[pubcookie-users] Pubcookie LDAP authentication
Jim Fox
fox at cac.washington.edu
Mon Jul 12 09:09:21 PDT 2004
This seems like an awkward mix of authn and authz at pubcookie,
which, at the moment, is not designed to do the authz part.

The only way this could work and keep the sso feature would
be to authenticate against all the ldap servers on first contact.
Then successful auths would have to be cached.

A better way to do the authz part would be to assign attributes
to the users' records (student, staff, etc.) and look for those
attributes at the application - could be an apache module.

Jim

On Fri, 9 Jul 2004, Anil Vinjamur wrote:
> Date: Fri, 9 Jul 2004 16:22:10 -0500
> From: Anil Vinjamur <vinjamur at olemiss.edu>
> To: Nathan Dors <dors at cac.washington.edu>
> Cc: pubcookie-users at u.washington.edu, Tom Jordan <tjordan at doit.wisc.edu>
> Subject: Re: [pubcookie-users] Pubcookie LDAP authentication
>
> Nathan,
>
> I am hoping that we should be able to send in the ldap_uri name
> (ldap_uri11 or ldap_uri2 etc..) through the pubcookie client just like we
> specify the pubcookie appid through apache and let the login server resolve
> which ldap_uri to use based on the input from client.
>
> for example, if the pubcookie client sends in ldap_uri1, the login server
> checks the config for the corresponding ldap_uri and authenticates with that
> uri. The advantage would be to allow a few applications to a specific set of
> users only (for example, students only or faculty only) based on the LDAP
> access controls of the specified bind user.
>
> So, I guess the answer to your question is: *any* one of the LDAP URIs
> specified.
>
> Thanks,
> Anil
>
>
>
> ----- Original Message -----
> From: "Nathan Dors" <dors at cac.washington.edu>
> To: "Anil Vinjamur" <vinjamur at olemiss.edu>
> Cc: <pubcookie-users at u.washington.edu>; "Tom Jordan" <tjordan at doit.wisc.edu>
> Sent: Friday, July 09, 2004 4:03 PM
> Subject: Re: [pubcookie-users] Pubcookie LDAP authentication
>
>
>>
>> Hi Anil,
>>
>>> I was wondering if it is possible to authenticate LDAP users using multiple
>>> logins. Has anyone tried that before?
>>
>> Not that we've heard of.
>>
>>> It would be nice if we can pass the ldap_uri that we want to use (eg:
>>> ldap_uri1 etc..) and ldap_uri1, ldap_uri2.. and so on setup on the login
>>> server and have each uri login as separate user in LDAP.
>>
>> Are you saying that to successfully authenticate the
>> user's credentials that they should be verified
>> against *all* of the LDAP URIs or *any* one of them?
>>
>> The folks at Wisconsin were recently asking about
>> multiple authentication repositories, and I think
>> they're using LDAP, so maybe some requirements could
>> be generated out of this discussion.
>>
>> -Nathan
>>
>>
>>
>>
>
>
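
The trade-off discussed in this thread, as an added illustration that is not code from any of the posters or from Pubcookie: a single sign-on session that does not record which directory accepted the user cannot honour a per-application directory choice, while caching the per-directory results or checking a user attribute at the application can. All names, passwords and the affiliation attribute are constructed, and `bind_ok` is a hypothetical stand-in for a real LDAP bind.

```python
import hmac

# Constructed data: two directories a login server might reach as ldap_uri1 / ldap_uri2.
DIRECTORIES = {
    "ldap_uri1": {"asmith": "pw-a"},   # accepts students only (assumed)
    "ldap_uri2": {"bjones": "pw-b"},   # accepts faculty only (assumed)
}
# Constructed user records carrying an affiliation attribute (the attribute approach).
ATTRIBUTES = {"asmith": {"student"}, "bjones": {"faculty", "staff"}}


def bind_ok(uri_key, user, password):
    """Hypothetical stand-in for an LDAP bind against one configured directory."""
    stored = DIRECTORIES[uri_key].get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def login_all(user, password):
    """First contact: try every directory and cache which ones accepted the user."""
    passed = {key for key in DIRECTORIES if bind_ok(key, user, password)}
    return {"user": user, "passed": passed} if passed else None


def naive_sso_allows(session, required_uri):
    """SSO session with no record of the directory used: any valid session passes."""
    return session is not None


def cached_sso_allows(session, required_uri):
    """Session carries the cached per-directory results, so the app's choice is honoured."""
    return session is not None and required_uri in session["passed"]


def attribute_allows(session, required_affiliation):
    """Authz at the application: authenticate once, then check the user's attributes."""
    if session is None:
        return False
    return required_affiliation in ATTRIBUTES.get(session["user"], set())


if __name__ == "__main__":
    s = login_all("asmith", "pw-a")
    print(naive_sso_allows(s, "ldap_uri2"), cached_sso_allows(s, "ldap_uri2"),
          attribute_allows(s, "student"))
```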