Re: 4D Authentication Strategy...

2019-01-09 Thread Tim Nevels via 4D_Tech
On Jan 9, 2019, at 11:08 AM, Tom Benedict  wrote:

> You have clearly a lot of experience with this, and I have none, so I 
> probably shouldn’t have joined the thread. However, I have a long standing 
> interest in SSO and Authentication in general. 
> 
> What I’ve found, after working many years for a large enterprise organization 
> which has very high information security standards, is that System 
> Administrators don’t like custom user access systems and Auditors like them 
> even less. What they do like are things like Active Directory and LDAP. So my 
> point is that any 4D app in an enterprise environment should use the 
> enterprise standard. Now that 4D has the tools to use Active Directory, they 
> should be used exclusively, without any custom feature access management 
> buried inside the application. System Administrators want to set access 
> privileges in Active Directory, not in 4D (and they definitely don’t want to 
> do it both places). I’ve never done the work in 4D, so I don’t have any 
> implementation details on how this would be done in 4D, but it appears, from 
> the 4D Blog posting, that v17R3 can do this.

Hi Tom,

You can remove all users and access privileges from 4D and put them into Active 
Directory. You may have to create some Custom Active Directory Attributes to 
store the information needed for your access privileges — what groups a user 
belongs to as an example. Then you can use the 4D LDAP commands to query Active 
Directory for this information in the user's account. It is totally doable with 
v17. 

I asked the client for whom I implemented the 4D SSO system I’ve been talking 
about if they wanted to move everything to Active Directory. We talked about 
what custom attributes would need to be created and the cost to do all of this. 
They decided to start with just the authentication part and leave the user 
access privileges in 4D for now. At some point in the future we plan to move 
all the user privileges out of 4D and put them into Active Directory. 

Tim

*
Tim Nevels
Innovative Solutions
785-749-3444
timnev...@mac.com
*

**
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: 4D Authentication Strategy...

2019-01-09 Thread Tim Nevels via 4D_Tech
On Jan 8, 2019, at 6:38 AM, Robert ListMail  wrote:

> Right, I understand the SSO as originally explained—that was very helpful. 
> Yet, for testing purposes at my location (without the authentication server) 
> or at the client site when you might need to login as a specific user, how 
> might you switch to/from SSO or not? I suppose there is an authentication 
> sequence used by 4D where it tries to use SSO if the checkbox is checked in 
> preferences and if no server is found or the authentication 4D code is not 
> called then the traditional built-in 4D Password system will be in effect? 
> See? I’m not sure how to switch or when SSO is automatically in play.

Hi Robert,

When you turn on SSO on 4D Server with the “Authentication of user with domain 
server” checkbox, that just makes the “Current client authentication” command 
work. That’s it. Turning on that checkbox does not automate anything for you. 
The name of the checkbox may make you think that 4D will do something for you 
when you turn it on, but it really does nothing but make a single command 
return a value you can rely on. 

You are in control of everything. There is nothing handled for you 
automatically. You program your 4D application to work the way you want it to 
work. It is all up to you.  You must write code to do what you want. 

Seems like people think that turning on the “Authentication of user with domain 
server” checkbox on 4D Server will cause 4D to do something for you. Do some 
work for you. Make something happen for you. It doesn’t. All it does is make 
“Current client authentication” command return a value on Windows that you can 
trust. 

How you use the information from the “Current client authentication” command is 
completely up to you. 

Tim

*
Tim Nevels
Innovative Solutions
785-749-3444
timnev...@mac.com
*


Re: 4D Authentication Strategy...

2019-01-09 Thread Tim Nevels via 4D_Tech
On Jan 8, 2019, at 10:36 AM, Tom Benedict  wrote:

> Here’s a link to instructions on how to set up a test Active Directory 
> instance which might work for your testing. I haven’t tried it yet. 
> https://auth0.com/docs/connector/test-dc It might help.
> 
> As far as switching between 4D Authentication and SSO, I’m thinking that 
> would be very useful. Even Microsoft SQL Server offers the option of 
> Authentication via Windows Login (Active Directory) or SQL Server Login at 
> client login time. The documentation doesn’t mention that kind of support 
> though. 
> http://doc.4d.com/4Dv17/4D/17/Single-Sign-On-SSO-on-Windows.300-3743254.en.html
>  I haven’t verified this.

Hi Tom,

It is up to you the 4D Designer and developer of your application to do the 
switching. You must do this via programming code and settings changes you make 
in the Design environment. 4D’s SSO implementation is just to make the “Current 
client authentication” command work. That’s it. 

You say “switching between 4D Authentication and SSO”, but exactly what do you 
mean? Does “4D Authentication” mean using the built in 4D User and Groups system 
and the dialog box that 4D provides when you have assigned a password to the 
Designer user?

What do you mean when you say “SSO”? Are you saying you have turned on the 
“Authentication of user with domain server” checkbox? Because once you turn on 
that checkbox your database continues to function exactly the same as if it is 
off. Nothing new happens. 

If your database shows the 4D User dialog box to allow selecting a user and 
typing in a password, turning on the “Authentication of user with domain 
server” checkbox will not change that. The dialog box will still be displayed 
to users when they try to connect to 4D Server. 

You must change your database so that it does not display the 4D User login 
dialog box. You must make that stop appearing by using the “Default user” 
option.  

https://doc.4d.com/4Dv17/4D/17/Setting-a-Default-User.300-3743513.en.html

Then you can write code in your “On Startup” method to call the “Current client 
authentication” command and do something with the information it returns. You 
decide via your programming code whether to let the user get into your 
application or you call “QUIT 4D” and not let them in. 

Tim

*
Tim Nevels
Innovative Solutions
785-749-3444
timnev...@mac.com
*


Re: 4D Authentication Strategy...

2019-01-08 Thread Tom Benedict via 4D_Tech
Hi Robert,

Here’s a link to instructions on how to set up a test Active Directory instance 
which might work for your testing. I haven’t tried it yet. 
https://auth0.com/docs/connector/test-dc It might help.

As far as switching between 4D Authentication and SSO, I’m thinking that would 
be very useful. Even Microsoft SQL Server offers the option of Authentication 
via Windows Login (Active Directory) or SQL Server Login at client login time. 
The documentation doesn’t mention that kind of support though. 
http://doc.4d.com/4Dv17/4D/17/Single-Sign-On-SSO-on-Windows.300-3743254.en.html 
I haven’t verified this.

Tom

> On Jan 8, 2019, at 04:38, Robert ListMail via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> Hi Tim,
> 
> Right, I understand the SSO as originally explained—that was very helpful. 
> Yet, for testing purposes at my location (without the authentication server) 
> or at the client site when you might need to login as a specific user, how 
> might you switch to/from SSO or not? I suppose there is an authentication 
> sequence used by 4D where it tries to use SSO if the checkbox is checked in 
> preferences and if no server is found or the authentication 4D code is not 
> called then the traditional built-in 4D Password system will be in effect? 
> See? I’m not sure how to switch or when SSO is automatically in play.
> 
> Thanks,
> 
> Robert
> 
> Sent from my iPhone
> 
>> On Jan 5, 2019, at 9:34 PM, Tim Nevels via 4D_Tech <4d_tech@lists.4d.com> 
>> wrote:
>> 
>> You don’t want to use 4D’s password system directly.
> 


Re: 4D Authentication Strategy...

2019-01-08 Thread Robert ListMail via 4D_Tech
Hi Tim,

Right, I understand the SSO as originally explained—that was very helpful. Yet, 
for testing purposes at my location (without the authentication server) or at 
the client site when you might need to login as a specific user, how might you 
switch to/from SSO or not? I suppose there is an authentication sequence used 
by 4D where it tries to use SSO if the checkbox is checked in preferences and 
if no server is found or the authentication 4D code is not called then the 
traditional built-in 4D Password system will be in effect? See? I’m not sure 
how to switch or when SSO is automatically in play.

Thanks,

Robert

Sent from my iPhone

> On Jan 5, 2019, at 9:34 PM, Tim Nevels via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> You don’t want to use 4D’s password system directly.


Re: 4D Authentication Strategy...

2019-01-06 Thread Tim Nevels via 4D_Tech
On Jan 6, 2019, at 12:52 AM, Tom Benedict  wrote:

> It doesn’t look like your scheme gets access privileges from Windows Active 
> Directory, instead you are getting them from your Users table. Is that 
> correct?

No. I am getting access privileges by using the “Current client authentication” 
4D command. I depend on that command giving me THE TRUTH. The truth begins with 
a valid Windows Login Name. Once I have this string of bytes that define a user 
name I can rely on then that is something to authenticate with. Current client 
authentication = “timnevels”, then “timnevels” is a string of bytes I can rely 
on. So that is part one. Define “the truth”. 

> Do you also use 4D Users & Groups to define Groups to manage access to 
> application features? So you don’t use the LDAP commands to get 4D Groups for 
> the authenticated user?

I could have used 4D Users and Groups, but I chose not to. I am using my own 
table based way to store allowed users and what they can do.

I could have also chosen to build all the 4D User and Groups information into 
the Windows Active Directory system and then I would query using LDAP to see if 
the user name was allowed into the 4D database and what that user could do.

You have fallen for the trap. I did the same thing until I realized that you 
have to trust something. The trap is to not break this into 2 parts. Who do you 
trust? And then what do you do with this trusted information? 

You need to separate 4D authentication into 2 parts: 1) getting a user name or 
identifier that you can trust. You can do it all yourself with 4D Users or your 
own [Users] table. Then you prove the user has authorization to use that user 
name by having them provide a password you can validate. 

Or you can trust someone else to do the password validation for a particular 
user name. That is what SSO is all about. You trust Windows Active Directory to 
validate a password for a particular Windows Login Name. 

I am trusting that the “Current client authentication” 4D command gives me THE 
TRUTH. The truth begins with a valid Windows Login Name. Once I have this string 
of bytes that define a user name I can rely on, then that is something to 
authenticate with. Current client authentication = “timnevels”, then 
“timnevels” is a string of bytes I can rely on. So that is part one. 

Part 2 is what you do with that valid user name. Once you have a valid user 
name, you can use whatever method you want to check permissions or privileges 
or groups that user name belongs to. You decide that. For me SSO is just user 
name and password validation. 

> Another question that comes to mind is why can't something similar to this 
> work under MacOS? Isn’t there an LDAP equivalent for MacOS?

There probably is. I would connect with 4D and see if they have considered 
that. I’m sure they did, but probably decided not to implement it because 
Windows deployment is the majority of 4D’s user base. 

Also, the Windows Active Directory is a standard that is supported on ALL 
Windows operating systems. So only a single thing must be implemented and 
supported. 

Not sure what is guaranteed to be available on ALL macOS systems from versions 
with a macOS server, without a macOS server, just doing File Sharing, etc. I’m 
guessing there are many LDAP possibilities for macOS, but no standard and 
nothing guaranteed like there is on Windows OS.

Tim

*
Tim Nevels
Innovative Solutions
785-749-3444
timnev...@mac.com
*


Re: 4D Authentication Strategy...

2019-01-05 Thread Tom Benedict via 4D_Tech
Tim,

It doesn’t look like your scheme gets access privileges from Windows Active 
Directory, instead you are getting them from your Users table. Is that correct? 
Do you also use 4D Users & Groups to define Groups to manage access to 
application features? So you don’t use the LDAP commands to get 4D Groups for 
the authenticated user?

The benefit of that is that the system administrators don’t need to know 
anything about how to edit 4D Users & Groups or update a custom User & Groups 
system (which appears your case).

Another question that comes to mind is why can't something similar to this work 
under MacOS? Isn’t there an LDAP equivalent for MacOS?

Tom Benedict

> On Jan 5, 2019, at 19:34, Tim Nevels via 4D_Tech <4d_tech@lists.4d.com> wrote:
> 
> 4D SSO implementation boils down to a single command “Current client 
> authentication”. Use that instead of “Current system user” command. This will 
> give you a guaranteed Windows login name that has been authenticated via 
> Windows Active Directory. This gives you reliable user identification. 
> 
> Once you have a user login name you can depend on — that’s what SSO and the 
> “Current client authentication” command does for you — you can then check if 
> that user login name is allowed into your database. In my case I just check 
> for a record in the [Users] table. 
> 


Re: 4D Authentication Strategy...

2019-01-05 Thread Tim Nevels via 4D_Tech
On Jan 5, 2019, at 2:00 PM, Robert wrote:

> Tim, I just toggled on the checkbox on the server that activates this feature 
> but I’ve not implemented the code just yet….  So, how do you specify that you 
> are logging in with the local 4D password instead of SSO? Modifier keys? 
> Hidden Menu? Also, I’m not sure when the SSO login is in effect. Once the SSO 
> code is in effect will you lock yourself out if the authentication server is 
> down or you are developing on a different network without AD services?

Hi Robert,

You don’t want to use 4D’s password system directly. You can use it behind the 
scenes so that you have access to the “Current user” command as has been discussed 
here at length. But for SSO to work, you don’t want the user to have to do 
anything. They do absolutely nothing. So do not let them choose to use SSO or 
not. 

I would not plan on the authentication server ever being down. That is total 
death for a Windows network. That means NOBODY can log into any computer on the 
network. So if the authentication server is down, accessing your 4D database 
will be the least of their worries. They won’t even be able to boot their 
computers or access network file shares. 

One way to look at SSO in 4D is to boil it down to the implementation basics. 
You need to identify the user automatically without any interaction from a 
person. Who is trying to get access to my database? That’s it. 

You can use “Current system user” command to get the name of the user that has 
logged into the machine. On Windows OS this is the windows login name. 

4D SSO implementation boils down to a single command “Current client 
authentication”. Use that instead of “Current system user” command. This will 
give you a guaranteed Windows login name that has been authenticated via 
Windows Active Directory. This gives you reliable user identification. 

Seems like people just can’t seem to get their heads around using 4D’s SSO 
system to replace an existing authentication system. So I’m going to provide 
some code that I use in my “Login” method. It is designed to use the 4D SSO 
implementation as primary authentication, but it also works without it and on 
macOS. <>authenticatedUser_b is used in other areas of the application so that 
I know if I used SSO to authenticate.

  // declarations (locals default to ""/False in 4D, but declaring them documents the intent)
C_TEXT($windowsUserLogin_t;$domain_t;$protocol_t)
C_BOOLEAN($loginSuccessful_b)

  // get the Windows login name; "" means Active Directory did not vouch for this client
$windowsUserLogin_t:=Current client authentication($domain_t;$protocol_t)

  // check login validity
Case of 
  : (Is macOS)  // running on macOS: no SSO, fall back to the unverified system user
    $windowsUserLogin_t:=Current system user
    <>authenticatedUser_b:=False

  : (Not(Is compiled mode))  // interpreted (development) mode: same fallback
    $windowsUserLogin_t:=Current system user
    <>authenticatedUser_b:=False

  : ($windowsUserLogin_t="")  // an authenticated login could not be retrieved
    <>authenticatedUser_b:=False
      // show user message and quit (Msg is a project method, not a built-in command)
    Msg ("Unable to authenticate user and retrieve Windows Login Name"+Char(Carriage return)+"Login Name: "+Current system user+Char(Carriage return)+"Domain: "+$domain_t+Char(Carriage return)+"Protocol: "+$protocol_t;"Error")
    QUIT 4D

  Else   // got an authenticated login
    <>authenticatedUser_b:=True
End case 

  // look for user and load preferences and groups
If ($windowsUserLogin_t#"")
  READ ONLY([Users])
  QUERY([Users];[Users]WindowsLoginName=$windowsUserLogin_t)
  If (Records in selection([Users])=1)  // exactly one matching record is required
      // save user name & ID
    <>CurrentUserName:=[Users]UserName
    <>CurrentUserID:=[Users]ID
      // load preferences (project method)
    LoadUserPreferences ([Users]ID)
      // load privileges (project method)
    GetUserGroups ([Users]ID;-><>CurrentUserGroupsA)
    $loginSuccessful_b:=True
  End if 
End if 

  // no usable login: display the Login dialog as a last resort
If (Not($loginSuccessful_b))
  <>authenticatedUser_b:=False
  OpenWindow (270;270;Movable dialog box;"Login";2)
  DIALOG([Dialogs];"Login")
  CLOSE WINDOW
End if 

The above code first tries to use “Current client authentication”. If 4D Client 
is running on Windows and 4D is configured to have SSO turned on — and it is 
working — you get a $windowsUserLogin_t value. The remaining code deals with the 
case where SSO is not available, such as when you are not running compiled or are 
running on macOS. This is basically convenience code for my use when doing 
development and testing. 

Once you have a user login name you can depend on — that’s what SSO and the 
“Current client authentication” command does for you — you can then check if 
that user login name is allowed into your database. In my case I just check for 
a record in the [Users] table. 

The above code also handles the situation where authentication totally fails 
and as a very last resort 
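A reference model, in Python and added here (it is not code from the thread or from 4D), of the two-part decision Tim describes in this post and in his Jan 6 reply: first obtain a login name from a source you trust, then authorise it against the [Users] table. ClientEnv, Decision and the USERS rows are constructed for the example; it also models the laptop-from-home case from Tim's Nov 9 post to show why a lookup keyed on Current system user instead of Current client authentication lets an unverified local account through.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of the [Users] table. WindowsLoginName (plus the optional
# Domain field Tim mentions for multi-domain sites) is the lookup key. It holds
# no passwords: with SSO, Windows has already validated the password.
USERS = [
    {"ID": 1, "UserName": "Tim Nevels", "WindowsLoginName": "timnevels",
     "Domain": "CORP", "Groups": ["Admin", "Sales"]},
    {"ID": 2, "UserName": "Robert", "WindowsLoginName": "robert",
     "Domain": "CORP", "Groups": ["Sales"]},
]


@dataclass
class ClientEnv:
    """What a 4D client session can report (assumed shape, not a 4D API)."""
    is_macos: bool
    is_compiled: bool
    client_authentication: str  # "Current client authentication": "" when AD did not verify the client
    system_user: str            # "Current system user": whoever is logged into the OS, unverified
    domain: str = ""


@dataclass
class Decision:
    action: str                 # "ok" (let the user in), "quit" (QUIT 4D) or "dialog" (last-resort login form)
    login_name: str
    sso_authenticated: bool     # the <>authenticatedUser_b flag in Tim's Login method
    user_id: Optional[int] = None
    groups: list = field(default_factory=list)


def resolve_login_name(env: ClientEnv, trust_system_user: bool = False):
    """Part one: obtain a login name from a source you trust.

    Mirrors the Case of in Tim's Login method and returns
    (login_name, sso_authenticated, must_quit). trust_system_user=True
    models the mistake the thread warns against: relying on
    "Current system user" on a compiled Windows client.
    """
    if env.is_macos or not env.is_compiled:
        # SSO unavailable (macOS, or interpreted/dev mode): convenience fallback only
        return env.system_user, False, False
    if trust_system_user:
        return env.system_user, False, False
    if env.client_authentication == "":
        # Windows, compiled, but Active Directory did not vouch for this client: refuse
        return "", False, True
    return env.client_authentication, True, False


def find_user(login_name: str, domain: str = "", users=USERS) -> Optional[dict]:
    """Part two: authorisation lookup, i.e. QUERY([Users];WindowsLoginName=name).

    4D's = on text is case-insensitive, so compare case-folded. Like
    Records in selection([Users])=1, exactly one match is required.
    """
    hits = [u for u in users
            if u["WindowsLoginName"].casefold() == login_name.casefold()
            and (domain == "" or u["Domain"].casefold() == domain.casefold())]
    return hits[0] if len(hits) == 1 else None


def login(env: ClientEnv, trust_system_user: bool = False, users=USERS) -> Decision:
    """Full decision: trusted identity -> [Users] lookup -> ok / quit / dialog."""
    name, sso_ok, must_quit = resolve_login_name(env, trust_system_user)
    if must_quit:
        return Decision("quit", name, False)
    user = find_user(name, env.domain, users) if name != "" else None
    if user is None:
        # No [Users] record: Tim's last resort is the Login dialog, with the SSO flag cleared
        return Decision("dialog", name, False)
    return Decision("ok", name, sso_ok, user["ID"], list(user["Groups"]))


if __name__ == "__main__":
    # Laptop-from-home scenario: a local account named "timnevels" that never authenticated to AD.
    laptop = ClientEnv(is_macos=False, is_compiled=True, client_authentication="",
                       system_user="timnevels", domain="CORP")
    print("Current client authentication:", login(laptop).action)
    print("Current system user:          ", login(laptop, trust_system_user=True).action)
```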

Re: 4D Authentication Strategy...

2019-01-04 Thread Robert ListMail via 4D_Tech
Right, I’ll look at that video again. I recall Tim saying that there was some 
confusion and unnecessary coding on the server side and that his successful and 
simple code was client side only. Anyway that’s my recollection. 

Thanks,

Robert

Sent from my iPhone

> On Jan 4, 2019, at 8:33 PM, Keisuke Miyako via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> I would urge you to take a look at the video,
> 
> https://blog.4d.com/single-sign-on-sso/
> 
> it shows the code on the client side and the server side that manages 
> authentication.
> 
>> On 2019/01/05 6:36, Robert ListMail via 4D_Tech <4d_tech@lists.4d.com> wrote:
>> 
>> Tim, I just toggled on the checkbox on the server that activates this 
>> feature but I’ve not implemented the code just yet….  So, how do you specify 
>> that you are logging in with the local 4D password instead of SSO? Modifier 
>> keys? Hidden Menu? Also, I’m not sure when the SSO login is in effect. Once 
>> the SSO code is in effect will you lock yourself out if the authentication 
>> server is down or you are developing on a different network without AD 
>> services?
> 


Re: 4D Authentication Strategy...

2019-01-04 Thread Keisuke Miyako via 4D_Tech
I would urge you to take a look at the video,

https://blog.4d.com/single-sign-on-sso/

it shows the code on the client side and the server side that manages 
authentication.

> On 2019/01/05 6:36, Robert ListMail via 4D_Tech <4d_tech@lists.4d.com> wrote:
>
> Tim, I just toggled on the checkbox on the server that activates this feature 
> but I’ve not implemented the code just yet….  So, how do you specify that you 
> are logging in with the local 4D password instead of SSO? Modifier keys? 
> Hidden Menu? Also, I’m not sure when the SSO login is in effect. Once the SSO 
> code is in effect will you lock yourself out if the authentication server is 
> down or you are developing on a different network without AD services?


Re: 4D Authentication Strategy...

2019-01-04 Thread Robert ListMail via 4D_Tech
Tim, I just toggled on the checkbox on the server that activates this feature 
but I’ve not implemented the code just yet….  So, how do you specify that you 
are logging in with the local 4D password instead of SSO? Modifier keys? Hidden 
Menu? Also, I’m not sure when the SSO login is in effect. Once the SSO code is 
in effect will you lock yourself out if the authentication server is down or 
you are developing on a different network without AD services?

Thanks,

Robert

Sent from my iPhone

> On Nov 14, 2018, at 11:56 AM, Robert ListMail via 4D_Tech 
> <4d_tech@lists.4d.com> wrote:
> 
> I do still have a password field in my [Users] table and a special way that I 
> can log in to the database as any [Users] record using that password. But 
> that’s only for me and the IT administrator when we need to do testing of 
> permissions or privileges in the database as another user.


Re: 4D Authentication Strategy...

2018-11-15 Thread Robert ListMail via 4D_Tech
Oops! Sorry about that—I had no idea!!!

Many Thanks Helge. I see it’s almost 7 in the evening your time—god kveld.

Robert

> On Nov 15, 2018, at 2:36 AM, 4dialog via 4D_Tech <4d_tech@lists.4d.com> wrote:
> 
> By the way, Hilsen = Greeting in norwegian :)


Re: 4D Authentication Strategy...

2018-11-15 Thread 4dialog via 4D_Tech
I use 4d auth but store additional data about the user in tables.
The user list is exported only on server, only server admin can access it.
But you can store it in the db as well. The 4d user list can be changed by
the 4d admin user, so export from structure is done every night in the backup
process. Import is done for every startup of 4d server, whether it's a new
structure or not.
All is then automatic, no problems when updating structure :)

By the way, Hilsen = Greeting in norwegian :)




-
Hilsen
--
Helge Antonsen
www.4dialog.no 
--

Re: 4D Authentication Strategy...

2018-11-14 Thread Robert ListMail via 4D_Tech
Hi Hilsen, thanks for your input.

So, if you are storing users in user tables, couldn’t that be used to restore a 
new structure? When you say you are storing lists outside of the DB you lose 
me.  With your strategy, is the structure or the data file the authority? Are 
you using your own custom dialog for all authentication?

Thanks,

Robert

> On Nov 9, 2018, at 2:00 AM, 4dialog via 4D_Tech <4d_tech@lists.4d.com> wrote:
> 
> I always use both, 4d user and user tables to add info about the user. 4D
> user has a unique id, so it's easy to add records about any user. When updating
> versions on the server, I just send the 4D users to a list that can be
> stored outside or in the dbase and replace them after startup of server.


Re: 4D Authentication Strategy...

2018-11-14 Thread Robert ListMail via 4D_Tech
Thanks Jim, for the database I’m working on I might be able to get by with a 
couple of checkboxes that represent groups and not really have a groups table. 
I’m planning to have all of the database users in a users table and to 
authenticate against that and to also verify that there is a matching 4D user 
in the structure and to automatically create one if necessary. BTW: the main 
benefits of having the users in the table is that I need to record a user ID to 
certain records that have been created and I need user initials and when new 
structure is delivered the credentials are all in place. Oh, and if I decide to 
implement SSO I already have a Windows_ID field ready to go. So, I’m trying to 
keep it simple. I’ve never tried to do it this way, I call it a hybrid approach 
since it uses table and structure based resources. Any ideas on ways to keep it 
simple are appreciated.

Robert

> On Nov 14, 2018, at 3:39 PM, Jim Labos - infobase via 4D_Tech 
> <4d_tech@lists.4d.com> wrote:
> 
> We roll our own mostly. Using a list of available "action". Each user then
> either has or has not permission for the "action". 


Re: 4D Authentication Strategy...

2018-11-14 Thread Robert ListMail via 4D_Tech
Tim, I just toggled on the checkbox on the server that activates this feature 
but I’ve not implemented the code just yet….  So, how do you specify that you 
are logging in with the local 4D password instead of SSO? Modifier keys? Hidden 
Menu? Also, I’m not sure when the SSO login is in effect. Once the SSO code is 
in effect will you lock yourself out if the authentication server is down or 
you are developing on a different network without AD services?

Thanks,

Robert

> On Nov 9, 2018, at 9:08 AM, Tim Nevels via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> I do still have a password field in my [Users] table and a special way that I 
> can log in to the database as any [Users] record using that password. But 
> that’s only for me and the IT administrator when we need to do testing of 
> permissions or privileges in the database as another user. 


Re: 4D Authentication Strategy...

2018-11-14 Thread Robert ListMail via 4D_Tech
Supercool Tim!

BTW: did you have a way of testing this in your office?  Right now I’m thinking 
that when I’m connected to the client VPN I’d have access to that Windows 
server for authentication.

Thanks,

Robert

> On Nov 9, 2018, at 9:08 AM, Tim Nevels via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> This is going to be my standard, default way of letting users connect to 4D 
> Server on pure Windows environments. Totally eliminates the need to save 
> passwords in the 4D data file. No need to implement a change password” 
> feature in your database. No need for a “login” dialog box for the average 
> user. 


Re: 4D Authentication Strategy...

2018-11-09 Thread Tim Nevels via 4D_Tech
On Nov 9, 2018, at 7:34 AM, Robert ListMail wrote:

> I’ve inherited many 4D databases over the years and some have a custom 
> password system and some use the built in 4D system or a hybrid approach. I 
> know that 4D also allows authentication via Active Directory (single sign on) 
> but I’ve not implemented that. So, I’m looking to enhance a few legacy 
> systems and wanted to consider my authentication strategy... I’ll probably 
> want to keep the users and groups in the data file so that the data would 
> always be valid after structure changes and to store more data about each 
> user. Also, what if users could register on the system and use the system to 
> reset passwords and such just like a public web site, this would lighten the 
> load for the admin... I know this was all the rage 20 years ago. So, have you 
> rolled your own password system in 4D? What are the key benefits in your 
> situation?

I have a table called [Users] that stores authorized users of the database. In 
the past it was the sole authentication system. I didn’t use 4D’s password system 
because it is structure based and installing a new version of the structure 
required extra work to reload the 4D password system. 

But I sorely missed the “Current user” command. I wanted to be able to use it 
in Triggers. I tried several ways to pass this information into triggers and 
all were cumbersome and prone to failure in certain situations whereas the 
“Current user” command was so easy and always worked. Guaranteed.

So I started using what I call a dynamically built 4D password system. I still 
use the [Users] table to lookup if a person is allowed into the database but 
once I know the user is allowed in I do this:

  // declarations (added for clarity)
ARRAY TEXT($userName_at;0)
ARRAY LONGINT($userNumber_al;0)
C_LONGINT($i)

  // does a 4D password system user with this name already exist?
GET USER LIST($userName_at;$userNumber_al)
$i:=Find in array($userName_at;$theUserName_t)
If ($i<1)  // 4D user does not exist, so create it
  $i:=-2  // userRef -2 = new user created by the Administrator user
  $i:=Set user properties($i;$theUserName_t;"";$password_t;0;!00-00-00!;$groups_al)
    // pause for 1 second to work around -9978 Bad user password error
  DELAY PROCESS(Current process;60)
    // switch to that user so that "Current user" now returns the name we want
  CHANGE CURRENT USER($theUserName_t;"**")
End if 

That makes sure a 4D password system user — with the name I want — is 
available. If not, I create it and then CHANGE CURRENT USER to that user so 
that the “Current user” command now works. That’s the primary reason for me to do 
all of this. 

It is simple and does not require any special saving and loading of the 4D 
password system when the database stops or starts. 

I’ve now started moving away from even storing passwords in the [Users] table 
and doing all authentication with the 4D SSO Active Directory integration. It’s 
so simple to use once you clear away the debris surrounding it. Here’s my 
implementation and why I do it this way.

First, you must be using Windows 64bit 4D Server v15 R5 or newer and have New 
Network Layer turned on. Of course you need all your users to authenticate to 
Active Directory using the default NTLM protocol, but it does support Kerberos 
if you do some extra setup work. Once you have all that in place, you just 
check the “Authentication of user with domain server” checkbox on 4D Server and 
setup is done. It is ready to use. 

In your [Users] table add a field for the “Windows login name” that a person 
uses. Windows guarantees it is unique for a domain. If you want to support 
multiple domains you can do that too by adding a “domain” field to the table. 
To allow someone to access the database, create a [Users] record with the name 
you want reported by “Current user” and the Windows login name that person will 
be using. That’s your lookup key.

In "On Startup" you use the “Current client authentication” command to retrieve 
the Windows login name that was verified and authenticated with Active 
Directory. Use that to query the [Users] table and if you find a match, let the 
user in. Authentication is done, no password needed, no checking of any 
password, you are doing SSO and you let Windows control the original sign on to 
the network and you trust that. 

Don’t use the “Current system user” command. This returns the same login name, but 
it is not guaranteed to be authenticated to Active Directory. 

Example: A person could bring in a laptop from home, create a local user 
account on that machine with a matching Windows login name, sign in to that 
machine with that login and then plug that machine into the corporate network. 
They get a DHCP assigned IP address. Then they get a copy of 4D Client, put it 
on the machine and launch it. Bang, they are into the database. You can only 
trust “Current client authentication” to give you the Windows login name that 
has been reliably authenticated. 

You don’t really need to store a password in the [Users] table. You are going 
to let Windows control authentication. Don’t be afraid of this, that’s how it 
is supposed to work.

I do still have a password field in my [Users] 
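The On Startup flow described above, written out as an added example (not Tim's own code): the domain-verified login from Current client authentication is the lookup key into [Users], and only after a single matching record is found is the 4D password system user created on the fly. Field names [Users]WindowsLogin and [Users]UserName, and the assumption that Current client authentication returns empty text for an unauthenticated client, are mine.

```4d
  // On Startup database method (added example; assumed schema:
  // [Users]WindowsLogin = lookup key, [Users]UserName = name that
  // "Current user" should report)
C_TEXT($login_t;$userName_t)
C_LONGINT($i)
ARRAY TEXT($userName_at;0)
ARRAY LONGINT($userNumber_al;0)
ARRAY LONGINT($groups_al;0)  // no 4D groups assigned in this example

  // Only the login verified by the domain server is trusted.
  // "Current system user" is deliberately not used: a local account
  // with the same name on an unmanaged laptop would satisfy it.
  // Assumed: empty text when the client was not domain-authenticated.
$login_t:=Current client authentication

If ($login_t="")
  ALERT("This client was not authenticated by the domain server.")
  QUIT 4D
End if

  // 4D text comparison treats "@" as a wildcard, so a login containing
  // it could match several [Users] records. Refuse it instead of guessing.
If (Position("@";$login_t)>0)
  ALERT("Unexpected login name format: "+$login_t)
  QUIT 4D
End if

QUERY([Users];[Users]WindowsLogin=$login_t)
If (Records in selection([Users])#1)  // zero matches or an ambiguous match
  ALERT("No authorized [Users] record for "+$login_t)
  QUIT 4D
End if

  // Authorized: make sure a 4D password system user with the wanted name
  // exists, so that "Current user" works in triggers.
$userName_t:=[Users]UserName
GET USER LIST($userName_at;$userNumber_al)
$i:=Find in array($userName_at;$userName_t)
If ($i<1)
    // -2 = created by the Administrator user; empty 4D password, since
    // Windows has already authenticated this person
  $i:=Set user properties(-2;$userName_t;"";"";0;!00-00-00!;$groups_al)
  DELAY PROCESS(Current process;60)  // avoids the -9978 error right after creation
End if
CHANGE CURRENT USER($userName_t;"")
```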

Re: 4D Authentication Strategy...

2018-11-09 Thread 4dialog via 4D_Tech
I always use both, 4D user and user tables to add info about the user. A 4D
user has a unique id, so it's easy to add records about any user. When updating
versions on the server, I just send the 4D users to a list that can be
stored outside or in the database and replace them after startup of the server.

Using extra tables for users makes it easy to implement a password strategy
for change with change date, md5 check of old passwords etc, but most of all
I can build individual ListBox settings for all table listings - each user
can have different fields, fonts, color etc per table list.

-
Regards
--
Helge Antonsen
www.4dialog.no 
**
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

4D Authentication Strategy...

2018-11-08 Thread Robert ListMail via 4D_Tech
I’ve inherited many 4D databases over the years and some have a custom password 
system and some use the built in 4D system or a hybrid approach. I know that 4D 
also allows authentication via Active Directory (single sign on) but I’ve not 
implemented that. So, I’m looking to enhance a few legacy systems and wanted to 
consider my authentication strategy... I’ll probably want to keep the users and 
groups in the data file so that the data would always be valid after structure 
changes and to store more data about each user. Also, what if users could 
register on the system and use the system to reset passwords and such just like 
a public web site, this would lighten the load for the admin... I know this was 
all the rage 20 years ago. So, have you rolled your own password system in 4D? 
What are the key benefits in your situation?

Thanks,

Robert

Sent from my iPhone