[Typo3-dev] S: Sponsoring Windows authentication in TYPO3

Michael Stucki mundaun at gmx.ch
Thu Aug 26 13:34:28 CEST 2004


Hi Juergen,

> for one client we are looking for the following solution:
> Situation: The client has a Windows network and Windows
> directory services installed. He now wants the TYPO3
> users to be authenticated through the Windows directory as well.

Dominic Brander from Snowflake and I have modified the login class. The
authentication is now done in a single function that can be modified
however you like.

So there are two parts:
- Windows authentication
    => several possibilities, see other replies
- Fetching the user data that will be stored in fe_users/be_users
    => We fetch this data from an employee database and write it into
       fe_users on every login. But you can modify this to your needs of
       course.

> We need the authentication on the frontend and on the
> backend as well.

Our solution was only made for fe_users but I think it's no problem to make
it work for be_users, too.

> I found LDAP authentication, but our client wants it to
> be implemented in such a way that logged-in Windows users do not
> have to authenticate again. The (new) TYPO3 authentication
> process should notice this automatically.

We solved this very simply:
- After login, a cookie is set
- On every visit, the cookie will be re-set for xx more days

There are two problems with this method:
- If a user does not log in for xx+1 days, he will have to enter his
  user/password again
- If an account is disabled/locked in the Windows domain, the user can still
  log into the TYPO3 system. (I don't think that this is a big problem
  because such a user could still not use the profile that contained his
  cookie. No cookie => no login!)

> *Plus* he wants a "logout" button, where the user can log in
> under a different TYPO3 user. (This is what does not go into my
> brain, because I think either he is logged in under Windows and
> gets automatically authenticated, *or* he has to log in to
> TYPO3 and can change his user-id, ...)

Single sign-on using NTLM _is_ possible even on Apache/Linux. There are
several Apache modules that provide such functionality.
However, it seems to work badly with some IE versions. Don't know why.

Since we don't use the NTLM authentication here (our users have to enter
user/password _once_ and I think this is not a big problem, is it?)
changing the username should be possible already.

(FYI, here we are using a form where the user enters his username/password.
Verification is done using the wbinfo command which is part of the Winbind
package. The password will _not_ be stored anywhere!)

> We are willing to sponsor existing(?) implementations to a certain
> amount. Please write any ideas you might have. The time frame
> is tight, we need a decision soon, or the client drops to
> something else,...

Our solution _is_ already implemented & working. But...

- You will have to modify it to your own needs
- There is a small problem with the cookie info that gets lost for some
  strange reason. So currently our users need to enter the password again
  after 1 day, but as soon as I have solved that the solution is ready.

Best regards
- michael
-- 
Want support? Please read the list rules first: http://typo3.org/1438.0.html
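The cookie scheme described in the reply above, written out as an added Python example (it is not code from the list post or from TYPO3): a signed cookie is issued after the user/password login, re-issued for xx more days on every visit, and rejected once it has expired or been tampered with. The Winbind/wbinfo check against the domain is replaced by a constructed `DOMAIN_ACCOUNTS` table, and the optional `recheck_domain` flag is an assumption added here to show how the second problem in the post (a disabled domain account that keeps logging in through its cookie) can be closed by consulting the domain again at renewal time.

```python
# Added example, not code from the TYPO3 list post.
# A signed "remember me" cookie with a sliding expiry, modelled on the
# scheme the mail describes, plus the two weaknesses it names.
import base64
import binascii
import hashlib
import hmac

COOKIE_LIFETIME_DAYS = 14                      # the "xx days" of the mail
DAY = 86400
SECRET = b"constructed-server-secret-do-not-reuse"   # constructed; keep per site

# Constructed stand-in for the Windows domain: username -> account enabled?
# In the mail this check is done with the wbinfo command from Winbind.
DOMAIN_ACCOUNTS = {"alice": True, "bob": False}      # bob is disabled


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the cookie payload, so clients cannot forge or edit it."""
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_cookie(username: str, now: float) -> str:
    """Create the cookie after a successful user/password login.

    Payload is 'username|expires' (usernames must not contain '|'),
    base64url-encoded and followed by its signature.
    """
    expires = int(now + COOKIE_LIFETIME_DAYS * DAY)
    payload = f"{username}|{expires}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def parse_cookie(cookie: str):
    """Return (username, expires) if the signature is valid, else None."""
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison; anything not signed by this server is rejected.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    username, expires = payload.decode().split("|", 1)
    return username, int(expires)


def visit(cookie: str, now: float, recheck_domain: bool = False):
    """Called on every page visit.

    Returns (username, renewed cookie) for a valid session, (None, None)
    otherwise. With recheck_domain=True the domain account state is
    consulted again before renewal (assumed mitigation, not in the mail).
    """
    parsed = parse_cookie(cookie)
    if parsed is None:
        return None, None
    username, expires = parsed
    if now > expires:
        # Problem 1 from the mail: no visit for xx+1 days => password again.
        return None, None
    if recheck_domain and not DOMAIN_ACCOUNTS.get(username, False):
        # Problem 2 from the mail: without this re-check, a disabled domain
        # account stays logged in for as long as its cookie keeps renewing.
        return None, None
    # Sliding window: re-set the cookie for xx more days.
    return username, issue_cookie(username, now)
```

Because the cookie is only a signed assertion that a password check once succeeded, it cannot by itself notice a later change in the domain; the `recheck_domain` branch shows where such a check belongs if the site needs lockouts to take effect before the cookie expires.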
