I'm merely
> looking to use cgi.remote_user as an extension to my user identifier
> and thus trigger application level rules and policies. In windows this
> is all very transparent where basically IIS detects the user's network
> login and provides the cgi.remote_user variable without need for
> further login at the web site.
>
> I may need to revert to an older tried and tested login script with
> "remember me" functionality that I've used in the past, which merely
> uses cfid,cftoken value pairs - not the most reliable identifiers I
> know.
>
> Dave
>
> -----Original Message-----
> From: Justin MacCarthy [mailto:[EMAIL PROTECTED]]
> Sent: 13 December 2002 12:13
> To: CF-Linux
> Subject: RE: What are the alternatives to NT authentication?
>
> Hi Dave,
>
> First look at using JAAS (at java.sun.com). This will give you a common
> API that can use practically any authentication source.
>
> You can set up linux to use a few different authentication methods
> using PAM - "pluggable Authentication Module". This feature is usually
> installed in the normal server installation, but set to use the usual
> passwd file (shadowed etc.) by default.
>
> Windows & linux (and I believe apache - anyone done it?) support
> authentication via Kerberos which is basically LDAP. Windows calls it
> ActiveDirectory. One issue here, I believe you can't do SSL LDAP
> queries on Linux/mx at the moment (Jesse ? )
>
> As for web site authentication, in apache you can use the .htaccess
> file to auth. users ...
>
> Justin - no Linux expert :-)
>
> > -----Original Message-----
> > From: Dave Wilson [mailto:[EMAIL PROTECTED]]
> > Sent: 13 December 2002 09:54
> > To: CF-Linux
> > Subject: What are the alternatives to NT authentication?
> >
> > Hi all,
> >
> > My applications are designed to make use of the windows network
> > login id via cgi.remote_user on a windows VPN. I was wondering if
> > anybody knew how I'd go about porting this feature over to a linux
> > platform? What authentication options are available to me?
> >
> > The VPN infrastructure is still in the planning stages so I will
> > have the option of looking into other authentication server
> > platforms. The actual authentication merely authenticates the user
> > to the VPN network (preferably using their existing network login
> > credentials) from a variety of remote branch networks (presumably
> > Windows networks, mostly) to allow the user access to our suite of
> > tools. The rules and policies are handled by the cf application
> > itself, which merely requires the cgi.remote_user variable for db
> > lookup purposes. I'm wondering if Kerberos may be the way to go as
> > (to the best of my knowledge) it is supported by both windows and
> > linux platforms, or perhaps I can stick with using NT authentication
> > for the VPN and have the NT account details available to my linux
> > boxes?
> >
> > Any thoughts much appreciated,
> > Dave
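
The lookup described in the newest message of this thread (resolving the web user from the VPN authentication server's ip/username details) could be sketched as follows. This is an added example, not code from the thread: the event format, `active_sessions`, `remote_user_for`, the 12-hour limit and the sample records are all assumptions constructed for illustration. It returns no user when an address's session has ended, gone stale or is unknown, so a reassigned VPN address is never mistaken for its previous holder.

```python
from datetime import datetime, timedelta

# Assumed policy: a session older than this is treated as stale.
MAX_SESSION_AGE = timedelta(hours=12)

# Constructed sample export (hypothetical format): time, event, user, VPN address.
SAMPLE_EVENTS = """\
2002-12-15T08:00:00 START carol 10.8.0.14
2002-12-16T09:00:00 START alice 10.8.0.12
2002-12-16T09:05:00 START bob 10.8.0.13
2002-12-16T11:45:00 START erin 10.8.0.12
2002-12-16T11:46:00 STOP alice 10.8.0.12
2002-12-16T12:00:00 STOP bob 10.8.0.13
"""


def active_sessions(event_log):
    """Replay START/STOP events in order and return {ip: (user, started_at)}."""
    sessions = {}
    for line in event_log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed records
        stamp, event, user, ip = parts
        when = datetime.fromisoformat(stamp)
        if event == "START":
            # A new session on an address replaces whoever held it before.
            sessions[ip] = (user, when)
        elif event == "STOP" and sessions.get(ip, (None,))[0] == user:
            # Only the current holder's STOP ends the session; a late STOP
            # from a previous holder must not log out the new one.
            del sessions[ip]
    return sessions


def remote_user_for(ip, sessions, now):
    """Return the user bound to ip, or None so the caller asks for a login."""
    entry = sessions.get(ip)
    if entry is None:
        return None  # unknown address or session already closed
    user, started = entry
    if now - started > MAX_SESSION_AGE:
        return None  # no STOP seen, but too old to trust
    return user


if __name__ == "__main__":
    sessions = active_sessions(SAMPLE_EVENTS)
    now = datetime(2002, 12, 16, 12, 30)
    for ip in ("10.8.0.12", "10.8.0.13", "10.8.0.14", "10.8.0.99"):
        print(ip, remote_user_for(ip, sessions, now))
```

The returned name would stand in for cgi.remote_user only when the request's source address is one the VPN itself assigned; requests arriving from any other network path should go through the application's own login.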
