RE: Proper Authentication with CFLDAP?

2008-10-24 Thread Dawson, Michael
AD is closest to #2 in your list.

Mike 

-Original Message-
From: Shannon Peevey [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 24, 2008 8:54 AM
To: cf-talk
Subject: Re: Proper Authentication with CFLDAP?

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314342
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: Proper Authentication with CFLDAP?

2008-10-24 Thread Shannon Peevey
There are three types of binds that an LDAP server can be configured for:

1. anonymous - the tree is world readable, so no credentials are checked,
and your search has all of the rights granted to "anonymous"
2. user bind - the user authenticates against the tree, and has rights
granted based upon the user's rights. (no anonymous reads usually).
3. unauthenticated - anonymous binding with user dn, but no password.

1 and 2 are the most prevalent. I don't have as much experience with Active
Directory, so they may have extended these possibilities.

speeves

On Fri, Oct 24, 2008 at 8:38 AM, Dawson, Michael <[EMAIL PROTECTED]>wrote:


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314341


RE: Proper Authentication with CFLDAP?

2008-10-24 Thread Dawson, Michael
It depends on your LDAP server.  It appears that you are not using
Active Directory due to the way you have handled your start and username
attributes.  AD allows any domain user to query the directory.

Other servers, such as Novell DS, may require you to first query the
directory for the DN of the user who is trying to authenticate.  This
first query will require a known username and password.

Then, the second query will take the first query's DN and use it as the
username.  If all works, then, the user is authenticated.

However, I have worked with a Novell server that doesn't require a
username/password at all.  From what I am told, this is common for
Novell servers.

There are a couple of improvements I would suggest.

1. As Shannon said, for the START, you can specify the root of the users
container, rather than the DN of the user object.  If you are told to
specify the DN in the START, then change your SCOPE to BASE.  There is
no SUBTREE for a single object.  Therefore, there is no need to ask the
LDAP server to search through sub-OUs when you just told it the exact
destination.  It doesn't hurt, but it's confusing when reading the code.

2. While authenticating, you can also bring out other attributes such as
givenName, sn, mail, etc.  Currently, you are returning only cn.  You
may need other attributes within your application, so why not
authenticate, and get their values, in a single request?

3. You don't need the  part of your condition.  You already know
the UserIsValid variable is 0.

Mike
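The search-then-bind procedure Mike describes, with Shannon's three bind types in mind, as an added example that is not code from the thread: a constructed in-memory directory stands in for the LDAP server, and the login refuses an empty password before anything reaches the server, because a server that permits unauthenticated binds (type 3) would accept the user's DN with no password and the application would count that as a successful login. The names FakeServer, authenticate, escape_filter and the example DNs are assumptions, not anything from the thread.

```python
import re

# Constructed in-memory directory; stands in for the LDAP server in the thread.
DIRECTORY = {
    "uid=mtaylor,ou=people,dc=example,dc=org": {
        "password": "s3cret", "uid": "mtaylor", "givenName": "Marie",
        "sn": "Taylore", "mail": "mtaylor@example.org"},
    "uid=svc-web,ou=services,dc=example,dc=org": {
        "password": "svc-pw", "uid": "svc-web"},
}

class FakeServer:
    """Mimics a directory that allows 'unauthenticated' binds (a DN with an
    empty password is accepted as anonymous) and lets any bound user search."""
    def bind(self, dn, password):
        if password == "":                       # bind type 3 in Shannon's list
            return True
        entry = DIRECTORY.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, base_dn, ldap_filter, attrs):
        m = re.fullmatch(r"\(uid=([^()*]*)\)", ldap_filter)  # exact-match filters only
        if m is None:
            return []
        wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
        return [(dn, {a: e[a] for a in attrs if a in e})
                for dn, e in DIRECTORY.items()
                if dn.endswith("," + base_dn) and e["uid"] == wanted]

def escape_filter(value):
    """RFC 4515 escaping: the username is a literal value, never filter syntax."""
    return re.sub(r"[\\*()\0]", lambda c: "\\%02x" % ord(c.group()), value)

def authenticate(server, base_dn, svc_dn, svc_pw, username, password):
    """Search-then-bind login. Returns (user_dn, attrs) or None on failure."""
    if not password.strip():      # never send an empty password: the server
        return None               # may treat it as an anonymous bind and say OK
    if not server.bind(svc_dn, svc_pw):
        raise RuntimeError("service account bind failed")
    hits = server.search(base_dn, "(uid=%s)" % escape_filter(username),
                         ["givenName", "sn", "mail"])   # attributes Mike suggests
    if len(hits) != 1:            # unknown user, or ambiguous match: refuse
        return None
    user_dn, attrs = hits[0]
    if not server.bind(user_dn, password):    # the bind that proves the password
        return None
    return user_dn, attrs
```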

-Original Message-
From: Marie Taylore [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 23, 2008 4:01 PM
To: cf-talk
Subject: Proper Authentication with CFLDAP?


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314340


Re: Proper Authentication with CFLDAP?

2008-10-23 Thread Shannon Peevey
Yes, this would let you know that they are authenticated.  It assumes that
your LDAP server allows users to read from the tree. I'm not sure about using
the full DN to the object with the start key.  I always use the people
container.  Here is my example:

  

Don't forget to authorize the user as well :)

speeves


On Thu, Oct 23, 2008 at 4:01 PM, Marie Taylore <[EMAIL PROTECTED]>wrote:

> I just received this code as the "proper" way to "bind" someone during an
> LDAP login to a ColdFusion App.  Is this really the right way?
>
> 
> 
>name="Authenticate"
>start="uid=#username#,ou=#OurOU#,dc=#OurDC#,dc=#OurDC2#"
>attributes="cn"
>scope="SUBTREE"
>server="#OurServer#"
>username="uid=#username#,ou=#OurOU#,dc=#OurDC#,dc=#OurDC2#"
>password="#password#">
>
> 
>
> 
>Sorry, login failed.
>
> 
>
> If they pass the CFABORT above, they're "authenticated" to your app.
>
>
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314320