From: Mark W. <mew...@un...> - 2000-06-05 15:28:49
On Sun, 4 Jun 2000, David Leigh wrote:

> I am looking for a clean way to securely authenticate a cgi script to
> LDAP. Here are a couple scenarios that I could use some help with:
>
> Scenario 1:
> 1) User brings up an authenticated cgi in their browser
> 2) The web server prompts for username & passwd, authenticates the user,
> and runs the cgi
> 3) The cgi binds to the LDAP server as the authenticated user
> 4) User pulls data, makes changes, etc...
>
> I don't care much what method of authentication is used (Unix, LDAP,
> Kerberos, etc...) It seems like Kerberos would be appropriate in this
> case, but does perl-ldap support Kerberos?

LDAP v3 allows you to use different authentication mechanisms via SASL, and Net::LDAP supports SASL (it's not widely tested, so I can't say how well). Of course, is this CGI script designed to update an LDAP server, or is it doing something else and you're looking for a network authentication system? If it's designed to update an LDAP server, then you must use LDAP to authenticate. If you're simply authenticating a CGI script for something else and you want to use Kerberos, then you don't need LDAP at all.

> Scenario 2:
> 1) User hits the authenticated cgi
> 2) The web server authenticates the user and runs the cgi
> 3) The cgi binds to the LDAP server as a predefined user, ie.
> "webadmin".
> 4) User pulls data, makes changes, etc... and the LDAP server thinks
> it's "webadmin" that's doing all the work.
>
> The trick here is that I don't want the password for "webadmin" to be
> accessible to users. The way I have it now, anyone looking can bind to
> the LDAP server as "webadmin" after looking at the cgi source. Is there
> any way to set this up so that the password is not opaque?

No. But then your CGI source code should only be read by people who have shell access to your server. I really don't like using things like this to update the server, because it puts all of the access controls on your application instead of using LDAP's.

It looks like (you didn't really give us a lot of information to go on here) that you're trying to develop a CGI program to update an LDAP server. In this case you should use LDAP to authenticate. Now, if you have your LDAP server set up to do SASL with Kerberos instead of simple authentication, then you can use that if you want.

Mark

> Thanks,
> -David
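Scenario 1 as Mark describes it, written out as an added Net::LDAP example that is not part of the thread or of perl-ldap itself: the CGI binds as the user the web server already authenticated, so every later operation runs under that user's own LDAP ACLs instead of a shared "webadmin" account. The host `ldaps://ldap.example.org`, the `ou=People,dc=example,dc=org` base DN, the use of `KRB5CCNAME` as the sign that a Kerberos ticket cache was left for the CGI, and the `AUTH_PASSWORD` variable in the fallback branch are all assumptions for illustration (Apache does not hand the password to a CGI by default).

```perl
#!/usr/bin/perl
# Added example, not code from the thread: bind to LDAP as the
# web-authenticated user (Scenario 1), never as a shared account.
# Assumed for illustration: Net::LDAP and Authen::SASL installed, an LDAPS
# server at ldap.example.org, and user DNs of the form
# uid=<user>,ou=People,dc=example,dc=org.
use strict;
use warnings;
use Net::LDAP;
use Authen::SASL;
use CGI qw(header);

my $LDAP_URI = 'ldaps://ldap.example.org';     # placeholder host
my $BASE_DN  = 'ou=People,dc=example,dc=org';  # placeholder base DN

# REMOTE_USER is only set once the web server has authenticated the request.
my $user = $ENV{REMOTE_USER}
    or die "request was not authenticated by the web server\n";

# Allow only characters that cannot alter the DN we are about to build.
$user =~ /^[A-Za-z0-9._-]+$/
    or die "unexpected characters in username\n";

my $ldap = Net::LDAP->new($LDAP_URI, version => 3)
    or die "cannot connect to LDAP server: $@\n";

my $mesg;
if ($ENV{KRB5CCNAME}) {
    # Assumption: the web server's Kerberos module saved the user's ticket
    # cache and exported KRB5CCNAME. A SASL/GSSAPI bind then makes the LDAP
    # server see the real user, with no password in the CGI at all.
    my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
    $mesg = $ldap->bind(sasl => $sasl);
} else {
    # Fallback: simple bind as the user's own DN over LDAPS. AUTH_PASSWORD is
    # a hypothetical variable; the web server would have to be configured to
    # pass the credential through, otherwise this branch cannot bind.
    my $pw = $ENV{AUTH_PASSWORD}
        or die "no credential available for a simple bind\n";
    $mesg = $ldap->bind("uid=$user,$BASE_DN", password => $pw);
}
$mesg->code and die "LDAP bind failed: " . $mesg->error . "\n";

# Everything from here on is authorised by the directory's ACLs for $user.
my $res = $ldap->search(
    base   => "uid=$user,$BASE_DN",
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => ['mail'],
);
$res->code and die "search failed: " . $res->error . "\n";

print header('text/plain');
for my $entry ($res->entries) {
    print "mail: ", ($entry->get_value('mail') // '(none)'), "\n";
}
$ldap->unbind;
```

The point of the structure is the one Mark makes: with the bind performed as the end user, the directory's own access controls decide what the CGI may read or change, and there is no shared password for the script to keep out of sight.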