Forum OpenACS Q&A: Authentication
Are there other ways to authenticate users for an ACS site?
Can the two be mixed (check ldap first then check internal)?
Anyone doing something like this with OpenACS?
- https://openacs.org/bboard/q-and-a-fetch-msg.tcl?msg_id=0002bP&topic_id=11&topic=OpenACS
For a small demonstration site I hacked OpenACS to authenticate a user to a Windows domain using ADSI LDAP. It would fall back upon the standard login process. It only required minor changes to OpenACS files.
In the meantime I found those threads and I am glad I didn't have to answer myself (thank you Jamie). The fact that you got OpenACS to authenticate against Windows Active Directory is exciting. Heterogeneous sources of authentication are commonplace in large organizations, and the fact that fall-back authentication can be done is important. At our university there are plans to implement a university-wide directory (in fact this morning I heard that Windows Active Directory is being seriously considered), so your post could not have had better timing.
Although it is not something that we would be able to test right now could you elaborate a little (I am sure there are others that would be interested in knowing how and when you did this)? Do you think your (carefully honed) modifications could eventually be used in a production environment with thousands of users?
I wrote a Perl script that takes a name and password and checks it against the Active Directory via LDAP. It used Win32::OLE. If authentication succeeds, the script fetches the user's full name from the AD and prints it. The Perl script just gets exec'ed from a TCL function that checks the return value and any output.
All of the changes I made to OpenACS were in acs-subsite/www/register/. Most of them were small things, like changing the ADP pages to say "Windows Username" instead of "Email". The authentication logic in user-login.tcl is the only real code that needs to be changed. If authentication succeeds, I check the username against the existing OpenACS accounts. If it is not there, I create the user using the first and last names returned by the Perl script. If ADSI authentication fails it uses the built-in authentication. Since this was a toy installation, I didn't bother with deleting accounts, etc.
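The login-time decision described above (try the directory helper first, fall back to the built-in check, auto-create the local account on a directory success), written as an added Tcl example for an AOLserver/OpenACS page; this is not Jamie's code or anything shipped with OpenACS. It assumes a hypothetical helper at `/web/private/ad-check.pl` that takes the username as its argument, reads the password on stdin, exits 0 and prints "First Last" on success, and two hypothetical callbacks, `lookup_or_create_user` and `internal_auth_ok`, standing in for the site's own account lookup and password check.

```tcl
# Added example, not the thread's code. Helper path and callbacks are assumptions.
set ldap_check "/web/private/ad-check.pl"   ;# hypothetical helper script

# Ask the directory helper to verify the credentials.
# Returns "First Last" on success, or an empty string on any failure.
# The password is fed on stdin rather than on the command line, so it never
# appears in the process list; the username is restricted to a safe character
# set so it cannot carry shell or LDAP metacharacters into the helper.
proc ad_directory_auth {username password} {
    global ldap_check
    if {![regexp {^[A-Za-z0-9._-]{1,64}$} $username]} {
        return ""
    }
    # exec passes arguments without a shell; "<<" supplies the string as stdin.
    # A non-zero exit, or anything written to stderr, raises an error here.
    if {[catch {exec $ldap_check $username << "$password\n"} full_name]} {
        ns_log Notice "directory auth failed for user $username"
        return ""
    }
    return [string trim $full_name]
}

# Login decision with fall-back. Returns a user_id, or 0 when both checks fail.
proc login_with_fallback {username password} {
    set full_name [ad_directory_auth $username $password]
    if {[string length $full_name] > 0} {
        # Directory accepted the credentials: the first token is the first name,
        # the rest is the last name, as printed by the helper script.
        set first_name [lindex $full_name 0]
        set last_name  [lrange $full_name 1 end]
        # Hypothetical: find the local account for this username or create it.
        return [lookup_or_create_user $username $first_name $last_name]
    }
    # Directory rejected the credentials or was unreachable: use the built-in
    # password check. Note the trade-off this implies: an account disabled in
    # the directory can still log in with a stale local password, so a
    # production deployment would want to limit which accounts may fall back.
    ns_log Notice "falling back to internal auth for user $username"
    return [internal_auth_ok $username $password]   ;# hypothetical callback
}
```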