
LDAP credentials passthru


Quoc Huy Nguyen Dinh

Friday 12 December 2008 7:59:30 am

Hi,

I would like to implement the following and wanted to see how it would be possible.

We have an extranet that our staff have to connect to in order to access content-sensitive internal sites. One of those is running on eZ Publish.

The issue is that the user has to log in first to the extranet system, which uses LDAP. Then, when he clicks on the eZ Publish site links, the extranet rewrites the URL to have it run through a sort of proxy. Example: the internal site is www.mysite.com and would be rewritten to https://myextranet.com/,DanaInfo=www.mysite.com,SSO=U+

Once on that proxied page, he will have to log in again to eZ Publish.

We have a forum inside that internal page, and that internal page is a siteaccess to a subtree of another website which is accessible to the public without going through the extranet. Thus we need to activate login on the internal site. But we would like to have the visitor log in only once through the extranet and have a pass-through system that sends the credentials to eZ Publish.

Is that possible?
From what I understand, if I activate LDAP login in eZ Publish, the visitor still needs to log in a second time.

Thanks

Gaetano Giunta

Saturday 13 December 2008 9:24:52 am

Well, if the user needs to log in (to the LDAP backend) first to clear authentication to the rewriting proxy, I would suggest to:
- create a new siteaccess to be used for browsing internal-from-outside
- lock it via Apache rules so that it cannot be accessed from the internal net but only from the IP of the proxy
- do not activate LDAP login on this siteaccess, as LDAP is checked by the proxy, but rather
- create a custom SSO handler in eZ Publish that checks if the proxy has set some appropriate credentials for the user. This can generally be done by having the proxy set some cookie in the browser session or other stuff

You are correct about your assumption: if you just activate LDAP logon, the user will be asked to log in twice.

Principal Consultant International Business
Member of the Community Project Board
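
An added example, not part of the post above and not eZ Publish code: one way the check inside such a custom SSO handler could decide whether to trust what the proxy sent. It assumes the proxy can set a cookie carrying `login|expiry|HMAC` computed with a secret shared with the site; the function names, token format, proxy address and secret are all hypothetical.

```php
<?php
// Added example, not eZ Publish code. Names, token format and values are assumptions.
const PROXY_IP  = '192.0.2.10'; // constructed: address of the rewriting proxy
const TOKEN_TTL = 300;          // seconds a proxy-issued token stays valid

// Proxy side: issue "login|expiry|hex HMAC-SHA256(login|expiry)".
function issueToken(string $login, string $secret, int $now): string
{
    $body = $login . '|' . ($now + TOKEN_TTL);
    return $body . '|' . hash_hmac('sha256', $body, $secret);
}

// Handler side: return the vouched-for login, or null if the request is not trusted.
function proxySsoLogin(string $remoteAddr, string $token, string $secret, int $now): ?string
{
    // 1. Only the proxy may present tokens; any other client could forge the cookie.
    if ($remoteAddr !== PROXY_IP) {
        return null;
    }
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$login, $expiry, $mac] = $parts;
    // 2. Check integrity before using any field; hash_equals compares in constant time.
    $expected = hash_hmac('sha256', $login . '|' . $expiry, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // 3. Reject expired tokens and tokens valid for longer than the proxy would issue.
    if (!ctype_digit($expiry) || (int)$expiry < $now || (int)$expiry > $now + TOKEN_TTL) {
        return null;
    }
    // 4. Accept only a conservative login alphabet before looking the user up.
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $login) === 1 ? $login : null;
}

// Constructed demo values.
$secret = 'demo-secret-change-me';
$now    = 1229160292;
$token  = issueToken('jdoe', $secret, $now);
var_dump(proxySsoLogin('192.0.2.10', $token, $secret, $now));        // request via the proxy
var_dump(proxySsoLogin('198.51.100.7', $token, $secret, $now));      // same token, other source
var_dump(proxySsoLogin('192.0.2.10', $token . '0', $secret, $now));  // altered MAC
var_dump(proxySsoLogin('192.0.2.10', $token, $secret, $now + 3600)); // replayed after expiry
```

The source-address check in the code duplicates the Apache restriction on purpose, so the handler still refuses unsigned or foreign requests if the web server rule is ever loosened. An unsigned cookie that merely names the user would be trustworthy only for as long as the IP restriction holds.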

Quoc Huy Nguyen Dinh

Monday 15 December 2008 4:14:39 am

I see, nice idea.

Merci