[Typo3-dev] S: Sponsoring Windows authentification in TYPO3

Hans J. Martin hans-jakob.martin at gmx.net
Thu Aug 26 09:58:40 CEST 2004


..just forgot the third way:
If you don't have an instance for auth, a solution would be to just crypt
the plaintext stored pw from fe_users the same way as IE does in NTLM.
Maybe there do exist some classes for this right now - I haven't found them
last year (when I coded this). Has anybody done an encryption class? It would
be a task of just a few hours then to make a reliable extension for SSO!

Rgds,
Hans
"Hans J. Martin" <hans-jakob.martin at gmx.net> wrote in message
news:mailman.1.1093506307.13377.typo3-dev at lists.netfielders.de...
> Hi Juergen!
>
> Auth for IE intranet uses NTLM.
> The protocol is easy to understand as they are just 'abusing' the http -
> and we don't need any apache modules or something else:
> I have already done half the way - I can get the encoded password of the
> logged in user, crypted with given credentials. Unfortunately I haven't had
> the time to figure out how to decode this :-)
>
> There are some options to build a workaround:
> 1. make our auth module behave like a proxy between the client and some
> instance, e.g. samba, NT Server or s.th. else, which can auth the user with
> NTLM. Most applications do it in this way.
>
> 2. store the crypted password in the fe_user table - so the user will have
> to auth the first time he logs in with e.g. a plain text password stored in
> fe_user or against an ldap or s.th. else (not NTLM able auth). Our module
> generates the crypted password and stores this one in the fe_user table. The
> intranet user can now log in as long as he doesn't change his windows
> password. If he does, he will have to login manually one time to update the
> database. There are certainly some security issues, because we have to
> hardcode the credentials which are used by the client to crypt his password.
> So this might be as risky as sending plaintext pw over the net.
>
> Most of the mechanism can be found on samba.org - they have certainly
> studied a lot of the windows security...
>
> Rgds,
> Hans
>
> "Juergen Egeling" <egeling at punkt.de> wrote in message
> news:mailman.97.1093444474.11015.typo3-dev at lists.netfielders.de...
> > Hello,
> > for one client we are looking for the following solution:
> > Situation: The client has a windows network and Windows
> > directory services installed. He now wants that the TYPO3
> > users get authenticated thru the windows directory as well.
> > (TYPO3 will run in a linux box, samba authentication might
> > be an option, if this helps.)
> > We need the authentication on the frontend and on the
> > backend as well.
> > On the frontend the user should get notified (logged in), and
> > see "his" view of the FE system, he can e.g. change his user
> > data, ...
> > On the backend users should get authenticated and then be able
> > to behave as a BE user, that belongs to a certain group.
> > I found LDAP authentication, but our client wants it to
> > be implemented in the way, that logged in Windows users do not
> > have to authenticate again. The (new) TYPO3 authentication
> > process should notice this automatically.
> > *Plus* he wants a "logout" button, where the user can login
> > under a different TYPO3 user. (This is what does not go to my
> > brain, because I think either he is logged in under windows and
> > gets automatically authenticated, *or* he has to login in
> > TYPO3 and can change his user-id, ...)
> > We are willing to sponsor existing(?) implementations to a certain
> > amount. Please write any ideas you might have. The time frame
> > is tight, we need a decision soon, or the client drops to
> > something else,...
> >
> > Juergen
> > -- 
> > punkt.de GmbH               Internet-Dienstleistungen-Beratung
> > Vorholzstr. 25              Tel.: 0721 9109-0  Fax: -100
> > 76137 Karlsruhe             info at punkt.de    http://punkt.de/
> >
>
>
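
Added example, not part of the original thread and not TYPO3 code: a bounds-checked Python parser for the NTLM Type 3 (authenticate) message that a browser sends in "Authorization: NTLM <base64>", showing that the server receives names plus fixed-size challenge responses, not a password. The field offsets follow the publicly documented NTLMSSP layout; the function names and the sample message (INTRANET, jdoe, WS01, dummy response bytes) are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
# Header positions of the Type 3 security buffers (uint16 len, uint16 maxlen, uint32 offset).
FIELDS = {"lm_response": 12, "nt_response": 20, "domain": 28,
          "user": 36, "workstation": 44}

def parse_type3(header_value):
    """Parse the value of an 'Authorization: NTLM <base64>' header."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 52 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature or truncated header")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected Type 3 (authenticate), got %d" % msg_type)
    raw, first_payload = {}, len(msg)
    for name, pos in FIELDS.items():
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        # Reject buffers pointing outside the message or into the fixed header.
        if length and (offset < 52 or offset + length > len(msg)):
            raise ValueError("security buffer %r out of bounds" % name)
        raw[name] = msg[offset:offset + length] if length else b""
        if length:
            first_payload = min(first_payload, offset)
    # The flags field at offset 60 is optional: present only if no payload overlaps it.
    flags = struct.unpack_from("<I", msg, 60)[0] if first_payload >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    out = {k: raw[k].decode(enc) for k in ("domain", "user", "workstation")}
    out["lm_response"], out["nt_response"] = raw["lm_response"], raw["nt_response"]
    return out

def build_sample_type3():
    """Constructed sample message: fake names and dummy 24-byte responses."""
    parts = [bytes(range(24)), bytes(range(24, 48)), "INTRANET".encode("utf-16-le"),
             "jdoe".encode("utf-16-le"), "WS01".encode("utf-16-le"), b""]
    header, payload, offset = SIGNATURE + struct.pack("<I", 3), b"", 64
    for p in parts:  # the five fields above plus an empty session key buffer
        header += struct.pack("<HHI", len(p), len(p), offset)
        payload += p
        offset += len(p)
    header += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(header + payload).decode("ascii")
```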





