Fwd: NTLM and groups

by Tim McDonald-2

Hi

I'm running into a problem with the NTLM user authentication scheme and
was wondering if the daisy list could provide some pointers on my  
potential solutions.

I've successfully set up Daisy to authenticate users against the NTLM
domain controller, the users are created. Everything's great :-)

The problem I'm experiencing is that we'd actually like users to be  
allocated different roles based upon the group they belong to in the  
windows domain.  For example, users in the student group of the  
windows domain should be assigned the role of student in daisy.  
Similarly, users belonging to the staff group of the windows domain  
should be assigned the role of staff. Our IT chaps require this to  
ensure the

I've searched the daisy documentation and looked through the source  
code for the authentication scheme (services/ntlm-auth). Both sources  
don't appear to offer any guidance on how (or if) groups can be  
incorporated in the set up of an authentication scheme.

Thanks in advance

Tim



______________________________________________
Tim McDonald

Research Assistant

Dept of Mechanical Engineering
University College London
_______________________________________________
daisy community mailing list
Professional Daisy support: http://outerthought.org/en/services/daisy/support.html
mail to: daisy@...
list information: http://lists.cocoondev.org/mailman/listinfo/daisy

Re: Fwd: NTLM and groups

by Steven Noels


On 08 Jul 2008, at 16:22, Tim McDonald wrote:

> Hi
>
> I'm running into a problem with the NTLM user authentication scheme
> and was wondering if the daisy list could provide some pointers on  
> my potential solutions.
>
> I've successfully set up Daisy to authenticate users against the
> NTLM domain controller, the users are created. Everything's great :-)
>
> The problem I'm experiencing is that we'd actually like users to be  
> allocated different roles based upon the group they belong to in  
> the windows domain.  For example, users in the student group of the  
> windows domain should be assigned the role of student in daisy.  
> Similarly, users belonging to the staff group of the windows domain  
> should be assigned the role of staff. Our IT chaps require this to  
> ensure the
>
> I've searched the daisy documentation and looked through the source  
> code for the authentication scheme (services/ntlm-auth). Both  
> sources don't appear to offer any guidance on how (or if) groups  
> can be incorporated in the set up of an authentication scheme.


Tim,

you're looking in the correct place but won't find anything since  
groups are currently not supported in the current scheme(s). As  
you've been reading the source code, I'm sure you found out that it's  
pretty easy to add your own auth scheme which does what you want there.

http://cocoondev.org/daisydocs-2_3/373-cd/474-cd/470-cd/471-cd.html

Hope this helps,

</Steven>
--
Steven Noels                            http://outerthought.org/
Outerthought                              Open Source Java & XML
stevenn at outerthought.org              Makers of the Daisy CMS


Re: Fwd: NTLM and groups

by Tim McDonald-3

Steven

Thanks for the response. I'll have a crack at creating my own auth  
scheme. For anyone else wanting to go down this route I think that  
jcifs (the library used for ntlm authentication) can't deal with  
groups directly. However, jcifs provides a suggested work around...

http://jcifs.samba.org/src/docs/api/jcifs/smb/SmbSession.html

The class represents a user's session established with an SMB/CIFS  
server. This class is used internally to the jCIFS library however  
applications may wish to authenticate arbitrary user credentials with
the logon method. It is noteworthy that jCIFS does not support DCE/RPC
at this time and therefore does not use the NETLOGON procedure.
Instead, it simply performs a "tree connect" to IPC$ using the
supplied credentials. This is only a subset of the NETLOGON procedure
but it achieves the same effect. Note that it is possible to change the
resource against which clients are authenticated to be something other
than IPC$ using the jcifs.smb.client.logonShare property. This can be
used to provide simple group based access control. For example, one  
could setup the NTLM HTTP Filter with the  
jcifs.smb.client.domainController init parameter set to the name of  
the server used for authentication. On that host, create a share  
called JCIFSAUTH and adjust the access control list for that share to  
permit only the clients that should have access to the target website.  
Finally, set the jcifs.smb.client.logonShare to JCIFSAUTH. This should  
restrict access to only those clients that have access to the  
JCIFSAUTH share. The access control on that share can be changed  
without changing init parameters or reinitializing the webapp.


Cheers

Tim

______________________________________________
Tim McDonald

Research Assistant

Dept of Mechanical Engineering
University College London

On 8 Jul 2008, at 15:30, Steven Noels wrote:

> Tim,
>
> you're looking in the correct place but won't find anything since  
> groups are currently not supported in the current scheme(s). As  
> you've been reading the source code, I'm sure you found out that  
> it's pretty easy to add your own auth scheme which does what you  
> want there.
>
> http://cocoondev.org/daisydocs-2_3/373-cd/474-cd/470-cd/471-cd.html
>
> Hope this helps,
>
> </Steven>

Re: Fwd: NTLM and groups

by Tim McDonald-3

Hi

I've managed to get half way towards solving my problem with authenticating new users but with differing roles. I've now got a working authentication scheme plugin which (I think) checks that users are part of a group using the permissions on a specified windows share.

I'd quite like to document my solution so I've created a new account on the Daisy Community Wiki. I don't suppose someone could turn it on (username: timmcd).

I do have one remaining question (or possibly a new feature request). Can the authenticator be set to work in a cascade mode? (i.e. defining multiple authentication schemes which are then applied in sequence if an earlier authentication scheme fails).

<target path="/daisy/repository/authentication/authenticator">
  <configuration>
    <!-- Indicates which authentication scheme to use, if any, to automatically create new users. -->
    <authenticationSchemeForUserCreation>ntlm1</authenticationSchemeForUserCreation>
    <authenticationSchemeForUserCreation>ntlm2</authenticationSchemeForUserCreation>
    <authenticationSchemeForUserCreation>ntlm3</authenticationSchemeForUserCreation>
  </configuration>
</target>

This seems to be a simple way of allowing daisy to automate the creation of new users with different roles using a range of different authentication schemes.

Best regards


Tim
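
The share-per-group workaround and the cascade idea discussed in this thread, sketched as an added example (not part of the original posts, and not Daisy's or jCIFS's own code). The share names DAISY_STAFF and DAISY_STUDENT, the ShareProbe interface and the in-memory ACL are hypothetical stand-ins; the jCIFS call appears only as a comment.

```java
import java.util.*;

/** Added illustration: pick a role by probing one ACL-protected share per Windows group. */
public class ShareRoleResolver {

    /** True only if these credentials can open the share; may throw on network errors. */
    interface ShareProbe {
        boolean canConnect(String share, String domain, String user, String password) throws Exception;
    }

    private final Map<String, String> shareToRole; // iteration order is the cascade order
    private final ShareProbe probe;

    ShareRoleResolver(LinkedHashMap<String, String> shareToRole, ShareProbe probe) {
        this.shareToRole = new LinkedHashMap<>(shareToRole);
        this.probe = probe;
    }

    /** The first share that admits the user decides the role; empty means "create no user". */
    Optional<String> resolveRole(String domain, String user, String password) {
        for (Map.Entry<String, String> entry : shareToRole.entrySet()) {
            try {
                if (probe.canConnect(entry.getKey(), domain, user, password)) {
                    return Optional.of(entry.getValue());
                }
            } catch (Exception e) {
                // Fail closed: a timeout or denied connect never grants a role; try the next share.
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed stand-in for the share ACLs on the authentication host.
        Map<String, Set<String>> acl = Map.of(
                "DAISY_STAFF", Set.of("alice"),
                "DAISY_STUDENT", Set.of("alice", "bob"));
        // With jCIFS 1.x the probe could instead attempt (assumption, untested here):
        //   new SmbFile("smb://host/" + share + "/", new NtlmPasswordAuthentication(d, u, p)).connect();
        ShareProbe probe = (share, d, u, p) -> acl.getOrDefault(share, Set.of()).contains(u);
        LinkedHashMap<String, String> order = new LinkedHashMap<>();
        order.put("DAISY_STAFF", "staff");     // listed first, so it wins for users on both ACLs
        order.put("DAISY_STUDENT", "student");
        ShareRoleResolver resolver = new ShareRoleResolver(order, probe);
        for (String user : new String[] {"alice", "bob", "mallory"}) {
            System.out.println(user + " -> " + resolver.resolveRole("EXAMPLE", user, "secret"));
        }
    }
}
```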



Re: Fwd: NTLM and groups

by karel_vervaeke

Access granted.  Nice of you to share your work!

On Thu, 2008-07-10 at 16:35 +0100, Tim McDonald wrote:

> Hi
>
>
> I've managed to get half way towards solving my problem with
> authenticating new users but with differing roles. I've now got a
> working authentication scheme plugin which (I think) checks that users
> are part of a group using the permissions on a specified windows share.
>
>
> I'd quite like to document my solution so I've created a new account
> on the Daisy Community Wiki. I don't suppose someone could turn it on
> (username: timmcd).
>
>
> I do have one remaining question (or possibly a new feature request).
> Can the authenticator be set to work in a cascade mode? (i.e. defining
> multiple authentication schemes which are then applied in sequence if
> an earlier authentication scheme fails).
>
>
> <target path="/daisy/repository/authentication/authenticator">
> <configuration>
> <!-- Indicates which authentication scheme to use, if any, to automatically create new users. -->      
> <authenticationSchemeForUserCreation>ntlm1</authenticationSchemeForUserCreation>
> <authenticationSchemeForUserCreation>ntlm2</authenticationSchemeForUserCreation>
> <authenticationSchemeForUserCreation>ntlm3</authenticationSchemeForUserCreation>
> </configuration>
>  </target>
> This seems to be a simple way of allowing daisy to automate the
> creation of new users with different roles using a range of
> different authentication schemes.
>
>
>
> Best regards
>
>
>
>
> Tim