Forum OpenACS Q&A: Authentication

Posted by Carl Robert Blesius on
I know of two available methods of authentication for ACS: ldap and internal.

Are there other ways to authenticate users for an ACS site?

Can the two be mixed (check ldap first then check internal)?

Anyone doing something like this with OpenACS?

2: Response to Authentication (response to 1)
Posted by Jamie Rasmussen on
Check out these threads:

For a small demonstration site I hacked OpenACS to authenticate a user to a Windows domain using ADSI LDAP. It would fall back upon the standard login process. It only required minor changes to OpenACS files.
3: Response to Authentication (response to 1)
Posted by Carl Robert Blesius on

In the meantime I found those threads and I am glad I didn't have to answer myself (thank you Jamie 😉). The fact that you got OpenACS to authenticate against Windows Active Directory is exciting. Heterogeneous sources of authentication are commonplace in large organizations, and the fact that fallback authentication can be done is important. At our university there are plans to implement a university-wide directory (in fact this morning I heard that Windows Active Directory is being seriously considered), so your post could not have had better timing.

Although it is not something that we would be able to test right now could you elaborate a little (I am sure there are others that would be interested in knowing how and when you did this)? Do you think your (carefully honed) modifications could eventually be used in a production environment with thousands of users?

4: Response to Authentication (response to 1)
Posted by Jamie Rasmussen on
About six weeks ago I wanted to set up an OpenACS 4 bboard as a kind of "online suggestion box". This was really just a mockup for a very few users to demonstrate OpenACS's email alerts and other features, so I didn't worry about being sloppy. Because of that, and because I'm working on Windows 2000, this would not be the way to go for a production environment with thousands of users. If I were doing this for a real site, I would probably have used nsldap, SSL, an option to not do the fallback, etc.

I wrote a Perl script that takes a name and password and checks it against the Active Directory via LDAP. It used Win32::OLE. If authentication succeeds, the script fetches the user's full name from the AD and prints it. The Perl script just gets exec'ed from a TCL function that checks the return value and any output.

All of the changes I made to OpenACS were in acs-subsite/www/register/. Most of them were small things, like changing the ADP pages to say "Windows Username" instead of "Email". The authentication logic in user-login.tcl is the only real code that needs to be changed. If authentication succeeds, I check the username against the existing OpenACS accounts. If it is not there, I create the user using the first and last names returned by the Perl script. If ADSI authentication fails it uses the built-in authentication. Since this was a toy installation, I didn't bother with deleting accounts, etc.
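The login chain described in this thread (check the external directory first, fall back to the built-in accounts, create a local account on first successful directory login), written out as an added example. This is not OpenACS code and not the poster's Perl/Tcl, and it uses Python rather than Tcl so it can run stand-alone. The directory check is an injected function: in production it would be an LDAP simple bind over TLS (nsldap, ldap3 or similar); here a constructed fake directory stands in for Active Directory so the block runs offline. The fake also reproduces one real server behaviour worth guarding against: a simple bind with a name and an empty password is an unauthenticated bind (RFC 4513 §5.1.2) that many servers, Active Directory included, report as success.

```python
"""External-directory-first login with optional internal fallback.
Added example; the directory bind is an assumption satisfied by a fake."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# (username, password) -> (given name, surname) on success, None on failure.
# Stand-in for an LDAP simple bind plus a lookup of the user's names.
BindFn = Callable[[str, str], Optional[Tuple[str, str]]]


@dataclass
class Account:
    first_name: str
    last_name: str
    salt: bytes
    pw_hash: bytes  # PBKDF2-HMAC-SHA256 of the internal password


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(first: str, last: str, password: Optional[str]) -> Account:
    salt = os.urandom(16)
    # Accounts provisioned from the directory get a random internal password
    # nobody knows, so they cannot be used through the fallback path.
    secret = password if password is not None else os.urandom(32).hex()
    return Account(first, last, salt, hash_password(secret, salt))


@dataclass
class LoginResult:
    ok: bool
    authority: str  # "directory", "internal" or "none"
    provisioned: bool = False


def login(username: str, password: str, bind: BindFn,
          accounts: Dict[str, Account], allow_fallback: bool = True) -> LoginResult:
    # Reject empty credentials BEFORE binding: an empty-password simple bind
    # succeeds as an anonymous bind on Active Directory and other servers.
    if not username or not password:
        return LoginResult(False, "none")

    names = bind(username, password)
    if names is not None:
        provisioned = False
        if username not in accounts:
            # First directory login: create the local account from the names
            # the directory returned, as the thread describes.
            accounts[username] = make_account(names[0], names[1], None)
            provisioned = True
        return LoginResult(True, "directory", provisioned)

    # The "option to not do the fallback" the thread mentions.
    if not allow_fallback:
        return LoginResult(False, "none")

    acct = accounts.get(username)
    if acct is None:
        return LoginResult(False, "none")
    # Constant-time comparison of the internal password hash.
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return LoginResult(True, "internal")
    return LoginResult(False, "none")


# --- constructed fake directory standing in for AD over LDAP ----------------
FAKE_DIRECTORY = {  # sAMAccountName -> (password, givenName, sn); made up
    "jrasmussen": ("Corr3ct-Horse", "Jamie", "Rasmussen"),
}


def fake_bind(username: str, password: str) -> Optional[Tuple[str, str]]:
    if password == "":
        # Emulates the server accepting the bind as anonymous; no real names.
        return ("", "")
    entry = FAKE_DIRECTORY.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1], entry[2]


def demo() -> Dict[str, LoginResult]:
    accounts = {"local.only": make_account("Local", "Only", "Pa55-internal")}
    return {
        "ad_ok": login("jrasmussen", "Corr3ct-Horse", fake_bind, accounts),
        "ad_again": login("jrasmussen", "Corr3ct-Horse", fake_bind, accounts),
        "empty_pw": login("jrasmussen", "", fake_bind, accounts),
        "internal_ok": login("local.only", "Pa55-internal", fake_bind, accounts),
        "no_fallback": login("local.only", "Pa55-internal", fake_bind, accounts,
                             allow_fallback=False),
        "wrong": login("local.only", "nope", fake_bind, accounts),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two design points the thread only hints at: the directory-provisioned account deliberately has no usable internal password, so disabling the user in the directory also ends their access here rather than leaving a stale local login; and the password never goes onto a command line, which is the other thing to change if the Perl-via-exec approach were reused on a shared host.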