Hello. How do I get ColdFusion 8 to use an Active Directory in Server 2003/8 (NTLM) to authenticate users? I want users to login to the site using their domain information. The server runs Apache... Do I need IIS?
Thanks!
IIS is the normal web server to use 'Windows integrated security'. I have seen NTLM modules for Apache, but I have never used one.
OK. So if I reconfigure the web server to use IIS, how do I set up CF8 to use the AD for authentication? The AD is on a separate machine, but same network.... Do you have an example?
Thanks a lot!
ColdFusion has little knowledge or care of the Active Directory server.
This is all handled by the web server. Once you have IIS set up using Windows Integrated Security, it takes care of all the work. It populates the cgi.AUTH_USER variable and passes everything to ColdFusion. So the minimal CFML code is simply this.
<cfoutput>
#cgi.AUTH_USER#
</cfoutput>
<cfif listLast(cgi.AUTH_USER,'\') EQ "iskinner">
YOU ARE IAN SKINNER YOU CAN'T SEE THIS PAGE
<cfabort>
</cfif>
If you want to use more information from the Active Directory data store, the <CFLDAP...> tag is the natural extension of this functionality. The documentation has plenty of information on how to configure and use it. With this tag, you can get user groups, check their password, find full name, phone numbers and whatever else you may be storing in your Active Directory tree.
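A fuller version of the cgi.AUTH_USER check above, added here as an example and not code from the thread or from Adobe: it refuses to proceed when IIS has not actually populated cgi.AUTH_USER (which is what happens when anonymous access is still enabled), then looks up the visitor's group membership with a read-only service account, because under integrated authentication the visitor's password never reaches ColdFusion. The host name, search base, group DN, the EXAMPLE domain, the svc_ldap account and application.ldapServicePassword are all assumed placeholders.

```cfml
<!--- Added example, not code from the thread: trust the IIS-populated
      cgi.AUTH_USER only when it is set, then check Active Directory group
      membership with a read-only service account. Host name, search base,
      group DN, the EXAMPLE domain, svc_ldap and
      application.ldapServicePassword are assumed placeholders. --->
<cfset allowedGroupDN = "CN=CF Site Users,OU=Groups,DC=example,DC=local">

<!--- With Integrated Windows Authentication enabled and anonymous access
      disabled, IIS always fills cgi.AUTH_USER. An empty value means the
      request was never authenticated (anonymous access is still on), so
      refuse it instead of letting listLast("") silently match nothing. --->
<cfif NOT Len(Trim(cgi.AUTH_USER))>
    <cfheader statuscode="401" statustext="Unauthorized">
    <cfabort>
</cfif>

<!--- IIS hands the identity over as DOMAIN\sAMAccountName --->
<cfset samAccountName = ListLast(cgi.AUTH_USER, "\")>

<!--- Query with a service account: the visitor's password never reaches
      ColdFusion under integrated auth, so a bind as the visitor is impossible.
      sAMAccountName cannot contain the LDAP filter metacharacters ( ) * \,
      so a name IIS has already validated needs no filter escaping.
      separator="|" matters: memberOf is multi-valued and every value is a DN
      full of commas, so the default comma separator would shred the list. --->
<cftry>
    <cfldap action="query"
            server="dc01.example.local"
            port="636"
            secure="CFSSL_BASIC"
            name="userQry"
            start="DC=example,DC=local"
            scope="subtree"
            filter="(&(objectClass=user)(sAMAccountName=#samAccountName#))"
            attributes="sAMAccountName,displayName,memberOf"
            separator="|"
            username="EXAMPLE\svc_ldap"
            password="#application.ldapServicePassword#">
    <cfcatch type="any">
        <!--- Fail closed: a directory outage or a bad service credential
              must deny access, not fall through to the page below. --->
        <cfheader statuscode="503" statustext="Service Unavailable">
        <cfabort>
    </cfcatch>
</cftry>

<!--- Exactly one account must match, and it must be a direct member of the
      allowed group. memberOf lists direct memberships only; nested groups
      are not expanded here. --->
<cfif userQry.recordCount NEQ 1
      OR NOT ListFindNoCase(userQry.memberOf, allowedGroupDN, "|")>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<cfoutput>
    <p>Welcome, #HTMLEditFormat(userQry.displayName)# (#HTMLEditFormat(cgi.AUTH_USER)#)</p>
</cfoutput>
```

Two things to check before relying on this: secure="CFSSL_BASIC" only works once the domain controller's certificate (or its issuing CA) is imported into the cacerts truststore of the JVM that ColdFusion runs on, and the group test is against direct membership only, so a user who is in the allowed group through a nested group is still refused.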
Thank you! I will try this out once I configure IIS.
Once I have the user logged in, I can set access via <cfif> tags based on username/groups from <cfldap>, right?
You don't need <cfldap> for the username that will already be provided by the web server.
But for groups or other data associated with that user account in Active Directory, yes, you would use <cfldap....>, which will return a record set of the specified data that you can then use in other decision and/or looping logic.
OK. Thanks... But how do I actually login with a username and password? I have a simple login form with the input boxes I need, but how do I get that to authenticate into the AD and start a session?
If you use Windows Integrated Security in IIS then you do not need the form. The web server and the browser take care of all of this themselves. With an IE browser on a Windows client it will happen automatically. With other browsers, such as Firefox, they will usually display a dialog box to the user. Some browsers do not support NTLM.
If you want to use your form, you do not need the windows integrated security or NTLM. You would just collect the username and password and pass those to the <cfldap...> tag. If the correctly configured <cfldap...> tag returns a record set then the user name and password are correct, if it does not, then they are not correct.
<cfldap action="query"
server="{ActiveDirectoryServer}"
name="returnQry"
start="OU=HQ Users,OU=DPR Users,DC=inside,DC=cdpr,DC=ca,DC=gov"
filter="{filterString}"
username="{domain}\{username}"
password="{password}"
attributes = "{attributes}">
<cfdump var="#returnQry#">
OK. So I guess I will use LDAP then to login with a form, as I want a login page, not a dialog box. Do I still need IIS, or will Apache work?
Attached is what I have so far.... How do I get that to actually login though? I'm not sure how to connect my login page to <cfldap> and work from there...
Thanks so much!
Yeah, if you are not using IIS's Windows Integrated Security, then you probably do not need IIS.
Just be aware of the pitfalls of using a plain text form for security. I.e., unless there is encryption at the TCP/IP level, those user names and passwords are going to be transferred across the network in plain text. You will probably need to combine your login form with some SSL configuration on your web server.
I was planning on using HTTPS with LDAP/S. I just need to figure out how to get that login form to use LDAP to authenticate... How would that be done? I'm not sure what code goes where...
The parameters of the <cfldap..> tag are strings.
That can be hand coded string literal constants or they can be variables that contain strings.
Such as form scope variables.
It is a pretty straightforward process from there once you know the proper connection information for your Active Directory server.
The <cfldap> tag isn't where I have the issue. I know how to get the information with the query.... but how do I combine <cfldap> with my login page to create an authentication mechanism? That is where I am stuck...
Thanks. 🙂
I can not go much farther without me, or some other contractor, coming to your site and writing your code for you after interviewing your network administrator for the correct data. The usual rate for that type of work is $100 US/hour plus travel expenses and up.
<cfldap action="query"
server="{name or IP of AD server}"
name="returnQry"
start="{starting branches of LDAP tree to search}"
filter="{filterString}"
username="{domain}\#FORM.USERNAME#"
password="#FORM.PASSWORD#"
attributes = "{attributes}">
<cfif returnQry.recordCount GTE 1>
<!--- user has been authenticated against the active directory, do something about it. --->
<cfelse>
<!--- user has failed to authenticate against the active directory do something about it. --->
</cfif>
The ColdFusion documentation has sample code very similar to what is being provided here.
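The sketch in the earlier reply (collect the username and password and hand them to <cfldap>) and the form-wired version just above leave out three things a practitioner gets bitten by, so here is a complete action page, added as an example and not code from the thread or from Adobe. First, a simple bind with a user name and an empty password is an "unauthenticated bind" that Active Directory accepts as anonymous by default, so an empty password has to be refused before the tag runs. Second, bad credentials do not come back from <cfldap> as an empty record set; the tag throws, so the recordCount test alone never sees the failure and the page must catch it. Third, the form value goes straight into the search filter, so filter metacharacters have to be escaped. The form field names, the EXAMPLE domain, dc01.example.local, the search base and the pages home.cfm and login.cfm are assumed placeholders.

```cfml
<!--- Added example, not code from the thread: the action page a login form
      posts to, binding to Active Directory AS the visitor and then starting
      a session. Assumed placeholders: form fields username and password, the
      EXAMPLE domain, dc01.example.local over LDAPS, the search base under
      DC=example,DC=local, and the pages home.cfm and login.cfm. --->
<cfparam name="form.username" default="">
<cfparam name="form.password" default="">

<!--- Escape the RFC 4515 filter metacharacters so that a username such as
      "*" or "x)(objectClass=*" cannot rewrite the search filter.
      Backslash is replaced first so the escape sequences themselves survive. --->
<cffunction name="ldapEscape" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <cfset var s = Replace(arguments.value, "\", "\5c", "all")>
    <cfset s = Replace(s, "*", "\2a", "all")>
    <cfset s = Replace(s, "(", "\28", "all")>
    <cfset s = Replace(s, ")", "\29", "all")>
    <cfset s = Replace(s, Chr(0), "\00", "all")>
    <cfreturn s>
</cffunction>

<cfset userName = Trim(form.username)>
<cfset loginOk = false>

<!--- An LDAP simple bind with a name and an EMPTY password is an
      "unauthenticated bind" (RFC 4513) that Active Directory accepts as an
      anonymous session by default, so it must be refused before the tag runs.
      The domain is prepended below, so a name carrying its own "\" or "@"
      is refused as well. --->
<cfif Len(userName) AND Len(form.password)
      AND NOT Find("\", userName) AND NOT Find("@", userName)>
    <cftry>
        <cfldap action="query"
                server="dc01.example.local"
                port="636"
                secure="CFSSL_BASIC"
                name="userQry"
                start="DC=example,DC=local"
                scope="subtree"
                filter="(&(objectClass=user)(sAMAccountName=#ldapEscape(userName)#))"
                attributes="sAMAccountName,displayName,memberOf"
                separator="|"
                username="EXAMPLE\#userName#"
                password="#form.password#">
        <!--- Reached only if the bind succeeded; also insist the search
              found exactly the account that was named. --->
        <cfset loginOk = (userQry.recordCount EQ 1)>
        <cfcatch type="any">
            <!--- Wrong credentials do not come back as an empty result set:
                  the tag throws (AD reports LDAP error 49). Treat every
                  failure as a failed login, and never show cfcatch.message
                  to the visitor; it carries the directory's diagnostic text. --->
            <cfset loginOk = false>
        </cfcatch>
    </cftry>
</cfif>

<cfif loginOk>
    <!--- Start the authenticated session: keep what the page logic needs
          (name, display name, group DNs) and never the password.
          Group DNs are stored pipe-separated, matching separator="|". --->
    <cfset session.auth = {
        loggedIn    = true,
        user        = userQry.sAMAccountName,
        displayName = userQry.displayName,
        groups      = userQry.memberOf,
        loginTime   = Now()
    }>
    <cflocation url="home.cfm" addtoken="false">
<cfelse>
    <!--- One generic message for every failure, so the form does not reveal
          which accounts exist. --->
    <cfset session.loginError = "The user name or password is not valid.">
    <cflocation url="login.cfm" addtoken="false">
</cfif>
```

This needs sessionManagement turned on in the application's <cfapplication> (or Application.cfc), and protected pages then test for structKeyExists(session, "auth") at the top of each request, with a group check done against session.auth.groups using "|" as the list delimiter. The same truststore caveat as for any LDAPS use from ColdFusion applies: the domain controller's certificate or its CA must be in the JVM's cacerts, or the tag throws before the bind is even attempted.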
Thanks. That is what I needed to connect the form to the <cfldap>.
username="{domain}\#FORM.USERNAME#"
password="#FORM.PASSWORD#"
Thank you SO much!
Now I just need to get that into a session... Thanks again.
NTLM security support is available under Apache. "mod_ntlm" (or "mod_auth_ntlm") can be installed to do it.
It is certainly true, however, that if you have IIS readily available (as you probably do), and if it will work just-as-well as Apache in your case, it does make good sense to "do as the Romans do." An academic exercise, while interesting, is also unprofitable.
In any case, this module (like mod_auth_ldap) can be used to secure the entire site "in one swell foop." If the user manages to get into the site at all, he has passed authentication and his Windows credentials are known. This is "the way to go" for intranets.
I agree with " If the user manages to get into the site at all, he has passed authentication and his Windows credentials are known. This is "the way to go" for intranets." as stated by TLC-IT. If you decide to use Windows integrated authentication with IIS this Adobe technote may be useful to you.
http://kb2.adobe.com/cps/185/tn_18516.html