[Typo3-dev] S: Sponsoring Windows authentication in TYPO3

Hans J. Martin hans-jakob.martin at gmx.net
Thu Aug 26 09:45:04 CEST 2004


Hi Juergen!

Auth for IE intranet uses NTLM.
The protocol is easy to understand as they are just 'abusing' the http -
and we don't need any apache modules or something else:
I have already done half the way - I can get the encoded password of the
logged in user, crypted with given credentials. Unfortunately I haven't had
the time to figure out how to decode this :-)

There are some options to build a workaround:
1. make our auth module behave like a proxy between the client and some
instance, e.g. samba, NT Server or s.th. else, which can auth the user with
NTLM. Most applications do it in this way.

2. store the crypted password in the fe_user table - so the user will have
to auth the first time he logs in with e.g. a plain text password stored in
fe_user or against an ldap or s.th else (not NTLM able auth). Our module
generated the crypted password and stores this one in the fe_user table. The
intranet user can now log in as long as he doesn't change his windows
password. If he does, he will have to login manually one time to update the
database. There are certainly some security issues, because we have to
hardcode the credentials which are used by the client to crypt his password.
So this might be as risky as sending plaintext pw over the net.

Most of the mechanism can be found on samba.org - they have certainly
studied a lot of the windows security...

Rgds,
Hans

"Juergen Egeling" <egeling at punkt.de> wrote in message
news:mailman.97.1093444474.11015.typo3-dev at lists.netfielders.de...
> Hello,
> for one client we are looking for the following solution:
> Situation: The client has a windows network and Windows
> directory services installed. He now wants that the TYPO3
> users get authenticated thru the windows directory as well.
> (TYPO3 will run in a linux box, samba authentication might
> be an option, if this helps.)
> We need the authentication on the frontend and on the
> backend as well.
> On the frontend the user should get notified (logged in), and
> see "his" view of the FE system, he can e.g. change his user
> data, ...
> On the backend users should get authenticated and then be able
> to behave as a BE user, that belongs to a certain group.
> I found LDAP authentication, but our client wants it to
> be implemented in the way, that logged in Windows users, do not
> have to authenticate again. The (new) TYPO3 authentication
> process should notice this automatically.
> *Plus* he wants a "logout" button, where the user can login
> under a different TYPO3 user. (This is what does not go to my
> brain, because I think either he is logged in under windows and
> gets automatically authenticated, *or* he has to login in
> TYPO3 and can change his user-id, ...)
> We are willing to sponsor existing(?) implementations to a certain
> amount. Please write any ideas you might have. The time frame
> is tight, we need a decision soon, or the client drops to
> something else,...
>
> Juergen
> -- 
> punkt.de GmbH               Internet-Dienstleistungen-Beratung
> Vorholzstr. 25              Tel.: 0721 9109-0  Fax: -100
> 76137 Karlsruhe             info at punkt.de    http://punkt.de/
>
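Added example, not code from this thread or from the TYPO3 project: a small Python decoder for the three NTLM messages that ride base64-encoded in the WWW-Authenticate / Authorization headers during the handshake Hans describes (401 with "WWW-Authenticate: NTLM", client Type 1, 401 with server Type 2 carrying the challenge, client Type 3 carrying user, domain, workstation and the challenge responses). The message layouts follow the public MS-NLMP field offsets; the two sample messages are constructed inline, the server challenge is a fixed constant chosen here for the demo, and the 24-byte response blobs are placeholder bytes rather than real NTLM responses. The decoder also labels whether the NT response is the 24-byte NTLMv1 form or the longer NTLMv2 form, which is the first thing to look at when deciding whether any of the workarounds in the mail are acceptable.

```python
"""NTLM-over-HTTP message decoder (added example; the sample messages are constructed)."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE


def _field(buf, offset):
    """Read a (Len, MaxLen, BufferOffset) security-buffer descriptor and return the bytes it points at."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, offset)
    return buf[start:start + length]


def _decode_str(raw, flags):
    # Strings are UTF-16LE when the unicode flag is negotiated, OEM (treated as ASCII here) otherwise.
    return raw.decode("utf-16-le") if flags & NEGOTIATE_UNICODE else raw.decode("ascii")


def parse_ntlm_header(header_value):
    """Decode the value of a 'WWW-Authenticate: NTLM <b64>' or 'Authorization: NTLM <b64>' header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(token)
    if len(msg) < 16 or not msg.startswith(SIGNATURE):
        raise ValueError("bad NTLMSSP signature")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type == 1:  # NEGOTIATE_MESSAGE: flags sit right after the header
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0]}
    if msg_type == 2:  # CHALLENGE_MESSAGE: TargetName fields, flags, 8-byte server challenge
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": 2, "flags": flags,
                "target": _decode_str(_field(msg, 12), flags),
                "challenge": msg[24:32].hex()}
    if msg_type == 3:  # AUTHENTICATE_MESSAGE: LM, NT, Domain, User, Workstation, SessionKey fields, flags
        flags = struct.unpack_from("<I", msg, 60)[0]
        nt_len = len(_field(msg, 20))
        return {"type": 3, "flags": flags,
                "domain": _decode_str(_field(msg, 28), flags),
                "user": _decode_str(_field(msg, 36), flags),
                "workstation": _decode_str(_field(msg, 44), flags),
                "lm_response_len": len(_field(msg, 12)),
                "nt_response_len": nt_len,
                # 24 bytes is the NTLMv1 DES-based response; NTLMv2 is a 16-byte HMAC plus a blob, so longer.
                "nt_response_kind": "NTLMv1" if nt_len == 24 else "NTLMv2" if nt_len > 24 else "none"}
    raise ValueError("unknown NTLM message type %d" % msg_type)


def build_challenge_message(target, challenge, flags=NEGOTIATE_UNICODE):
    """Construct a Type 2 message (server side). The fixed part is 48 bytes, payload follows."""
    target_raw = target.encode("utf-16-le")
    msg = SIGNATURE + struct.pack("<I", 2)
    msg += struct.pack("<HHI", len(target_raw), len(target_raw), 48)
    msg += struct.pack("<I", flags) + challenge + b"\x00" * 8
    msg += struct.pack("<HHI", 0, 0, 48 + len(target_raw))  # empty TargetInfo
    return msg + target_raw


def build_authenticate_message(domain, user, workstation, lm_resp, nt_resp, flags=NEGOTIATE_UNICODE):
    """Construct a Type 3 message (client side). The fixed part is 64 bytes, payload follows."""
    items = [lm_resp, nt_resp] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    offset, descriptors, payload = 64, b"", b""
    for item in items:  # order of descriptors: LM, NT, Domain, User, Workstation, EncryptedRandomSessionKey
        descriptors += struct.pack("<HHI", len(item), len(item), offset)
        offset += len(item)
        payload += item
    return SIGNATURE + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + payload


def demo_handshake():
    """Walk the server challenge and client answer of one constructed handshake; returns both decoded."""
    challenge = bytes.fromhex("0123456789abcdef")  # constructed; a real server draws this at random per exchange
    type2 = "NTLM " + base64.b64encode(build_challenge_message("INTRANET", challenge)).decode()
    lm_resp = b"\x00" * 24                          # placeholder, not a real LM response
    nt_resp = b"\x11" * 24                          # placeholder, not a real NT response
    type3 = "NTLM " + base64.b64encode(
        build_authenticate_message("INTRANET", "hans", "WS01", lm_resp, nt_resp)).decode()
    return parse_ntlm_header(type2), parse_ntlm_header(type3)


if __name__ == "__main__":
    server_msg, client_msg = demo_handshake()
    print("server sent:", server_msg)
    print("client sent:", client_msg)
```

Pointing the decoder at the Authorization header a browser sends makes Hans's "encoded password" concrete: what arrives is the user, domain and workstation in the clear plus a response keyed to the 8-byte challenge the server chose in its Type 2 message. That is also why option 2 in the mail is only as strong as the hardcoded challenge: whoever can read the stored response can answer the same fixed challenge again, which a per-request random challenge is there to prevent.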
