[daisy] Fwd: NTLM and groups

Tim McDonald t_mcdonald at meng.ucl.ac.uk
Tue Jul 8 18:17:50 CEST 2008


Steven

Thanks for the response. I'll have a crack at creating my own auth
scheme. For anyone else wanting to go down this route, I think that
jcifs (the library used for NTLM authentication) can't deal with
groups directly. However, jcifs provides a suggested workaround...

http://jcifs.samba.org/src/docs/api/jcifs/smb/SmbSession.html

The class represents a user's session established with an SMB/CIFS
server. This class is used internally to the jCIFS library; however,
applications may wish to authenticate arbitrary user credentials with
the logon method. It is noteworthy that jCIFS does not support DCE/RPC
at this time and therefore does not use the NETLOGON procedure.
Instead, it simply performs a "tree connect" to IPC$ using the
supplied credentials. This is only a subset of the NETLOGON procedure
but it achieves the same effect. Note that it is possible to change the
resource against which clients are authenticated to be something other
than IPC$ using the jcifs.smb.client.logonShare property. This can be
used to provide simple group based access control. For example, one
could set up the NTLM HTTP Filter with the
jcifs.smb.client.domainController init parameter set to the name of
the server used for authentication. On that host, create a share
called JCIFSAUTH and adjust the access control list for that share to
permit only the clients that should have access to the target website.
Finally, set the jcifs.smb.client.logonShare to JCIFSAUTH. This should
restrict access to only those clients that have access to the
JCIFSAUTH share. The access control on that share can be changed
without changing init parameters or reinitializing the webapp.


Cheers

Tim

______________________________________________
Tim McDonald

Research Assistant

Dept of Mechanical Engineering
University College London

On 8 Jul 2008, at 15:30, Steven Noels wrote:

>
> On 08 Jul 2008, at 16:22, Tim McDonald wrote:
>
>> Hi
>>
>> I'm running into a problem with the NTLM user authentication scheme
>> and was wondering if the daisy list could provide some pointers on
>> my potential solutions.
>>
>> I've successfully set up Daisy to authenticate users against the
>> NTLM domain controller, the users are created. Everything's great :-)
>>
>> The problem I'm experiencing is that we'd actually like users to be
>> allocated different roles based upon the group they belong to in
>> the Windows domain. For example, users in the student group of the
>> Windows domain should be assigned the role of student in Daisy.
>> Similarly, users belonging to the staff group of the Windows domain
>> should be assigned the role of staff. Our IT chaps require this to
>> ensure the
>>
>> I've searched the daisy documentation and looked through the source  
>> code for the authentication scheme (services/ntlm-auth). Both  
>> sources don't appear to offer any guidance on how (or if) groups  
>> can be incorporated in the set up of an authentication scheme.
>
>
> Tim,
>
> you're looking in the correct place but won't find anything since  
> groups are currently not supported in the current scheme(s). As  
> you've been reading the source code, I'm sure you found out that  
> it's pretty easy to add your own auth scheme which does what you  
> want there.
>
> http://cocoondev.org/daisydocs-2_3/373-cd/474-cd/470-cd/471-cd.html
>
> Hope this helps,
>
> </Steven>
> -- 
> Steven Noels                            http://outerthought.org/
> Outerthought                              Open Source Java & XML
> stevenn at outerthought.org              Makers of the Daisy CMS
>
> _______________________________________________
> daisy community mailing list
> Professional Daisy support: http://outerthought.org/en/services/daisy/support.html
> mail to: daisy at lists.cocoondev.org
> list information: http://lists.cocoondev.org/mailman/listinfo/daisy
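The jCIFS workaround quoted in Tim's message (authenticate by "tree connecting" to a share whose ACL is managed on the domain controller) is a single yes/no gate, whereas Tim needs one role per domain group. The following is an added example, not code from this thread, from Daisy or from the jCIFS project, that takes the logon-share idea one step further: it probes one share per role and reports the first share the account is admitted to, so that a custom Daisy auth scheme could assign the matching role. It assumes jcifs 1.x on the classpath, a username and password supplied to Daisy's login form (not the browser NTLM handshake), and the host name, share names and role names are placeholders; it never prints or stores the password and treats server errors differently from an access denial so that an unreachable server is not mistaken for a failed login.

```java
// Added example (not Daisy or jCIFS project code). Assumptions: jcifs 1.x,
// placeholder server DC1.EXAMPLE.LOCAL, placeholder shares STAFFAUTH and
// STUDENTAUTH whose ACLs are maintained by the IT team on the authentication
// server, and plaintext credentials from a login form.
import java.io.IOException;

import jcifs.smb.NtlmPasswordAuthentication;
import jcifs.smb.SmbAuthException;
import jcifs.smb.SmbFile;

public class ShareBasedRoleMapper {

    /**
     * One logon share per Daisy role, checked in priority order: an account
     * that is on both ACLs gets the first role listed. Adjusting who may
     * connect to a share changes roles without touching the webapp.
     */
    private static final String[][] ROLE_SHARES = {
        // { Daisy role, share URL on the authentication server (placeholders) }
        { "staff",   "smb://DC1.EXAMPLE.LOCAL/STAFFAUTH/" },
        { "student", "smb://DC1.EXAMPLE.LOCAL/STUDENTAUTH/" },
    };

    /**
     * Performs the same "tree connect" jCIFS uses for its logonShare check.
     * Returns true when the account exists, the password is correct and the
     * share ACL admits the account; false on a bad password or an ACL denial.
     * Any other IOException (server unreachable, share missing) is rethrown so
     * the caller can fail closed and log an operational error instead of
     * silently treating the user as unauthorised.
     */
    static boolean canConnect(String shareUrl, NtlmPasswordAuthentication auth)
            throws IOException {
        try {
            new SmbFile(shareUrl, auth).connect();
            return true;
        } catch (SmbAuthException denied) {
            return false; // wrong password, or account not on the share ACL
        }
    }

    /**
     * Maps a domain account to a Daisy role by probing the per-role shares.
     * Returns null when no share admits the account, meaning no access.
     */
    static String roleFor(String domain, String user, String password)
            throws IOException {
        NtlmPasswordAuthentication auth =
                new NtlmPasswordAuthentication(domain, user, password);
        for (String[] roleShare : ROLE_SHARES) {
            if (canConnect(roleShare[1], auth)) {
                return roleShare[0];
            }
        }
        return null;
    }

    /** Usage: java ShareBasedRoleMapper DOMAIN user password */
    public static void main(String[] args) throws IOException {
        if (args.length != 3) {
            System.err.println("usage: ShareBasedRoleMapper DOMAIN user password");
            System.exit(2);
        }
        String role = roleFor(args[0], args[1], args[2]);
        // Log only the account name and outcome, never the credential.
        System.out.println(args[1] + " -> " + (role == null ? "no access" : role));
    }
}
```

Because every probe is a full authentication against the domain controller, a misconfigured share URL surfaces as an exception rather than a quiet denial, which is the behaviour you want in an auth scheme; keep the role list short, since each extra share costs one more SMB round trip per login.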