So let me rephrase your request just to make sure I understand what you're
asking for:
A user successfully logs into a server. Then their account is immediately locked
out so they cannot log in again for a period of time. Perhaps you're doing this
because you don't want a user to log into a server more than once in a 5 minute
period, for example?
I'm not sure that pamLDAP is the proper place to look for the solution.
The way I see it you need one of these solutions:
1) The LDAP Directory locks an account after a successful (or even unsuccessful)
log in.
2) Your application, which is using pamLDAP to speak to the Directory, needs to
cache the user's name and temporarily block them from re-connecting for a period
of time.
If you're the developer for a particular application then I'd suggest going with
solution #2. If you're the administrator of the Directory then perhaps you can
find a solution there.
Thanks!
Jason Morrill
IT Manager
Child & Family Agency of Southeastern Connecticut
(860) 443-2896 x1422
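
Solution #2 from the message above (the application caches the user's name and refuses re-connection for a period), as an added example that is not part of the original message or of pam_ldap. The names LoginGate, admit, quarantine and release are hypothetical, and the LDAP bind is assumed to happen elsewhere and to be passed in as `authenticated`.

```python
import threading
import time


class LoginGate:
    """Application-side temporary block list, keyed by username.

    Sits after the directory bind: the password is never touched, the
    application just refuses the session while a block is active.
    """

    def __init__(self, cooldown=300.0, clock=time.monotonic):
        self.cooldown = cooldown      # seconds between allowed logins
        self._clock = clock           # injectable so tests need no sleep
        self._blocked_until = {}      # normalized username -> expiry time
        self._lock = threading.Lock()

    @staticmethod
    def _key(username):
        # Normalize so "Bob " and "bob" share one block entry.
        return username.strip().casefold()

    def quarantine(self, username, seconds):
        """Administrator action: suspend a user for `seconds`."""
        with self._lock:
            self._blocked_until[self._key(username)] = self._clock() + seconds

    def release(self, username):
        with self._lock:
            self._blocked_until.pop(self._key(username), None)

    def admit(self, username, authenticated):
        """Decide after the LDAP check; returns (allowed, seconds_left)."""
        if not authenticated:
            # Failed binds learn nothing about whether a block exists.
            return (False, 0.0)
        now = self._clock()
        key = self._key(username)
        with self._lock:
            # Drop expired entries so the cache cannot grow without bound.
            for k in [k for k, t in self._blocked_until.items() if t <= now]:
                del self._blocked_until[k]
            until = self._blocked_until.get(key)
            if until is not None:
                return (False, until - now)
            # A successful login starts the cooldown window for this user.
            if self.cooldown > 0:
                self._blocked_until[key] = now + self.cooldown
            return (True, 0.0)
```

The cache lives in one process's memory, so an application running several workers or hosts would need a shared store for the same map.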
Quoting Jyotishmaan <jyotishmaan@...>:
>
>
>
> Yes, I agree with you.
>
> My question remains unanswered as it could not be understood!!!!
>
> Here it goes once again:-
>
> A user x logs onto his system say-"x" which then is being checked with the
> stored entry in the openldap database, and if it only matches that, the
> authentication process is said to be successful and the user is said to have
> successful authentication from his system "x" to the server say "y".
>
> Well after this phase of authentication, comes authorization, as such to
> check -"who has been granted what" ?
>
> My question, was it is possible to suspend a user to successfully log onto
> the server system, without affecting his password etc for a short period of
> time something called "quarantine" , plz correct me if I am wrong. This I
> need to set up in my kind of administration where the users have been given
> limited access privileges and downloading capacities etc.
>
> Plz Give me some pointers !!!
>
>
>
> Jason Morrill wrote:
> >
> > Perhaps I'm as confused as everyone else on this list.
> >
> > Security is typically two-fold:
> > 1) Authentication = the username exists in the system and the password
> > matches
> > 2) Authorization = the username is allowed to do what is being asked
> >
> > In many systems Authentication is all that is needed to get in the 'front
> > door'. Authorization is left for more detailed security measures.
> >
> > For example:
> > Let's say we have a basic Webmail application. Bob enters his information
> > into a 'login' screen. That information is then **Authenticated** against
> > the Directory using LDAP. Let's say he entered the correct info. So now
> > he's part way into the Webmail system. Now Webmail checks Bob's
> > **Authorization** to see if it should show him links to things like 'Admin'
> > and 'Edit Global Addressbook'. Since Bob is not Authorized for that level he
> > doesn't see those options.
> >
> > For a further elaboration on authentication vs. authorization:
> >
> > http://en.wikipedia.org/wiki/Authorization
> >
> > I know this doesn't answer your question but I don't think anyone here
> > understands your question. Perhaps the information I've outlined above
> > will help you to rephrase it so we can understand what you're asking for.
> >
> > Jason
> >
> >
> > Quoting Jyotishmaan <jyotishmaan@...>:
> >
> >>
> >> Yes, I am sure you are wrong, as per my knowledge and experience with
> >> openldap.
> >>
> >> Please give some pointers on this-In what wayz can I make my request DN
> >> and not match with the entry stored in the database ?
> >>
> >>
> >>
> >> vsp_123 wrote:
> >> >
> >> > Hi,
> >> >
> >> > I always thought authorization came after authentication. But I guess
> >> > I could be wrong :)
> >> >
> >> > Prakash
> >> >
> >> >
> >> > On Apr 10, 2008, at 3:08 AM, Jyotishmaan Ray wrote:
> >> >
> >> >>
> >> >> Hello List,
> >> >>
> >> >> Can anybody let me know if there are anywayz that, after
> >> >> authorization, authentication can be stopped ??
> >> >> In other words when a user logs on and he is being authorized and
> >> >> his entry is checked in the database but after that, is it possible
> >> >> to make it an unsuccessful authentication manually for a specific
> >> >> user ?
> >> >>
> >> >> This I want to do, in order to suspend the user to log on for some
> >> >> time, temporarily.
> >> >>
> >> >> Please throw some pointers in this direction !!!!
> >> >>
> >> >>
> >> >> Thanks,
> >> >> Jyotishmaan Ray
> >> >
> >> > Prakash Velayutham
> >> > Programmer / Analyst
> >> > Cincinnati Children's Hospital Medical Center
> >> >
> >> >
> >> >
> >>
> >> --
> >> View this message in context:
> >> http://www.nabble.com/How-to-make-it-unsuccessful-authentication----tp16605307p16627298.html
> >> Sent from the PAM LDAP mailing list archive at Nabble.com.
> >>
> >>
> >> --
> >> This message has been scanned for viruses and
> >> dangerous content by MailScanner, and is
> >> believed to be clean.
> >>
> >>
> >
> >
> >
> >
> >
>
> --
> View this message in context:
>
> http://www.nabble.com/How-to-make-it-unsuccessful-authentication----tp16605307p16646393.html
> Sent from the PAM LDAP mailing list archive at Nabble.com.
>
>
>
>