Sorry to wade in at such a late stage, but ...

NDS can be extended using various API's and also using the NDS ODBC
driver. We here at health are running Novell 5.x with no extensions at all
(such as eDirectory or WebAccess). We use a C++ cfx custom tag called
cfx_nwpasscheck, to authenticate users via there novell login. The only
thing required is for the application server to be logged into novell. Our
cf server logs in to enable the arcserve client to access the arcserve
server for backup purposes.

The code used to authenticate is quite simple -:

<cfx_nwpasscheck nwuserid="#id#" nwpassword="#password#">

The #id# variable is the full NDS name (username + context). 

Just a note on using nbstat in a novell environment for automatic
authentication without needing to log in. To map a novell user to a
certain IP address can be quite difficult. NDS records the login details
for each user and there assigned network address in NDS - OK. The problem
is that, the network address recorded can be either an IP address or an
IPX address (based on PC protocol priorities). If IP it is a simple matter
of matching IP to #CGI.REMOTE_ADDR# but if it is an IPX address then it
makes it a little harder. An IPX address is made up of several things one
of them being the MAC address of the PC's NIC. You can use something like
nbstat to return the users MAC address but it is flakey. Once you have the
users MAC address then it is a simple matter to query NDS and pull the
username. The biggest problem with nbstat is that it is quite difficult to
resolve across routers. If your users access your intranet via a WAN (ie
they use a router to get to your web server) you can forget about using
nbstat. Also if your users access your web server using an internal proxy
server from within a WAN you can forget about using an IP address as
#CGI.REMOTE_ADDR# will return the proxy server address not their PC IP
address.

If the automatic authentication fails I fall back on a simple login
interface. I wrote a simple form that has the same look and feel as the
novell client login. The context is dynamically created in a popup window
using the NDS ODBC driver and querying the NDS db to create the NDS tree
in a cftree. Which the user simply clicks on after finding their correct
context. They then enter their username and password and authentication
occurs.

For our intranet (100,000+ users) there would be about 5% that can
authenticate automatically (mostly those at our Nth Sydney Office). But
those 5% happen to include my boss and the executive so it can be a
worthwhile exercise.

There is a new product for NDS called exteNd Director which is written in
Java with a nice API for the CFMX users out there (or cfx java tags pre
MX). If installed with eDirectory then security integration with NDS
becomes even easier.

my 2 cents,

hth
Rod

> No have not done that.
> 
> :0
> s
>   -----Original Message-----
>   From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of George Lu
>   Sent: Monday, 17 March 2003 15:19
>   To: CFAussie Mailing List
>   Subject: [cfaussie] Re: Intranet Authentication Via Username
> 
> 
>   Thanks Simon. We've implemented a system on the Intranet but users
> have to login again to retrieve their info in the eDirectory. Have you
> implement that having authenticating automatically once users sign on
> Novell (i.e. sigle sign on)?
> 
>   George
> 
>   >>> [EMAIL PROTECTED] 17/03/03 13:00:42 >>>
>   I'm currently working on an authentication system against
>   NDS/eDirectory via LDAP.
> 
>   Early days yet, am working off a dev directory (8.6) with CFMX, on
>   separate Win2K servers.
> 
>   Have got fake users authenticating successfully against NDS accounts
>   via CFLDAP, but not using cflogin.
> 
>   Have not yet been able to get eDirectory's trusted root cert
> accepted
>   by CF so am not yet using encryption either.
> 
>   Sorry, George: short answer is "yes."
> 
>   :)
>   s
>   ____________________________________
>   Simon Handfield
>   Senior Web Application Developer
>   State Library of New South Wales
>   email:  [EMAIL PROTECTED]
>   phone:  +612 9273 1710
>   fax:    +612 9273 1268
>   cell:   +61 0402 146 513
>   web:    http://www.sl.nsw.gov.au/
> 
>   ====================================
>   This email and any attachments to it are privileged and
> confidential.
>   If you are not the intended recipient, please notify the sender and
>   delete it. The contents of this email are not given or endorsed by
> the
>   State Library of New South Wales unless otherwise indicated by an
>   authorised officer of the Library. Copyright law may also apply to
>   this contents of this email.
--

---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]

MX Downunder AsiaPac DevCon - http://mxdu.com/

Reply via email to