I'm currently working on an authentication system against NDS/eDirectory via LDAP.
Early days yet, am working off a dev directory (8.6) with CFMX, on separate Win2K servers. Have got fake users authenticating successfully against NDS accounts via CFLDAP, but not using cflogin. Have not yet been able to get eDirectory's trusted root cert accepted by CF so am not yet using encryption either. Sorry, George: short answer is "yes." :) s ____________________________________ Simon Handfield Senior Web Application Developer State Library of New South Wales email: [EMAIL PROTECTED] phone: +612 9273 1710 fax: +612 9273 1268 cell: +61 0402 146 513 web: http://www.sl.nsw.gov.au/ ==================================== This email and any attachments to it are privileged and confidential. If you are not the intended recipient, please notify the sender and delete it. The contents of this email are not given or endorsed by the State Library of New South Wales unless otherwise indicated by an authorised officer of the Library. Copyright law may also apply to this contents of this email. ==================================== -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of George Lu Sent: Monday, 17 March 2003 14:25 To: CFAussie Mailing List Subject: [cfaussie] Re: Intranet Authentication Via Username We've got standardised on IE and IIS but we use Novell eDirectory. Can we use cflogin in this environment? George Lu Web Developer/Engineer Information Services Adult Multicultural Education Services 4/255 William Street Melbourne, Vic 3000 ------------------------------------------ Direct: 03 9926 4706 Fax: 03 9926 4695 Email: [EMAIL PROTECTED] Web: www.ames.net.au ------------------------------------------ >>> [EMAIL PROTECTED] 17/03/03 12:00:20 >>> Curse the government :D *Watches a flag goes up in ASIO* 4.5 and on Netscape server! *gasp* do they know lynx is no longer a standard browser yet? just asking as since we are in the darkages and all :D Gary would prob be the man to help ya on this one, as from memory he was an ex-Premiers Dept employee/contractor *watches as he cringes* and would know the layout better then anyone but you, thus enabling a more helpful solution. Worse case scenario, you dust off your old fashion session variable security management concept, and ask them for login details upon initialization of the application.. Poor Taco, 4.5 *shakes head* Scott "Taco Fleur" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] Sounds pretty good, unfortunately some people still have to work with CF 4.5. -----Original Message----- From: Scott Barnes [mailto:[EMAIL PROTECTED] Sent: Monday, 17 March 2003 10:47 AM To: CFAussie Mailing List Subject: [cfaussie] Re: Intranet Authentication Via Username Phil, Barry and I are using an Intranet environment where we only care if someones logged in via NT Authentication method. As stated earlier, if you do decide to head down the path of using just Active Directory as your application security model, then I really recommend you leverage CFLOGIN for such an excerise. Reason being, is that its so easy to lock down not only your presentation layer, but also you can lock down your CFC's without relying on your presentation layer. I say this, as alot of the examples tip you into using Session or Application variables to handle your overall security in that (ie session.isLoggedIn returns a true/false) value. This would work and in truth is fairly a simple outlet for a "Is User Logged In" handshake. But, if you store a session.variable and you publish information for remote access (ie webservices) then you rely on the fact that a user has come through normal webtraffic! But.. What if you make a standalone flash executable (just using this as an example) that due to it being clientside driven has no access to application.cfm, and instead only makes remote calls to components that are within a shared directory on a server! In order to combat this, like i said earlier, you simply define a global "role" (ie assign a role "IsLoggedIn") and then in your "presentation" layer, do a simple function: <cfscript> function isUserLoggedIn() { return isUserInRole('IsLoggedIn'); } </cfscript> You could store this in a central UDF library and just make calls to the method, if the answer is true (continue on) if its false (do login handshake methods). Then inside your CFC's, for every function that is deemed "members only" or "sensitive" assign each of these methods with a must have role "isLoggedIn" eg. <cffunction ... Roles="IsLoggedIn,Admin,etc"> This will ensure the user must be logged into the server via CFLOGIN, and has all the appropriate roles assigned to it, instead of assuming the person has gone through the standard login routines. And as stated earlier if you CFLOGOUT their butts, it wipes away their roles (but still has getAuthUser() returning a domain/useraccount string) thus if they idle out and hit a CFC it will reject them as quick as i get rejected when asking a girl out in a nightclub. Thats all i have to say, back to work and shit. Scott "Hickman, Matt" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > > Scotty, Taco, > > Yep you need IIS "anonymous" turned off. In my case we have NT > authentication on the directory where our files live, for our > 6 known domains who browse the site. > > If they don't match - **game show wrong answer noise** > If they match - **money shot groan** > > Then I run a "log" query at the top of my "contoller.cfm" page for every > user who browses the site. Eg: > > <cfquery name="insertLog" DATASOURCE="#Application.DSN#"> > INSERT INTO #Application.tablePrefix#TABLELOG (PAGEID, STORYID, > DATE, IPADDRESS, USERID ) > VALUES ('#URL.page_id#', #URL.story_id#, GETDATE(), > '#CGI.REMOTE_ADDR#', '#CGI.REMOTE_USER#') > </cfquery> > > Being an INTRANET I'm happy because the directory & NT Authentication is > doing the dirty work for me so all I care is who's viewing what, when etc. > > Is that what you're after?? > > > > > > > > > -----Original Message----- > From: Scott Barnes [mailto:[EMAIL PROTECTED] > Sent: Monday, 17 March 2003 10:34 AM > To: CFAussie Mailing List > Subject: [cfaussie] Re: Intranet Authentication Via Username > > > In truth, i think this relies on IIS anonymous access turned off in order to > work? I don't have IIS to double check this, but can anyone else shed some > light onto this theory of mine :D > > Scott > > > > "Taco Fleur" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > > > > OK, got to work today, had a go at it with cgi.remote_user but can't > > find any docos on the correct permissions needed for it to return the > > required info. > > > > Anyone any ides on this? > > > > TIA > > Taco > > > > > Taco all you need to do is retrieve the CGI.AUTH_USER variable > > > (could be > = > > > CGI.REMOTE_USER I'll have to double check that), and in a domain = > > > environment like Active Directory it will always be populated with > > > the = user's domain user account.....e.g "domain\taco" > > > > > > > > --- > You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To > unsubscribe send a blank email to [EMAIL PROTECTED] > > MX Downunder AsiaPac DevCon - http://mxdu.com/ > > > ********************************************************************** " > This correspondence is for the named person's use only. It may > contain confidential or legally privileged information or both. " > No confidentiality or privilege is waived or lost by any " > mistransmission. If you receive this correspondence in error, please > immediately delete it from your system and notify the sender. You > must not disclose, copy or rely on any part of this correspondence > if you are not the intended recipient. > > Any views expressed in this message are those of the individual sender, > except where the sender expressly, and with authority, states them to > be the views of Vodafone. > > This email has been checked for viruses. > ********************************************************************** > > > --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/ ---------------------------------------------------------------------- ------ This email, together with any attachments, is intended for the named recipient(s) only and may contain privileged and confidential information. If received in error, please inform the sender as quickly as possible and delete this email and any copies from your computer system network. If not an intended recipient of this email, you must not copy, distribute or rely upon it and any form of disclosure, modification, distribution and/or publication of this email is prohibited. Unless stated otherwise, this email represents only the views of the sender and not the views of the Queensland Government. ---------------------------------------------------------------------- ------ --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/ --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/ Disclaimer *********************************************************** This email and any attachments may be confidential. If received in error, please contact us and delete all copies. Before opening or using attachments you should check them for viruses or defects. Regardless of any loss, damage or consequence, whether caused by the negligence of the sender or not, resulting directly or indirectly from the use of any attached files our liability is limited to resupplying any affected attachments. Any representations or opinions expressed are those of the individual sender, and not necessarily those of Adult Multicultural Education Services (AMES). *********************************************************** --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/ --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MX Downunder AsiaPac DevCon - http://mxdu.com/
