LDAP user validation

LDAP user validation

Justin Leavens
Can someone please help me understand the mechanisms I would use if I wanted to authenticate a user/password combination against an LDAP server? Do I...

1) use the user-supplied username/password to log into the LDAP server and see if the login works?

or

2) use a system username/password to log into the LDAP server, and the verify that the user-supplied username/password validates?

If it's #1, I assume I could use the 4D LDAP Login and Logout to accomplish. If it's #2 (and I'm guessing it is) then what do I use to validate the user-supplied username / password? Am I doing an LDAP search of some kind using the 4D command LDAP Search? Or is there some other operation that needs to take place? I'm in v16 for reference.

thanks in advance!

Re: LDAP user validation

if you haven't already,
I would invite you to watch this short clip:

http://blog.4d.com/single-sign-on-sso/

it's about a different feature, SSO,
but LDAP does get a mention in the latter part of the demo.

1) use the user-supplied username/password to log into the LDAP server and
see if the login works?

no you do not.

you use LDAP to look up a person's credentials in the company,
but you do not use their passwords to login to LDAP,
you use a system user name and password hardcoded in server-side code.

in this example,

http://doc.4d.com/4Dv16/4D/16/LDAP-LOGIN.301-3035949.en.html

the system logs in to LDAP as "John Smith",
with a hard-coded user name and password,
in order to lookup the credentials for "John Doe", the current user.
the password was entered in the 4D login dialog the usual way,
it was verified in 4D,
LDAP was not involved in the verification.

integrating Active Directory, or rather, delegating 4D user login to the domain server is a different feature.

http://doc.4d.com/4Dv16R2/4D/16-R2.1620/Single-Sign-On-SSO-on-Windows.300-3176522.en.html



**********************************************************************
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:[hidden email]
**********************************************************************

Re: LDAP user validation

In reply to this post by Justin Leavens
Hello,

I am curious about this as well.  

We are using 4D as a web server.  We are being provided the Active Directory SAM-Account-Name and password for a user.  We do not have the user passwords stored in 4D and need to validate their username/password against Active Directory.

Is there a way to login to Active Directory using 4D's LDAP LOGIN with an admin/service account and then validate the username/password of other users by using 4D's LDAP Search?

If not it seems the only way is to attempt an LDAP LOGIN to validate a given username/password.  It seems like that is what some other delegation services are doing but I might be mistaken?  For example:
https://auth0.com/docs/connector
https://confluence.atlassian.com/doc/connecting-to-an-internal-directory-with-ldap-authentication-229838462.html


Re: LDAP user validation

In reply to this post by Justin Leavens
You do a “bind” to verify the username/password. I.e. it is authentication.

On a low level, authentication against an LDAP server is

1. Open a connection
2. Try to bind
3. Unbind – if you’re feeling generous
4. Close the connection

if you got a success from the bind it means you sent the correct “distinguishedName” and password combination.


On 6/9/17, 8:19 PM, "4D_Tech on behalf of Justin Leavens via 4D_Tech" <[hidden email] on behalf of [hidden email]> wrote:

    Can someone please help me understand the mechanisms I would use if I wanted
    to authenticate a user/password combination against an LDAP server? Do I...
   
    1) use the user-supplied username/password to log into the LDAP server and
    see if the login works?
   
    or
   
    2) use a system username/password to log into the LDAP server, and the
    verify that the user-supplied username/password validates?
   
    If it's #1, I assume I could use the 4D LDAP Login and Logout to accomplish.
    If it's #2 (and I'm guessing it is) then what do I use to validate the
    user-supplied username / password? Am I doing an LDAP search of some kind
    using the 4D command LDAP Search? Or is there some other operation that
    needs to take place? I'm in v16 for reference.
   
    thanks in advance!
   

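The four steps above on the wire, as an added example that is not from the thread or from 4D's LDAP commands: the simple BindRequest, the UnbindRequest, and a parser for the BindResponse whose resultCode decides whether the DN/password pair was accepted (RFC 4511 BER encoding). The DNs, message IDs and both server replies are constructed here; the empty-password refusal is the one check a bind-based login must always make, since an empty password is an unauthenticated bind that servers may answer with "success".

```python
def _ber(tag: int, body: bytes) -> bytes:
    """One BER TLV: short-form length below 128, long form (0x8N + N length bytes) above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v: int) -> bytes:
    """INTEGER, two's complement: a leading zero byte is added when the high bit is set."""
    return _ber(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }."""
    if not password:
        # Empty password = unauthenticated bind (RFC 4513 5.1.2); servers may answer
        # success to it, so a credential check must refuse it before touching the wire.
        raise ValueError("refusing to bind with an empty password")
    op = _ber(0x60, _int(3) + _ber(0x04, dn.encode()) + _ber(0x80, password.encode()))
    return _ber(0x30, _int(message_id) + op)

def unbind_request(message_id: int) -> bytes:
    """Step 3: UnbindRequest is [APPLICATION 2] NULL (tag 0x42, length 0); no reply follows."""
    return _ber(0x30, _int(message_id) + b"\x42\x00")

def _tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg: bytes) -> dict:
    """BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage, ... }."""
    _, body, _ = _tlv(msg, 0)                  # outer LDAPMessage SEQUENCE
    _, mid, pos = _tlv(body, 0)                # messageID
    tag, op, _ = _tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _tlv(op, 0)
    _, _matched_dn, pos = _tlv(op, pos)
    _, diag, _ = _tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "ok": int.from_bytes(code, "big") == 0,   # resultCode 0 = success; anything else is a failed login
            "diagnostic": diag.decode("utf-8", "replace")}

# Constructed replies: a bare success, and resultCode 49 (invalidCredentials) with a diagnostic.
BIND_OK = bytes.fromhex("300c02010161070a010004000400")
BIND_BAD = _ber(0x30, _int(1) + _ber(0x61, _ber(0x0A, b"\x31") + _ber(0x04, b"") + _ber(0x04, b"invalid credentials")))
```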

Re: LDAP user validation

BTW, if you want some 4d code looking examples, I left the docs for LDAP 4d up on my site

See http://www.adogandhisboy.com/manual/Sample.html

On 6/12/17, 10:55 AM, "4D_Tech on behalf of Tom Swenson via 4D_Tech" <[hidden email] on behalf of [hidden email]> wrote:

    You do a “bind” to verify the username/password. I.e. it is authentication.
   
    On a low level, authentication against an LDAP server is
   
    1. Open a connection
    2. Try to bind
    3. Unbind – if you’re feeling generous
    4. Close the connection
   
    if you got a success from the bind it means you sent the correct “distinguishedName” and password combination.
   


Re: LDAP user validation

In reply to this post by Justin Leavens
On Jun 12, 2017, at 2:52 AM, Welsh Harris wrote:

> I am curious about this as well.  
>
> We are using 4D as a web server.  We are being provided the Active Directory SAM-Account-Name and password for a user.  We do not have the user passwords stored in 4D and need to validate their username/password against Active Directory.
>
> Is there a way to login to Active Directory using 4D's LDAP LOGIN with an admin/service account and then validate the username/password of other users by using 4D's LDAP Search?
>
> If not it seems the only way is to attempt an LDAP LOGIN to validate a given username/password.  It seems like that is what some other delegation services are doing but I might be mistaken?  For example:

The way that I understand it is you just need to verify that the user has access to the 4D system. You want to use the company’s Active Directory (AD) to store this information. You will use LDAP to query AD for this information. That’s basically what you want to accomplish.

IT Administrators handle updating AD. When someone new is hired they create a new AD entry for the user giving them a user name and password. They also indicate what shares the user has access to, telephone numbers, addresses, the department in the company the person works for, the supervisor name, etc. You can store a lot of information in AD if you want to. So you just want to include one more piece of info for the user — can they access this 4D system.

To use LDAP you need a user name and password to access the system. This IS NOT the user name and password of the user you want to verify has access to the 4D system. You use a user name and password that provides access to AD. Then once you have connected to AD you can query for the information you want.

Next you need to decide how you want to store “this user can access the 4D system” information inside AD. Here are a couple of options:

- Choose an existing AD attribute and store this information in it. For example, the “otherPager” attribute. It’s not being used for anything now, so if the user can access the 4D system put “4D” in the “otherPager” attribute. Then when you query AD for the user name you get the value of “otherPager” and if it contains “4D” you know the user can access the system.

- You create a “Custom Attribute” in AD to store the 4D access information. Maybe you give the attribute the name “accessTo4D”. Then you set that attribute to something for users that can access the 4D system.

https://social.technet.microsoft.com/wiki/contents/articles/20319.how-to-create-a-custom-attribute-in-active-directory.aspx

Since AD is a secure database that only a trusted few can modify you can rely on the information being correct. I don’t really see a need to store a password to the 4D system in AD. You certainly could do that, and when you query AD with LDAP you can get the 4D password stored for the user and you could validate that. But then you have to deal with handling changes to the 4D password. When do you change it in the 4D system? When/how do you make sure it gets updated to the same value in AD?

Here is where 4D’s new single-sign-on (SSO) feature fits in. 4D can now provide you with a verified accurate Windows Username for the current user. The username is guaranteed to be already validated and verified with AD. The user has already provided a valid password for the username and logged into the computer.

Here is the situation you want to avoid. Say you have a username of “timnevels” setup in AD. Someone knows that’s my username, but they don’t know my password to log in to my Windows account. So they bring to work a laptop from home and they create an account on that laptop for “timnevels”. They use whatever password they want — it’s their personal computer. Now they plug it into the company network. From their fake “timnevels” account they start up 4D Client and connect to 4D Server. See the problem… it looks like the real “timnevels” is logged in, but it’s really a fake “timnevels”. The new 4D SSO feature prevents this kind of spoofing. Also it allows all querying of AD to occur from the 4D Server machine instead of happening from each 4D Client machine.

I have plans this summer to upgrade one of my clients to v16 and use SSO to verify access to the 4D System. I’ll work with IT to have them set up a group of custom attributes that my 4D system will use. I will move all my permissions and privileges that are currently stored in the 4D data file into these AD custom attributes. Then it will become IT’s job to maintain this information. And that is actually what they want. They want complete control of what a user can do. What shares they can access, can they access the 4D system, what tables can they access in 4D, can they delete records, etc.

So when they get a new user they will set up all the 4D system access information in AD when they create the user’s account. And when they terminate the user, it will automatically turn off all 4D system access.

At least that’s the idea...

Tim

********************************************
Tim Nevels
Innovative Solutions
785-749-3444
[hidden email]
********************************************

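The service-account lookup described in the post above (bind with a system account, then query AD for the user's marker attribute), as an added example that is not Tim's code or 4D's: the two parts that are easy to get wrong are building the search filter from a user-supplied sAMAccountName, which must be escaped per RFC 4515 so it cannot alter the filter, and reading the multi-valued result, where "4D" must match a whole value. The attribute name, the sample entries and the disabled-account check on userAccountControl are this example's own assumptions.

```python
MARKER_ATTR = "otherPager"   # the repurposed attribute from the post; a custom attribute works the same
MARKER_VALUE = "4D"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter: NUL ( ) * and backslash
    would otherwise change the filter's structure; non-ASCII is escaped as UTF-8 bytes."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\x00()*\\" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)

def access_filter(sam_account_name: str) -> str:
    """Filter the service account runs: exactly this user, and the 4D marker set on it."""
    return "(&(objectClass=user)(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(sam_account_name), MARKER_ATTR, MARKER_VALUE)

def may_access_4d(entry: dict) -> bool:
    """Decide from the returned entry (attribute -> list of values). AD attributes are
    multi-valued, so compare whole values, not substrings; a disabled account
    (userAccountControl bit 0x2, assumed here as an extra guard) never gets access."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    if uac & 0x2:
        return False
    return MARKER_VALUE in entry.get(MARKER_ATTR, [])

# Constructed search results as a client might receive them: enabled with the marker,
# disabled with the marker, and enabled with a value that merely contains "4D".
ENTRIES = {
    "alice": {"sAMAccountName": ["alice"], "otherPager": ["4D"], "userAccountControl": ["512"]},
    "bob":   {"sAMAccountName": ["bob"], "otherPager": ["4D"], "userAccountControl": ["514"]},
    "carol": {"sAMAccountName": ["carol"], "otherPager": ["X4D"], "userAccountControl": ["512"]},
}
```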

Re: LDAP user validation

Tim,

Fantastic post! Thanks for spelling out all of the various details with
clear examples and commentary. I've somehow managed to avoid LDAP and SSO
so far (although I have a lingering need for CAS3), so your explanation is
much appreciated.

RE: LDAP user validation

If all you want is Single Sign On without any additional LDAP lookups, then check out this 3 minute video that walks you through the steps needed for setting up SSO:
http://kb.4d.com/assetid=77660

-Tim PENNER




Re: LDAP user validation

Thanks (another!) Tim. In this case, CAS3 is a requirement which I don't
think 4D readily supports. It's great that you guys are putting up little
video snippets in the KB. Which reminds me to also say "check out the 4D
Blog." I don't think to visit it often enough, but it's really good. Very
professionally done, and lots of little-medium sized chunks:

http://blog.4d.com/

It's got sort of a technical marketing style, and that's perfect for new
features that you don't know much about.

On Tue, Jun 13, 2017 at 8:50 AM, Timothy Penner via 4D_Tech <
[hidden email]> wrote:

> If all you want is Single Sign On without any additional LDAP lookups,
> then check out this 3 minute video that walks you through the steps needed
> for setting up SSO:
> http://kb.4d.com/assetid=77660
>
> -Tim PENNER